# intellij-plugins
d
There is this plugin to integrate a serial console into IDEA: https://plugins.jetbrains.com/plugin/8031-serial-port-monitor It is one of the several plugins published under the JetBrains branding that do not publish any changelogs, which I had brought up two or three years ago, but whelp. What my actual issue is: this plugin is receiving multiple updates per month, per week, and in recent days sometimes even per day. And even worse: the associated git repository has not had any commits for over a month: https://github.com/JetBrains/intellij-plugins/tree/master/serial-monitor This does ring quite a few security-related bells for me. Before I start bin-diffing and analyzing, does anyone know any possible explanation for this?
243.24978.60 -> 243.24978.74: The serial monitor jar inside the plugin does not really have any notable change. But there is jssc-2.9.5.jar, where I found things like in the attached screenshot:
The jssc library was not touched for over a year!
The included osx_64 library does not seem to raise any flags with virustotal: https://www.virustotal.com/gui/file/51c93067f6af9cb88ab685cd990e7cc5da58aaff6daf5d0877834b31a7e40fbd/detection It is also signed by Jetbrains.
Still, this all raises a lot of flags for me. The included jssc has the META-INF with pom.xml for version 2.9.5, which is two years old. Why the dynamic link libraries are changing between updates is unclear.
Is the stable jssc release constantly re-bundled with updates of the native library, and somehow the signing is changed at the same time? I'd really like some insights into this; this also feels like a security issue.
(The plist might just be a default permission list for the Apple sandboxing for a more recent build; it does not necessarily mean that the application gets these permissions. But I am not too familiar with the Apple permission system.)
b
Maybe it's just a case of the CI automatically building and publishing a new version every time there's a commit in the overall repo (even if it doesn't concern the plugin).
d
Yeah, it might be tracking the dynamic library for some reason. The jssc dependency itself has a release version of 2.9.5 (also in the pom), which itself did not change. I do not know why one would auto-update the binary dynamic library without the Java dependency that uses it.
Ah, I did not even realize that I am on the Kotlin Slack, not the JetBrains Slack. I'll report it over there.
Oh, the official support page still links to the Slack which seems no longer active.
b
Yeah, you're supposed to use the Discourse now, since last week. (You should totally open a thread there about the official page not being up to date, though.)
d
On it
Done (the Support page issue). And if anyone from your wants to follow up on the plugin issue: https://platform.jetbrains.com/t/unexplained-binary-change-in-jetbrain-official-plugin-potential-supply-chain-attack/590/1