Hello,
This is a security advisory to let you know that none of the Scissors infrastructure has been compromised as part of the recent fractureiser malware discovery. Scissors is hosted on the Plexus CI server and I have ran the script provided by Prism Launcher and no results came up. I will continue to monitor the server for any changes. Note that any Scissors jars you may have downloaded that were NOT from the CI server may not be safe as apparently this malware attempts to infect all .jar files. We recommend only downloading the latest version from the Plexus CI server.
Note that Scissors was hosted on a separate Jenkins instance until very recently. That Jenkins installation was not affected. Fleek's dedicated server was being used to build Scissors as the agent provided by Wild was almost always offline. I have checked Fleek's dedicated server and that was not infected either. As far as I am aware, official builds of Scissors were not impacted and I will continue to monitor the Plexus CI server.
Checking Scissors JARS
You can check the authenticity of Scissors JAR files using Jenkins.
Step 1. Go to the following link: https://ci.plex.us.org/fingerprintCheck
Step 2. Upload a JAR. You should see a page like this if the JAR is authentic.
If the JAR was not found in Jenkins, you will see this page instead
Note that JARs you may have downloaded from the CI server may not actually show up. This is due to moving Jenkins instances as of recent so older builds won't show up. The recommendation is to download the latest build from the CI server and discard any old builds, official or not.
