[amipwndidunno]

Why the hell doesn't the article say WHICH plugins were affected so users can know if they were likely affected?

[kepano]

The specific plugins don't matter for this attack. The attack relies on the user accepting a shared vault and trusting the shared plugins. A shared vault can contain plugins that don't come from the official directory.

[deafpolygon]

It does.

> It enables malicious versions of legitimate Obsidian plugins ('Shell Commands' and 'Hider') that are present in the shared vault.

[lossyalgo]

Thanks! I also scanned the detailed article looking for which plugins were affected and wasn't able to find it. Came to the comments looking for a quicker answer.

[tredre3]

Because no plugin is affected. This isn't a supply chain attack. The headline is deliberately obtuse. Here's the breakdown:

1. Plugins are stored inside your vault.

2. If you open a vault from an untrusted source, it could contain custom/malicious plugins that will run things on your computer.

3. Then end.