cross-posted from: https://sh.itjust.works/post/923025
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
So the take-away so far is that lemmy.world including admin accounts may be compromised. XSS attacks are being used, perhaps in a targeted, perhaps generalized fashion to steal session cookies which is pretty bad as it allows the attacker to gain the login session of any victims. In the case of an admin they could do anything an admin could which is pretty bad as far as being able to steal user information, plant further malware, escalate the attack, etc.
Do not visit lemmy.world, be wary of any and all links you click.
Saw a claim on hexbear that the instance doing the attacks is zelensky dot zip which is definitely something though what I don’t know.
You should be able to invalidate any active login sessions by changing your password.
https://pastes.io/f2avblo0ev
https://web.archive.org/web/20230710051744/http://zelensky.zip/
I had to use FireFox’s readability feature to even read the site. It’s like a ytmnd up in here.
Here is the raw text of and a link to an archive of zelensky dot zip.