"Dodgy" FabFilter Mac installer from team GMATIC left "CoreAudio.app" on system

Discussion in 'Mac / Hackintosh' started by Vaultnaemsae, Feb 28, 2025 at 6:01 PM.

  1. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    887
    Likes Received:
    568
technically, rug pulls aren't really theft. I mean, they are, but legally, you bought a coin, with likely no promises, not even knowing who the dev is etc, that's on you. Your transaction getting interrupted by malware is outright theft. I have a friend who had 100k stolen by a SIM card swap, he contacted Coinbase, and they contacted police, and they actually caught the guy.
     
  2. heero

    heero Newbie

    Joined:
    Jun 30, 2019
    Messages:
    24
    Likes Received:
    1
    dox-gate? what was that?
     
  3. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,963
    Likes Received:
    3,487
    you can see everything this installer tries to do in Suspicious Package. https://mothersruin.com/software/SuspiciousPackage/

Suspicious Package shows about 2500 warnings on this one installer. File size mismatches, stuff that shows it wants to use "admin" when it actually tries to get wheel (root).

    The version of "coreaudio.app" will not even run on Mojave. Certain files are obfuscated, like monitor.mom and monitor.omo.

    With the comment above that sounds like "conspiracy theory" re: "dox-gate", it would not surprise me at all if they were related. It's the first thing I thought when I took this file apart. This looks like the work of the same skill level script kiddie. It's not a "stolen release" in the normal sense, with someone trying to gain money or credit for someone else's work. It's like someone melting a trojan server into MS Paint but made attractive to possible downloaders of Fabfilter plugins. (maybe even Team VR members themselves! lol yeah right).

    Fabfilter has never done anything like this about their plugins being shared before. Consider the timing. Maybe keep your eyes open for some Windows attempt with something else.
     
  4. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,597
    Likes Received:
    680
    ...and those f'ers just reposted it....

    I know the mods have to deal with whack-a-mole sometimes, and there aren't enough hands on deck to manually approve posts I imagine in a timely fashion, but there is a solution in need of finding here I think....
     
  5. typical-love

    typical-love Producer

    Joined:
    May 9, 2020
    Messages:
    269
    Likes Received:
    120
    Another dodgy release... stay on your toes everyone. I think we need more vetting of uploads by new teams/uploaders now.
     
  6. omiac

    omiac Moderator Staff Member

    Joined:
    May 3, 2024
    Messages:
    227
    Likes Received:
    227
    Already removed. It was queued prior to the ban issued... I/we are on it!

Please, if anyone sees something suspicious like this, use PM to contact myself and/or PiRAT ASAP, report it and post a warning notice comment letting other members know what's up. TY!
     
  7. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,456
    Likes Received:
    596
    Location:
    CBGB omfug
    GMATIC eh? Good to know if I ever see any "releases" by that group for winOS to simply ignore em...
     
  8. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    7
    Likes Received:
    0
    Thank you to the community for all the additional information.

I have a full backup of my system prior to the installation. I'm not sure if it's a nuclear option to revert to that if I've simply removed the "CoreAudio.app".

    One earlier post indicated that simply removing the app would be OK and the only threat would be if one had transacted in crypto presumably after launching the dodgy app, due to the presence of a keylogger.

    But another post indicates that there were 2500 warnings against the app when they inspected the package contents. Seems like there may be more to it than simple removal.
     
  9. odod

    odod Rock Star

    Joined:
    Jun 5, 2011
    Messages:
    849
    Likes Received:
    416
    GMatic just posted Rev1 .. what a dick!
     
  10. loveriuz

    loveriuz Producer

    Joined:
    Jan 1, 2022
    Messages:
    219
    Likes Received:
    97
    Location:
    East of Jupiter
    Good it wasn't a DOGE Coin stealer, my stuff is safe :disco:
     
  11. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,963
    Likes Received:
    3,487
While I would feel safe just deleting "CoreAudio.app" and the plugins, the reason for me is that I do not have SIP disabled, and because I know my firewalls are not going to just allow something like that out to send any data, e.g. telemetry or passwords. I went through all the receipts and post-install scripts. The only one that calls CoreAudio.app is the post-install script for Simplon.

But if I had a brand new Time Machine backup, I'd go back to it anyway.
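The two clone posts above describe the manual version of this: open the installer in Suspicious Package, read the receipts and post-install scripts, and note which component actually launches the dropped app and which ones ask for root. The script below is an added example, not code from the thread, from FabFilter or from any release team, that does the same triage from a shell once the package has been unpacked with `pkgutil --expand` on a Mac. So that it runs anywhere, it constructs a fake expanded package tree inline (the component names, identifiers and script contents are made up for the demo; only "Simplon" and "CoreAudio.app" come from the thread), then reports, per component, the declared `auth` level from PackageInfo and every pre/postinstall line that launches the dropped app, hands ownership to root:wheel, sets a setuid bit or installs a launchd item. The regex of "suspicious" patterns is my choice, not anything Suspicious Package uses.

```shell
#!/bin/sh
# Added example: offline triage of an expanded macOS installer package.
# On a Mac the real first step is:
#   pkgutil --expand "installer.pkg" expanded/
# after which each component lives under expanded/<component>.pkg with a
# PackageInfo file and a Scripts/ directory. Everything below that is
# a sample tree is constructed for the demo, not the real installer's files.
set -eu

WORK="${TMPDIR:-/tmp}/pkgscan.$$"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/expanded/Simplon.pkg/Scripts" "$WORK/expanded/Pro-Q.pkg/Scripts"

# Constructed PackageInfo files: one component asks for root, the other does not.
cat > "$WORK/expanded/Simplon.pkg/PackageInfo" <<'EOF'
<pkg-info format-version="2" identifier="com.example.simplon" version="1.0" install-location="/" auth="root">
</pkg-info>
EOF
cat > "$WORK/expanded/Pro-Q.pkg/PackageInfo" <<'EOF'
<pkg-info format-version="2" identifier="com.example.proq" version="1.0" install-location="/" auth="none">
</pkg-info>
EOF

# Constructed post-install script that drops a helper app, chowns it to
# root:wheel, installs a launchd daemon and launches the app.
cat > "$WORK/expanded/Simplon.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
cp -R "$1/CoreAudio.app" /Applications/
chown -R root:wheel /Applications/CoreAudio.app
cp "$1/com.example.helper.plist" /Library/LaunchDaemons/
open -a /Applications/CoreAudio.app
exit 0
EOF

# Constructed benign post-install script for comparison.
cat > "$WORK/expanded/Pro-Q.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
touch "/Library/Audio/Plug-Ins/Components/.au-cache-refresh"
exit 0
EOF

# Patterns worth a second look in an audio-plugin installer (my list, an assumption):
# the dropped app itself, ownership handed to root:wheel, setuid/setgid bits,
# and persistence through launchd.
SUSPICIOUS='CoreAudio\.app|root:wheel|chmod +[0-9]*[4-7][0-7]{3}|chmod +.*[ug]\+s|LaunchDaemons|LaunchAgents'

# declared_auth COMPONENT_DIR -> prints the auth level the component declares.
declared_auth() {
    sed -n 's/.*auth="\([^"]*\)".*/\1/p' "$1/PackageInfo" | head -n 1
}

# scan_scripts EXPANDED_DIR REGEX -> prints each hit on stderr as
# "component (auth=...):script:lineno:text" and echoes the number of
# components whose pre/postinstall scripts matched at least once.
scan_scripts() {
    dir=$1; pattern=$2; flagged=0
    for comp in "$dir"/*.pkg; do
        hits=0
        for s in "$comp/Scripts/preinstall" "$comp/Scripts/postinstall"; do
            [ -f "$s" ] || continue
            n=$(grep -cE "$pattern" "$s" || true)
            if [ "$n" -gt 0 ]; then
                grep -nE "$pattern" "$s" \
                    | sed "s|^|$(basename "$comp") (auth=$(declared_auth "$comp")):$(basename "$s"):|" >&2
                hits=$((hits + n))
            fi
        done
        if [ "$hits" -gt 0 ]; then flagged=$((flagged + 1)); fi
    done
    echo "$flagged"
}

scan_scripts "$WORK/expanded" "$SUSPICIOUS"
```

On a machine where the installer already ran, the same questions can be asked of the receipts instead of the package: `pkgutil --pkgs` lists the installed receipt identifiers and `pkgutil --files <identifier>` lists every path a given component wrote, which is the quickest way to see whether CoreAudio.app was the only thing left behind.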
     