YouTube player

Popular Open Source software Moq has broken user trust by quietly making changes that collects user email addresses. The popular software is distributed on the NuGet software registry and has been downloaded over 476 million times. The change was made in early August and included a dependency called SponsorLink. SponsorLink is closed source and contains obfuscated code which collects hashes of user email addresses. Those emails are sent to SponsorLink’s servers. The changes was made from version 4.20.0. In reaction, developers had threated to discontinue use of Moq in favour of alternatives, and building tools that would detect and block any projects that run SponsorLink. Even AWS, which had sponsored the project in the past has taken steps to distance itself from the project. The controversial change to Moq had been rolled back in version 4.20.2. However, user trust has already been broken and there remains a possibility of future re-introduction of similar functionality.

This segment was created for the It’s 5:05 podcast