Supply chain alert: Sipeed's official COMTools software flagged as a trojan
Sipeed is a Chinese hardware manufacturer known for embedded AI systems, RISC-V development boards, and edge computing modules (K210 AI accelerators, MaixSense ToF cameras, LicheeRV boards). They're fairly established in the maker and embedded systems community.

I downloaded their official COMTools utility (serial communication tool for device configuration) directly from their distribution server at dl.sipeed.com - the link provided in their official documentation.

Multiple security scanners are flagging it as trojan malware:

- VirusTotal: https://www.virustotal.com/gui/file/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/detection
- Hybrid Analysis: https://hybrid-analysis.com/sample/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/690e6b0ff38090310e09c79d

More concerning than the detections is the observed behavior:

- Random cmd.exe processes spawning periodically
- Persistent background activity
- BitLocker recovery triggered after offline virus scan
- Suspicious network connections

This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).

Two possibilities:

1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries
2. Aggressive false positive (seems less likely given the behavioral indicators)

I'm currently comparing SHA256 hashes between the website version and their GitHub releases to determine if there's a discrepancy.

If this is a supply chain attack, it could affect a significant portion of the embedded systems development community, particularly those working with AI edge devices and RISC-V systems.

I've reported to Sipeed, Microsoft Security, and various security researchers. Has anyone else in the HN community used Sipeed products and can verify their COMTools installation?

SHA256 of flagged file: 66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8

Official (potentially compromised) source: https://dl.sipeed.com/shareURL/MaixSense/MaixSense_A010/software_pack/comtool
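The hash comparison the poster describes is the one check any reader can repeat on their own copy. Below is an added example (not code from the post, from Sipeed, or from any Sipeed repository) that hashes a downloaded file in a streaming fashion and compares it either against a single published digest or against a sha256sum-style manifest of the form `<hex digest>  <filename>`, which is the format GitHub release checksum files commonly use. The only real value in it is the flagged digest quoted in the post; the file names, the manifest and the file contents in `demo()` are constructed for the demonstration, and a "mismatch" on a vendor-hosted download is exactly the discrepancy the poster is looking for.

```python
"""Verify downloaded artifacts against published SHA-256 digests.

Added example, not the post's or Sipeed's own code. Given a local copy of a
download and the digest the vendor publishes, report whether they match.
Also accepts a sha256sum-style manifest ('<hex digest>  <filename>' per line).
"""
import hashlib
import hmac
import os
import tempfile

# Digest quoted in the post for the flagged dl.sipeed.com file.
FLAGGED_SHA256 = "66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'digest  filename' lines (sha256sum / GitHub checksum format).

    Returns {filename: digest}. Blank lines and '#' comments are ignored;
    a leading '*' on the filename (sha256sum's binary-mode marker) is stripped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {raw!r}")
        table[name] = digest
    return table


def verify_file(path, expected_hex):
    """Return (status, actual_digest); status is 'match' or 'mismatch'."""
    actual = sha256_of_file(path)
    # The digest is public, so timing is not a concern here; compare_digest
    # is simply the idiomatic way to compare digests in Python.
    ok = hmac.compare_digest(actual, expected_hex.lower())
    return ("match" if ok else "mismatch"), actual


def verify_against_manifest(directory, manifest_text):
    """Check every manifest entry against the files in `directory`.

    Returns {filename: status} with status 'match', 'mismatch' or 'missing'.
    """
    results = {}
    for name, digest in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        status, _ = verify_file(path, digest)
        results[name] = status
    return results


def demo():
    """Constructed sample: one file matches its manifest entry, one was altered,
    one listed file was never downloaded. File names and contents are made up."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "comtool_good.zip")
        bad = os.path.join(d, "comtool_tampered.zip")
        with open(good, "wb") as f:
            f.write(b"sample installer bytes")
        with open(bad, "wb") as f:
            f.write(b"sample installer bytes, modified")
        manifest = (
            "# constructed manifest, not a real Sipeed release file\n"
            f"{sha256_of_file(good)}  comtool_good.zip\n"
            f"{sha256_of_file(good)}  *comtool_tampered.zip\n"
            f"{FLAGGED_SHA256}  comtool_not_downloaded.zip\n"
        )
        return verify_against_manifest(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

For a real check, point `verify_against_manifest` at the directory holding the dl.sipeed.com download and feed it the checksum file from the GitHub release page (or call `verify_file` with the digest printed there); a match only tells you the two copies are byte-identical, so if the GitHub artifact is itself the flagged build, both will agree and the behavioral indicators still need to be investigated separately.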