When multiple people report your app release as having a keylogger, maybe don't get super defensive and actually investigate? They (two of the three lead devs) seem to just be repeating "that's not in the source code" over and over as if that excuses a supply chain compromise...
The maintainers' response and unwillingness to investigate or ask for more information is really disappointing. Perhaps it's because they're hit by false positive fatigue? But, still... an odd conversation there.
It's scary how much of the software supply chain we assume is safe. We pull stuff off of GitHub, Docker Hub, npm all the time simply trusting the author isn't up to no good and that the source hasn't been compromised.
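The trust problem that comment describes has a routine defensive counterpart: pin the digest of the artifact you actually reviewed and refuse anything that does not match. The following is an added example, not code from this thread or from any project named in it; the artifact bytes are constructed, and the "lockfile" pins are computed from them inline. It shows both a plain hex SHA-256 pin and the npm `package-lock.json` style `sha512-<base64>` integrity string, and demonstrates that a single appended line is enough to fail verification.

```python
import base64
import hashlib
import hmac

# Constructed sample artifact: stands in for a downloaded tarball, image
# layer or npm package. Not a real release.
ARTIFACT = b"example-package-1.0.0 contents (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the form most release pages publish beside a download."""
    return hashlib.sha256(data).hexdigest()


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity style string, as stored in package-lock.json
    ("sha512-" followed by the base64 digest)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def verify_pinned(data: bytes, expected: str) -> bool:
    """Compare data against a pinned digest.

    Accepts either a hex SHA-256 or an SRI 'sha512-...' string. The
    constant-time compare avoids leaking how many leading characters matched.
    """
    if expected.startswith("sha512-"):
        actual = sri_sha512(data)
    else:
        actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected)


# Pins are computed once, from the artifact a reviewer actually inspected,
# and recorded (here inline; in practice in a lockfile or a checksums file).
PINNED_SHA256 = sha256_hex(ARTIFACT)
PINNED_SRI = sri_sha512(ARTIFACT)


def demo() -> dict:
    """Run the check on the clean artifact and on a tampered copy."""
    # Constructed tampering: one line appended at build or publish time.
    tampered = ARTIFACT + b"# injected at publish time\n"
    return {
        "clean_sha256": verify_pinned(ARTIFACT, PINNED_SHA256),
        "clean_sri": verify_pinned(ARTIFACT, PINNED_SRI),
        "tampered_sha256": verify_pinned(tampered, PINNED_SHA256),
        "tampered_sri": verify_pinned(tampered, PINNED_SRI),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

A digest pin only proves the bytes match what was pinned; it says nothing about whether the pinned version was itself clean, which is why the pin should be taken from an artifact someone actually reviewed, and why a signature from the publisher (as the later comment about installer signing raises) is a separate, complementary check.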
Redacted title. Maybe that's OK because the original title is really meaningless out of context. But at least it could mention Windows, as a Linux user I don't need to care.
(Not claiming that Linux is inherently more secure in this aspect. Packages are typically installed as root and a bad package can have fatal consequences. The bug does not discuss whether their Windows installer is signed and who signed it.)
https://www.malwarebytes.com/blog/news/2016/09/transmission-...