Reporting potential abuse

(Matt Young) #1

Thanks to this community for creating such a great tool!

How does one report potential abuse by a contributor/cask?

I ran brew cask install sublime earlier today, thinking I’d get my favorite text editor. Instead, I installed an “app” by “Saluki Studios” that seems to have no other purpose than soliciting PayPal donations. Very sketchy!

1 Like
(Steve Peters) #2

It looks like that cask was originally submitted as sublime-subtitles in https://github.com/Homebrew/homebrew-cask/pull/15865 but was renamed to sublime during the review process?

(Matt Young) #3

Not sure what happened under review, but the cask embeds itself in the mac’s “applications” folder as Sublime. The app seems to solicit paypal donations, but nothing more.

It is so sketchy. When I first opened it, I had the sinking feeling that I’d installed ransomware.

(Franklin Yu) #4

Two more observation:

  1. It has never been really updated since it’s added initially. All the updates are things like homepage URL or DSL update.
  2. The homepage (https://salukistudios.com/sublime/) is now 404.

We might want to remove this formula? Or is there a “deprecation process”?

(Steve Peters) #5

This is what the website used to look like: https://web.archive.org/web/20151227025916/http://www.salukistudios.com/

(Claudia) #6

Thanks for your report and observations @mattalytics and @franklinyu.
Homebrew depends on vigilant users like you!

Looking at the analytics, the sublime cask has about 5,000 yearly installs. It’s difficult to tell how many of those installs are due to name confusion.

While I don’t have a strong opinion about removing the cask, 5k are quite a number.
No engines are currently reporting the binary as malicious.

I have just fired up Hopper to quickly reverse the binary. While the app does solicit PayPal donations, it doesn’t appear be malicious or deceptive; the code contained in the binary is consistent with the features it claims (drag/drop subtitle acquisition). The code reaches out to an XML-RPC service at https://api.opensubtitles.org.

@mattalytics Can you confirm the app does not work at all for you?

2 Likes
(Claudia) #7

Thanks @scpeters!

I see that the latest archive.org capture seems to be nine months old. That means the homepage is probably gone for good.

Due to lack of a homepage, I’ll gladly accept a PR that deletes the sublime cask.

1 Like