Over the past year, there has been one major unforeseen repercussion of the movie industry’s frivolous bullying of open source developers: security risks to Kodi users via the hijacking of deleted repositories.
Basically what’s going on is that copyright bullies like the MPAA and ACE are visiting Kodi addon developers and demanding that they delete their repositories immediately, or face legal action.
Regardless of whether the code in question is infringing or not, almost every developer immediately complies. Fighting a lawsuit against billion-dollar companies who disregard the law when it’s to their own benefit is no simple feat.
What has ended up happening after the fact, however, is that some unknown people have managed to “resurrect” these repositories by re-registering the deleted usernames on GitHub.
It turns out that as soon as a GitHub account is deleted, the username is immediately made available again to the public. And because of the way Kodi repositories update, this gives the new username’s owner carte blanche to push updates.
The most recent victim of repo hijacking has been none other than Mr. Blamo himself. He was visited by one of the big movie groups, who gave him an ultimatum: agree to their terms and cease development, or be sued.
This whole situation has been quite disturbing because users of these compromised repositories could end up at serious risk if some form of malware were to be pushed.
Our investigation, however, has determined that this most recent event appears to be the work of some ‘Kodi vigilante’ trying to keep Kodi users’ addons alive, since nothing malicious or monetizable seems to have been shared.
Whoever took over the MrBlamo420 GitHub repository seems to have pushed an unsanctioned fixed version of Exodus which has been floating around. This version just so happens to also include our Indigo tool as a dependency, although we strongly condemn these actions.
It is very important that users take particular care with which repositories they install. When in doubt, it is better to simply install the addon you need without its repository, so that you can be in control of updates. Either that, or disable automated updates within Kodi.
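To make the advice above concrete, here is an added example (not code from this article, Kodi or Indigo) that reads a repository addon's `addon.xml` and lists the GitHub usernames its update URLs depend on, which are the names that matter if an account is deleted and re-registered. The sample XML and the `ExampleDev` account are constructed; the `info`/`checksum`/`datadir` elements are the standard Kodi repository addon layout.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a repository add-on's addon.xml (not a real repository).
SAMPLE_ADDON_XML = """<addon id="repository.example" name="Example Repo" version="1.0.0">
  <extension point="xbmc.addon.repository" name="Example Repo">
    <dir>
      <info>https://raw.githubusercontent.com/ExampleDev/repo/master/addons.xml</info>
      <checksum>https://raw.githubusercontent.com/ExampleDev/repo/master/addons.xml.md5</checksum>
      <datadir zip="true">https://exampledev.github.io/zips/</datadir>
    </dir>
  </extension>
</addon>"""

GITHUB_HOSTS = ("github.com", "www.github.com", "raw.githubusercontent.com", "raw.github.com")


def github_account(url):
    """Return the GitHub username a URL depends on, or None if not GitHub-hosted."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host in GITHUB_HOSTS:
        return parts[0].lower() if parts else None
    match = re.fullmatch(r"([a-z0-9-]+)\.github\.io", host)
    return match.group(1) if match else None


def audit_repository(addon_xml):
    """List a repository add-on's update URLs and the GitHub accounts behind them."""
    root = ET.fromstring(addon_xml)
    urls = []
    for ext in root.iter("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        # <info>, <checksum>, <datadir> may sit under <dir> or directly under <extension>.
        for node in ext.iter():
            if node.tag in ("info", "checksum", "datadir") and node.text:
                url = node.text.strip()
                urls.append((node.tag, url, github_account(url)))
    accounts = sorted({account for _, _, account in urls if account})
    return {"id": root.get("id"), "urls": urls, "accounts": accounts}


if __name__ == "__main__":
    report = audit_repository(SAMPLE_ADDON_XML)
    print(report["id"], "depends on GitHub accounts:", report["accounts"])
```

To audit a real install, run it over each `repository.*/addon.xml` in Kodi's `addons` folder; any listed account that no longer belongs to the original developer is a reason to disable that repository.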
Rest assured, if you have our Indigo tool installed you have a degree of protection against malicious Kodi addons. It will automatically disable malicious plugins in the event that they are detected on your device.
In line with our policies, should something malicious end up pushed through Mr. Blamo’s abandoned repository, it will be disabled by Indigo without further delay. We do, however, strongly recommend manually disabling that repository immediately.