[nstart]

This is a misleading headline. It makes it seem like another supply chain attack where some good plug-in was taken over and used to deliver malware. Thats not the case here. Victims are invited to collaborate on a synced vault which comes preloaded with a non official plug-in that delivers the rat. Very very different story

[deafpolygon]

What’s misleading?

"Novel Campaign Abuses Obsidian Note-Taking App to Target Finance and Crypto Professionals with PHANTOMPULSE RAT”

It’s novel (new), an abuse of Obsidian, specifically targeting a group of people.. and the RAT is embedded in the vault.

[kepano]

The headline on HN is different: "Obsidian plugin was abused to deploy a remote access trojan". It's not a plugin that was abused, but the ability for shared vaults to contain plugins.

[deafpolygon]

Isn’t that nearly the same thing? It depends on the presence of a particular plugin which was abused to run remote commands.

[kepano]

No. The attack does not depend on the presence of a specific plugin. The ones listed in the article are just the ones that were used in the POC. Any plugin could be modified by the attacker if the user trusts the attacker and accepts 1. the vault, 2. the shared plugins, 3. disables restricted mode.