Monero Project announced it had investigated the theft of money after a 64-bit Linux command line (CLI) Monero installation package downloaded by the official download page. “The CLI installation package downloaded from http://getmonero.org may have been compromised in the past 24 hours,” the Monroe coin team said on Twitter. It is currently under investigation. ”
According to reports and confirmations from multiple users on GitHub, Reddit and Twitter, the installation package provided by Theron Coin may contain malware that has its HASH values for more than 30 minutes. Currently, all binaries are clean because they are currently delivered from a secure standby host server.
In the Reddit community, Monero subreddit moderators encourage users to “check the integrity of the binary files and verify that they are signed by Fluffypony’s GPG key.” Although windows and macOS files have not been reported to have been corrupted, users of all platforms should check the hash values of all downloaded Monero binaries because they may have been switched from malicious versions.
The correct hash value of all Monero binaries can be downloaded on the official website: https://web.getmonero.org/downloads/hashes.txt.
“If you downloaded the binary file in the last 24 hours but did not check the integrity of the file, please do so immediately,” The Monroe issued a message. If the hash values do not match, do not run what you downloaded. If you’ve already run them, use a secure version of Monero Wallet to transfer money out of all wallets opened by your (possibly malicious) executable (we’re talking about online wallets that are safe – but check the hash). More information will be released and an in-depth investigation into the matter has been carried out. “
At 17:31 EST on November 19, Monroe issued an update warning that “the installation bag of the CLI wallet has been compromised in a short period of time”:
Yesterday, the GitHub issue about the hash value mismatch of this site was initially clear. A quick investigation found that the installation package for the CLI wallet had been stolen and that a malicious version was being provided. The issue is resolved immediately, which means that infected files appear only for a short period of time. Installation files can now be provided from another secure source. See the reddit post of core team member binaryfate.
It is highly recommended that anyone who downloads the CLI wallet from this website between 18:30 and 4:30 utah UTC on Monday to check the hash value of their binary files. If they don’t match the official file, delete the file and download it again. Do not run damaged binaries for any reason.
We have two guides to help users check the authenticity of binaries: verifying binaries on Windows (getting started) and validating binaries on the Linux, Mac, or Windows command lines (advanced). The signature hash can be found here: https://getmonero.org/downloads/hashes.txt.