alt.hn

5/10/2026 at 10:02:43 PM

Obsidian plugin was abused to deploy a remote access trojan

 https://cyber.netsecops.io/articles/obsidian-plugin-abused-in-campaign-to-deploy-phantom-pulse-rat/

by cmbailey

5/11/2026 at 2:03:37 AM

Obsidian CEO here. There is a major update coming soon for plugin security. I think it will address many of the concerns people have raised in this thread. It's a hard problem but we are working on it.

That said, the headline is misleading. This article is about a social engineering attack that requires the user to actively reject multiple safety warnings in Obsidian. As far as I know this is a proof of concept, I haven't seen any reports of users being affected by this attack.

by kepano

5/11/2026 at 2:05:10 AM

lol we told you plugins were insecure years ago. I distinctly remember getting flamed in your discord because I said that they had full disk access. Too little too late.

by ibash

5/11/2026 at 12:38:06 PM

The insecurity is part of the benefit. Obsidian being so open, allowing easy customizing is what makes it great. They should add some more bells, whistles and guards to prevent sneaky social attacks, but they can't close Obsidian all together, or it would kill the app.

by PurpleRamen

5/11/2026 at 5:09:45 PM

There's open, and then there's "full disk access, even outside the vault" open.

by fooqux

5/11/2026 at 6:35:57 PM

What do you propose? Even if they configure node's lowest level file APIs to block any access to paths outside the vault, plugins can still execute arbitrary shell commands who will have access to the entire OS.

And before you say it's useless and should be stopped too, well, that's a fine opinion! But then you lose plugins providing git integration, automated backups, document conversion using pandoc, etc. Many users might value that greatly.

A permission system for their plugins might be the only solution, annoying permission request popups and all.

by tredre3

5/11/2026 at 9:09:55 PM

That's a good point. I think I'd solve this in two steps.

0) scripts and plugins should only be able to operate on the text in the vault. Just like how I expect a snippet of JavaScript running in my browser to only have access to the website and not to my entire disk.

1) Any commands that run outside of this sandbox need to be approved first. Obviously this could get annoying, but there's tricks you could use here to help.

Obviously this is a high level approach and I'm not on their team, so this is basically armchair programming. But since you asked, it's okay. ;)

by fooqux

5/11/2026 at 7:09:57 AM

You better delete all third-party applications for they are having full disk access.

by enoch2090

5/11/2026 at 7:48:15 AM

Hello, 2010s called.

In 2026, applications, third or even first party, don't need to have full-disk access, and are not given either. They see a jailroot environment. I give full disk access to the terminal app, and a handful of others. 90% of them, nope.

At least that's the case in macOS, I'm pretty sure Windows can do that too. Linux of course has had such capability since forever, but I guess most distros you need to manually take care of it.

by coldtea

5/11/2026 at 10:50:09 AM

Sadly, Windows cannot do that. Every installed program has full disk access by default. It's very, very difficult to make it not so.

by andersa

5/11/2026 at 3:25:47 PM

https://learn.microsoft.com/en-us/windows/security/applicati...

by mfro

5/11/2026 at 6:29:07 PM

Microsoft has refused to allow any kind of persistence of these sandboxes making them absolutely worthless. Such a waste of an otherwise good feature.

by andersa

5/11/2026 at 5:15:17 PM

Windows Sandbox is not for persistent apps

by cachius

5/11/2026 at 11:58:02 AM

Windows has had that feature for 9 years. https://learn.microsoft.com/en-us/defender-endpoint/controll...

by TiredOfLife

5/11/2026 at 6:34:18 PM

This is implemented the wrong way around. Each program should only have access to its own folders by default, with it being possible to grant additional access. Also, I don't believe Endpoint stuff is included in the normal Windows license.

by andersa

5/11/2026 at 11:22:05 AM

AppContainer (e.g. used in uwp or msix)

by 0x073

5/11/2026 at 6:30:04 PM

Can you configure that as a user for an unsafe program you want to run such as an online game? I think not.

by andersa

5/11/2026 at 12:16:31 PM

Maybe it isn't built-in, but most Windows user I've worked with, including myself, have been using Sandboxie for probably two decades at this point, probably hard to find any Windows software that is more ubiquitous than Sandboxie in developer circles.

by embedding-shape

5/11/2026 at 6:33:05 PM

Sandboxie is essentially a giant pile of fragile hacks on top of a Windows API that does not want to be used this way. Does it seem like it works most of the time? Sure. Has it had bypasses? Also yes. I've used it in the past but I don't truly trust it.

by andersa

5/11/2026 at 9:41:07 AM

Interesting. Do I get this sandboxing out of the box when I install apps with Homebrew? Or do I need to do something specific?

Would love to enable this for all apps, and add exceptions for the ones that need more access.

I installed Lulu and BlockBlock recently, and want to do more to harden my Mac.

by eneveu

5/11/2026 at 10:11:06 AM

This hardening is enabled by default with Gatekeeper. That includes Homebrew apps, unless you disable it.

When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given on System Settings (Privacy & Security -> Full Disk Access).

by cassianoleal

5/12/2026 at 8:08:52 AM

That's probably all the hardening the average person needs. BlockBlock because most malware tries to get persistence. Little Snitch or LuLu for fine-grained whitelisting of network requests for any apps that have plugins (e.g. you give Documents permissions to Obsidian, plugins inherit that, but they can't exfiltrate if you only allow requests to trusted domains).

by concinds

5/11/2026 at 8:37:19 AM

I've never tried to do this or similar in Windows (obviously easy in unix-like environments) but I'm going to bet it's far more trouble than it's worth for 99% of users

by finghin

5/11/2026 at 9:34:39 AM

On macOS at least those 99% of users are probably installing from the App Store, where apps are sandboxed by default and need to explicitly ask for access to paths outside that sandbox. Even when not installed from the App Store a permission dialogue is popped if an application tries to read from sensitive paths like your photo library.

by jon-wood

5/11/2026 at 12:34:18 PM

Does that help in this case though? I think the worry is that a rogue Obsidian plugin does bad stuff with your Obsidian vault, not just do stuff to the rest of the computer. But that vault/those notes live in the same sandbox as the (rogue) 3rd party plugin, which doesn't help with that, they really need to be isolated away from the notes themselves.

by embedding-shape

5/11/2026 at 5:01:51 PM

Anything that reduces the blast radius helps. There should still be a focus on further hardening. Most value comes from exploits that enable pivots. Attackers will focus on other vectors that enable broader pivots because immediate high value notes only exist for a limited set of users.

by zerkten

5/12/2026 at 2:16:13 PM

In this case, no, not really because the plugin is running within the same sandbox. I was addressing the more general point in the grandparent post.

by jon-wood

5/11/2026 at 11:16:12 AM

For real security, operation should only be allowed after 24h of cooldown.

by silon42

5/11/2026 at 3:49:39 PM

User should be required to explain the situation to an older and a younger family member, and get permission from both of them.

by SamBam

5/11/2026 at 9:58:32 AM

In the scenario where you take care of it yourself the rogue plugin would not be an issue either.

I have no idea how to do that in Windows though.

by graynk

5/11/2026 at 12:42:33 PM

Yes you can sandbox Obsidian on the OS. The point they're making is nearly every third party program ships Without sandboxing. There's nothing special about Obsidian here.

by Capricorn2481

5/11/2026 at 3:35:25 AM

These types of problems usually only get fixed when it’s too late.

by stingraycharles

5/11/2026 at 5:00:41 AM

"Sorry we got caught" reactiveness.

by cromka

5/11/2026 at 1:35:34 PM

[dead]

by redsocksfan45

5/11/2026 at 6:29:42 AM

Lol it's a social engineering attack. What are you talking about. Don't run programs you don't trust, especially when being asked to do so by strangers on the line.

by yard2010

5/11/2026 at 10:25:24 AM

[dead]

by redsocksfan45

5/11/2026 at 7:57:02 PM

Obsidian is great. And glad to see how you’re looking at plugin security. But one more thing you should consider is: How do you reduce the need for plugins for basic product behavior. E.g., I use a plugin to be able to open a file in new tab instead of replacing current tab. That should be a setting, not a plugin I’m forced to use.

by sinatra

5/11/2026 at 9:36:09 PM

I don't understand the hate here. Obsidian is a well working product that scratches many inches. Plugins allow to scratch some more itches, but are not mandatory.

I am using several plugins and would prefer not to, but they allow me to bring the (mobile) app closer to what I want (notably templater and homepage as I want to get a new daily note sorted in monthly folders, which obsidian doesn't seem to allow natively).

Maybe an alternative would also be to more explicitly allow users to create their own scripts - but maybe that's possible and I just don't know.

Overall I think the key challenge with obsidian use is that it offers too much, and there's a lot to fiddle with. While it will bother the power users probably best would be to just move on many ways to "default" behaviours and e.g. make many of the "core plugins" just settings to make the list lsss overwhelming.

by goobatrooba

5/11/2026 at 11:39:09 AM

I don't know how hard it would be but IMHO adding some kind of permissions dialog(?) akin to Android would go a long way. 99% of Obsidian plugins don't need full disk access, or internet access for that matter.

by lossyalgo

5/11/2026 at 12:14:11 PM

That'd require some sort of sandbox, which they already seem to not want to have, for whatever reason. If you don't want that, and you want to use JS, building any sort of permission system on top of that that you cannot easily work around, gets really tricky if not impossible.

by embedding-shape

5/11/2026 at 5:48:12 PM

Obsidian stands beside the terminal and Firefox as one of the pieces of software I use the most every single day. Thank you for all you're doing.

-

I've read the article describing the attack, and my very first thought was utter surprise that the entire attack chain started with someone accepting a shared vault from a stranger via social media (linked in and similar). That seems really, really strange to me.

I've never shared a vault - but if I did, I'd probably do so as a git repo of markdown files.

It would be interesting to see a blog post from Obsidian about "good hygiene for sharing vaults".

by schaefer

5/12/2026 at 1:03:44 AM

Will that new security interfere with plugin functionality though? I can't really do without some of them, in particular selfhosted-livesync. It's not even that I don't want to pay you for hosting my notes, it's that I don't want them on somebody else's server even end to end encrypted. If I could pay and run my own official sync server I probably would.

by wolvoleo

5/11/2026 at 5:08:14 AM

Your product rules. Thanks.

by jesse_dot_id

5/11/2026 at 12:28:21 PM

Will there finally be an option to move the .obsidian-folder outside the vault and ignore them inside vaults by default even if plugins are activated?

by PurpleRamen

5/11/2026 at 4:46:59 AM

> actively reject multiple safety warnings

Is this like a popup? which most people actively accept without blinking

I think plugin/extensions should be a bit harder to run by default. I get the user friction from extra hurdles before using their plugins etc., but I don't think there is an actually safe way to execute arbitrary code, unaudited, without sandboxing, or other restrictions.

by hackermanai

5/11/2026 at 5:08:18 PM

It's not one pop-up. To fully replicate the concept you have to agree on three separate screens (and these are not in quick succession):

1. exit restricted mode to allow third-party plugins

2. trust the author of the vault that's being shared with you

3. trust the plugins being shared with you via sync

by kepano

5/11/2026 at 7:45:30 AM

The pop-ups and "social engineering" in question are things that any users in HN likely already accepted, which is to enable community plugins. These community plugins are the backbone of Obsidian and where a lot of the meat is behind its fame come from.

There's no protections beyond that, community plugins can do whatever they want. Thankfully, the vast majority of them are open-source.

by Daedren

5/11/2026 at 1:23:02 PM

I'm gonna push back against the "backbone of Obsidian" part. I'll argue that vanilla Obsidian is plenty powerful enough.

I know many people swore / swear by the datatables plugin, but now that Bases in core, you can get pretty far without it, no?

by kevinmgranger

5/11/2026 at 4:44:08 PM

I agree with you that vanilla Obsidian is plenty powerful, but it's exactly like Vim's case. It's good enough on its own, but there's always more.

There's countless articles and videos about various community plugins and even curated selections of them depending on your use case for Obsidian.

by Daedren

5/12/2026 at 1:11:01 AM

I can't do without the livesync plugin. And also copilot (connected to a locally hosted LLM of course) and readitlater.

by wolvoleo

5/11/2026 at 9:58:28 AM

As someone who doesn't use shared vaults - would the warning popup, 'to enable the "Installed community plugins" synchronization feature', not be on a per shared vault basis? Is trusting a single shared vault for plugin sync going to mean I sync my plugins for every shared vault?

IMO that's an issue in and of itself, but it doesn't read that way in the (very unclear) original article.

by rithdmc

5/11/2026 at 7:55:34 AM

This. Make it like a vim mode, input “I know what I’m doing” or even require some basic fizz buzz.

by wiseowise

5/11/2026 at 4:01:30 PM

I've been using obsidian for years as a paying customer. Will continue to pay as price point is good and it just works. However, unless plugin security massively improves I will never install any plugins.

by sneilan1

5/11/2026 at 4:30:26 PM

Obsidian is only seven people but we are working on this from all three angles:

1. Make community plugins less necessary over time as basic features become part of core

2. Improve the security of community plugins

3. Make it easy to create your own plugins that you can fully trust, e.g. with the recent release of Obsidian CLI

by kepano

5/12/2026 at 12:18:09 AM

If you can build in one thing, I'd pick something equivalent to Omnisearch. That makes it much easier to find things. I always struggle with the default search.

by sharps1

5/12/2026 at 1:08:28 AM

True the default search is really good at not bringing up what I'm looking for. It's the #1 improvement point for me.

by wolvoleo

5/11/2026 at 2:19:12 AM

Releasing the source code to the clients would also address many of our concerns.

by sebastienbarre

5/11/2026 at 2:32:07 AM

How would that make a difference for plugin security? Almost all plugins are already open source.

If you mean for the security of the app without plugins you can currently inspect the app's code in app.js and review third-party audits:

https://obsidian.md/security

by kepano

5/11/2026 at 11:02:50 AM

[flagged]

by foofloobar

5/11/2026 at 12:32:05 PM

This is pearl clutching. This feels like a massive overreaction. If you don't want to use it because it's not open source, that's fine, but you're spreading a lot of snarky FUD about the creators.

They are not making excuses, they stated clearly why open sourcing it is tangential to this problem at best, and they're not the only user to call out the hijacking of the thread. They have been quite clear about why they keep it closed source, so I don't know why you're making it sound like they are lying to their users.

Your rant about audits has little to do with the article too. Telling everyone we're going to get rug pulled is exactly the kind of performative FUD that is meant to get a reaction more than anything.

Speaking for myself, I'm going to keep using it, because nothing has come close to the convenience and performance. Would love an open source alternative to prove me wrong, but I haven't seen it.

by Capricorn2481

5/11/2026 at 1:20:11 PM

That's your opinion. I respect your choices and your opinions. I speak for myself. This is the first time I've seen this company's CEO post somewhere. I really couldn't trust this software less.

To be fair, when someone comes up with excuses for not making something open source, it comes off as dishonest. Be honest. Say that you want to keep it closed to keep control and make money. There's no need to say otherwise. I do the same. I keep code private to make money. I don't say more than that.

You'll see a plethora of such apps made with LLMs. People will write something custom to meet their own needs and to have the features they need.

by foofloobar

5/11/2026 at 1:40:16 PM

Consider a quick search. I have answered this question many times over the years, e.g. https://x.com/kepano/status/1701359669791670416

If you look at my GitHub profile[1] you'll see that the majority of my time is spent on open source. But my priority is open sourcing the tools and libraries I would want if I were building an alternative to Obsidian (Defuddle, JSON Canvas, Web Clipper, Importer, Flexoki, etc) because I believe all software is ephemeral and that files matter more than apps[2].

Obsidian is a free app made by seven people. If we were purely financially-motivated there are many levers we could have pulled, e.g. adding feature gates, not allowing alternatives to our paid services into the official directory, etc. But as I wrote in the tweet linked above, I have spent decades making open source projects and those have never paid the bills. So yes, there is some financial motivation behind that decision.

[1]: https://github.com/kepano

[2]: https://stephango.com/file-over-app

by kepano

5/11/2026 at 2:23:41 PM

I've read your twitter post. That makes sense. I've read a blog post or some kind forum thread in which it was said that the maintenance of Obsidian as an open source project would be an issue and some other similar statements. This was a while ago.

Some are OK with the use of a closed source note taking app. Perhaps an enterprise version with a different feature set might be useful to companies.

For notes written on my own computer, I use open source software to write and handle the sync myself.

by foofloobar

5/11/2026 at 1:40:31 PM

> when someone comes up with excuses for not making something open source

This is a wild take even coming from HN. Nobody needs an excuse to not make something open source.

This sort of entitlement does, and has done, far more damage to the OSS movement than anyone's "excuses" for not open sourcing their code. Full stop.

You can absolutely prefer open source software and choose not to trust closed-source apps. That’s all fair. But treating closed source itself as evidence of deception or impending betrayal is exactly the kind of ideological purity test that makes these conversations exhausting.

by prsimp

5/11/2026 at 2:10:43 PM

You've got it backwards. It's the fact that long arguments were written against making it open source that have determined me to make that statement. You don't have to provide an argument for not making it open source. It's the fact that arguments were made against making it open source or at least source available.

The business model is obvious. Sell the sync service.

Either way, that's your opinion.

by foofloobar

5/11/2026 at 12:25:14 PM

"Oh, please, say you want to keep it closed source because you're afraid you'll lose money and control."

That's not good enough for open source zealots. That's when you end up being the headliner in an endless flood of blog posts and detailing comments telling everyone you're a 'proprietary evil man'. It's open source or nothing. And how dare you make money.

by GlacierFox

5/11/2026 at 9:14:44 AM

you’re basically hijacking this post. this is almost entirely irrelevant. CERTAINLY highly tangential.

by UqWBcuFx6NV4r

5/11/2026 at 7:24:30 AM

LMAO. That won't happen in a million years. They are bending over backwards not to give proper file access on iOS so they can sell subscriptions. Do you think they would do such a crazy thing? I bet you my life savings it won't happen.

by system2

5/11/2026 at 11:49:36 AM

They are being roasted in the comments because they give file access to the plugins, now they are bad because they don't give file access. There is no winning lmao

by poulpy123

5/12/2026 at 1:28:42 AM

I O S.

I O S. APPLE ECOSYSTEM. MOBILE STUFF.

by system2

5/11/2026 at 3:23:11 PM

> multiple safety warnings in Obsidian

Idk, I've always thought it was odd that the "community plugins" settings pane seemed more concerned with assuring the user that community plugins were fine than actually explaining the risk.

There is literally a single sentence about the fact that plugins "may cause data integrity and security issues", and it is hedged with the mealy-mouthed modifier "like any other software you install". The absolute majority of it - maybe 80% of the text by window height - is about the measures Obsidian does to vet and secure plugins. All of it appears to be written with the intent to placate any concerns.

Is this the safety warning? The screen that says that community plugins could cause issues "like any other software", but they're actually super safe and vetted and totally fine? Is it surprising that a person, faced with a screen like this, would be susceptible to a social engineering attack?

by troad

5/11/2026 at 3:33:36 PM

To replicate this attack you have to also reject two more safety warnings. The user has to accept a shared vault (you have to click "trust author of this vault"), and you have to activate syncing remote plugins.

by kepano

5/11/2026 at 3:41:10 PM

The first safety warning assures the user that "plugin security is important to [Obsidian]". That Obsidian plugins undergo initial code review by Obsidian themselves. That "many" plugins are open source and that Obsidian has a "large community of developers who watch out for each other". (At this point I'm not sure how this screen even qualifies as a safety warning. Seems more like a billboard for enabling plugins?)

Given that vaults are just Markdown documents, and plugins are so safe (or so Obsidian seems to claim), why should a person feel at all concerned clicking yes to these prompts? Is it still a social engineering attack when the app appears to encourage you along the way? Are these even safety warnings, or just (vaguely encouraging) confirmation dialogs?

I don't see how Obsidian should come off as completely blameless here. They've always tacitly encouraged this wild west plugin ecosystem, because it's an obvious generator of value. They don't get to absolve themselves of any responsibility by pointing at safety warnings, when those "safety warnings" spend (far!) more time explaining why the user might want to click "yes" than "no".

To be clear, I like and use (and pay for!) Obsidian. But the design of Obsidian plugins was clearly broken from the beginning, and the official messaging around them has always been more encouraging than wary. This sort of event is an absolutely inevitable consequence of those decisions.

by troad

5/11/2026 at 4:23:25 PM

You're looking at a different screen than the ones required to replicate this attack. To replicate this attack you have to agree three separate times to increasingly scary messages.

Yes it would be good to make it less easy to shoot yourself in the foot. However, I believe users should be in control. People should be able to do powerful things if they choose to. But that will always come with the risk of misuse or social engineering.

by kepano

5/11/2026 at 6:02:10 AM

Get real, kepano. You’re overestimating the consciousness of most casual users. Having godmode, RCE-capable plug-ins behind few safety warnings that most people will happily ignore to get shit done is not good engineering. I understand the constraints. In your shoes I would at minimum make a different version of the app in which you could allow these plug-ins and not put them under trivial banners within the canonical version of the app. You say you have banners, but these sit in the natural flow of the user journey, the options are clearly available and these banners are merely to exempt you from any liability, not to protect the users.

by pilgrim0

5/11/2026 at 6:26:11 AM

Chrome gutted extension capabilities for safety and now it is so useless, politically unwanted extensions have "lite" versions and every big project and their dog ship their own chromium browser.

I use Obsidian because it does not treat me like a child. They can add more nags and banners for normies, but the capabilities should remain.

by fwn

5/11/2026 at 2:48:23 PM

I have to agree. You can keep pulling that logic back another step (and that seems to have been happening for many steps now) to the point that you no longer have the ability to use the computer.

This can't be dismissed as "slippery slope" logic either. Should elderly people with a bank account be allowed to use a computer? They might read something online and give their savings to a scammer. Frankly, that's a far more convincing argument than the one given here. There's only one solution if your objective function is exclusively to minimize the possibility of a security incident.

by bachmeier

5/11/2026 at 9:16:06 AM

[flagged]

by UqWBcuFx6NV4r

5/11/2026 at 11:08:19 AM

Whoa there, am I missing something, why so aggressive and immediately with the ad homs?

I think by that logic dangerously-skip-permissions and openclaw should've never been a thing. I agree that people use them too liberally, but I think at some point you have to find a balance between systemic safety risks and individual freedom.

by Bigpet

5/11/2026 at 9:46:05 AM

> Tags and banners do not work. Completely understandable that someone as dismissive and seemingly isolated as you wouldn’t understand that.

One can reduce every tool to a toy and justify it with some hand-wavy security slop, but removing capabilities destroys use cases.

The ability to control your tools is good. You should be able to run anything on your devices. Therefore, those who propose the toyification of tools should carry the burden of justifying the change.

The same infantilization of users currently happens with Signal, where high-level decision makers are asked by strangers to share their deepest secrets. Since these strangers introduce themselves very nicely, users start blurting out their secrets. ... now everyone is pretending this is a Signal problem. It is not. The world is not a kindergarten and people have agency.

A good compromise is to set a safe mode as the default and include an option that lets users confirm they know what they are doing. Obsidian already does this. Given that, I do not understand why anyone would demand to make the entire tool worse.

I wonder: What level of user effort would make you comfortable with users exiting safe modes? Would you want users to be able to run software with full permissions at all?

by fwn

5/11/2026 at 5:17:10 AM

Since we have your attention here, let me go on an unrelated note and ask whether you could look into Noteplan's workflow and see if you can add some of the required functionalities to enable replication of its workflow (https://help.noteplan.co/article/160-weekly-planning)?

Plugins like Tasks do offer a Query functionality that allows me to list e.g. weekly tasks on my daily template, replicating most of Noteplan's workflow, except Noteplan relies on being able to easily link those tasks into daily template by drag and dropping them, which internally assigns a unique but hidden by default ID in ^129abz notation (https://help.noteplan.co/article/138-synced-blocks). The latter is already supported by Obsidian, it's just not as "clean" and, AFAIK, impossible to get done when drag and dropping.

by cromka

5/11/2026 at 1:18:25 AM

I really like Obsidian. I use it every day and I don't use any community plugins because the permissions aren't up to snuff. I hope for a day where a plugin defines what it will need and that gets presented to me as a user.

I have to imagine the Obsidian team is going to respond seriously to this and I look forward to seeing what they do. They have my full confidence. I'm surprised the system was initially designed as it is without those better permissions and sandboxing, though.

by jjice

5/11/2026 at 8:31:04 AM

I started using it too when I got sick of using VS Code to look at md. Glad I never had the need to install any plug-ins! Very poor form on their part from what I can tell.

by BrissyCoder

5/11/2026 at 11:40:40 AM

Just wait until you want to create a simple table with ADD/SUM.

by lossyalgo

5/10/2026 at 10:28:04 PM

> The victim is prompted to enable the "Installed community plugins" synchronization feature.

Obsidian has the proper protections in place to prevent this type of attack, and the victims are being convinced to ignore them. This is just a successful social engineering event. I hate to see Obsidian dragged down by this headline, since this attack is not exploiting a vulnerability in it or its plugin system.

by slowmover

5/10/2026 at 11:09:29 PM

Ehm. No? https://obsidian.md/help/plugin-security#Plugin+capabilities

>Due to technical limitations, Obsidian cannot reliably restrict plugins to specific permissions or access levels. This means that plugins will inherit Obsidian's access levels. As a result, consider the following examples of what community plugins can do:

    Community plugins can access files on your computer.
    Community plugins can connect to internet.
    Community plugins can install additional programs.
Obsidian has no protection at all. Installing a plugin gives it full access to your computer.

This was only a matter of time, and honestly I think it's inexcusably negligent that they shipped a plugin system like this at all since about 2010 (or arguably much earlier).

by Groxx

5/10/2026 at 11:21:17 PM

It does give full access but Obsidian does tell you that. Community plugins are not enabled by default, you have to enable them manually. Same happens with a shared vault: once you get it you still have to manually enable plugins. So far no one managed to sneak in a plugin completely unnoticed.

by pointlessone

5/10/2026 at 11:35:50 PM

That's horse hockey. Obsidian is not a usable system without community plugins.

Folks will reply "but I use it every day without plugins".

That position disregards software usability as a formal discipline, along with decades of UX research and standards.

by kid64

5/11/2026 at 3:16:17 AM

If you want to use a niche, academic definition of "usable", that's fine but you better be ready to explain yourself.

Because in general, "usable" means "people use it". Which they do for Obsidian without community plugins without issues.

by wasabi991011

5/11/2026 at 3:29:28 AM

To make an actual counter, you need numbers. If only a tiny niche of users use it without community plugins, then yes, it's unusable (in a practical definition of the term)

by eviks

5/11/2026 at 9:45:16 PM

If that's so, then without numbers, it's neither usable nor unusable.

by joemi

5/12/2026 at 6:32:59 AM

Indeed, if you don't know anything about use, you can't say much about usability.

by eviks

5/10/2026 at 11:39:10 PM

The attack here requires not just enabling community plugins, but also syncing the attacker's vault to your computer, and also separately enabling the synchronization of the attacker's plugins with yours.

by ImPostingOnHN

5/11/2026 at 12:47:05 AM

Yes, in this specific case.

Obsidian Plugins are still incredibly vulnerable. A compromised plugin will essentially take over your machine. There's no sandboxing of any kind. It's even more insecure than browser extensions (that could steal your auth tokens, but at least don't have unfettered access to your filesystem).

This is really unfortunate. I love Obsidian and am a paid subscriber for many years, but the community plugins needs a security overhaul asap, before someone gets hurt.

by guiambros

5/11/2026 at 1:39:46 AM

The same is true for all software on your machine.

by Ferret7446

5/11/2026 at 2:35:55 AM

Not even slightly. Browser extensions are a trivial counter-example, as are all flatpacks, and anything restricted by user/group. That covers probably literally a majority of all software on your computer, because people have been voluntarily restricting their software to protect you from their potential accidents for decades.

by Groxx

5/11/2026 at 9:05:03 AM

In practise, Flatpak packages have many more permissions than you might expect, and the sandbox feature gives a false sense of security. For example, the Obsidian Flatpak package [0] is given all of the following abilities without explicit permission from the user (the user has to know where to look to find out about them):

- Home folder read/write access

- System folder media

- System folder mnt

- Microphone access and audio playback

- And more...

The Obsidian snap [1] is installed with the --classic flag, which also grants access to the whole home directory, but at least you have to consciously specify the --classic flag to grant this permission.

[0] - https://flathub.org/en/apps/md.obsidian.Obsidian

[1] - https://snapcraft.io/obsidian

by Flimm

5/13/2026 at 2:46:17 AM

fwiw blocking access to anything except my notes folder (and denying internet, among other things) is my very first step when installing Obsidian. Flatseal makes that quite simple.

Flatpak could of course be significantly better... but it's still a massive step in a better direction.

by Groxx

5/11/2026 at 3:21:01 AM

> That covers probably literally a majority of all software on your computer

If you're running GNU/Linux, chances are you'll have hundreds, if not thousands, of pieces of software that run totally unsandboxed.

Yes, a very small minority of applications are unfortunately primarily distributed via flatpak or snap, and the distributors don't care about the user experience, so it's error-ridden and problem-ridden, but chances are you can get a "normal computer program" version of it unencumbered by such grossness.

by ImPostingOnHN

5/11/2026 at 3:32:23 AM

And tons won't be part of e.g. root, or dialout (to pick one I've had to deal with a lot lately), or many other more-privileged-than-default groups, yes. That's a permissions system working as intended.

Besides. They said "all software on your machine". That is trivially false, to a significant degree.

by Groxx

5/11/2026 at 4:12:57 PM

I was pointing out that the claim that "literally a majority of all software on your computer" runs sandboxed is also trivially false, to a significant degree

by ImPostingOnHN

5/11/2026 at 7:33:03 PM

A majority have more access controls than obsidian plugins, yes. I think that's fairly safe to say, given that new system installs often have hundreds of processes already running.

Sandboxing, at least in the sense of easily configurable access with default deny on most even somewhat sensitive things: agreed, sandboxing is fairly uncommon in general, definitely not a majority on most systems. When ignoring the elephant in the room: mobile OSes.

by Groxx

5/11/2026 at 7:58:32 PM

> A majority have more access controls than obsidian plugins, yes

A majority run as me, a minority run with root privileges.

> I think that's fairly safe to say, given that new system installs often have hundreds of processes already running.

Precisely! Those hundreds of pre installed processes are running without sandboxing, or any access control beyond what Obsidian has.

For example, did you know you can just `ls` a directory, or `cat` a file, and both of those applications will run with full, unsandboxed, unrestricted access as you? And there are countless preinstalled applications just like those.

by ImPostingOnHN

5/11/2026 at 11:40:10 AM

> flatpacks

flatpacks have access to all my files, they would be useless without. And they are the only sensitive files in my computers

by poulpy123

5/11/2026 at 1:00:30 PM

So in other words, yes the apps have full filesystem access unless you specifically sandbox them with the OS.

by Capricorn2481

5/10/2026 at 11:50:20 PM

As one of those people that uses Obsidian without plugins, what plugins do you consider essential?

by Loocid

5/11/2026 at 1:43:48 AM

I rely on Advanced URI, which opens certain functionality up to external apps. I use Raycast and with Cmd+Space, it lets me open vaults or daily notes. And Obsidian_to_Anki, but that's probably just me because I have no clue how to use Anki otherwise.

by fnordlord

5/11/2026 at 1:30:29 PM

Yeah, I don't use any community plugins. I take notes in obsidian. And it turns out, having multiple years worth of notes and todos in a tree of crosslinked markdown files is pretty handy in this AI era. I take notes in obsidian and run the Gemini cli from my vault. Works a treat.

by pfooti

5/11/2026 at 11:41:45 AM

An ADD/SUM feature on tables was the first plugin I installed. It could be argued this should be part of the TABLE but I guess the dev team has a lot on their plate not to mention I'm not even sure if there's a feature request for this ability.

by lossyalgo

5/11/2026 at 1:51:32 AM

Me too.

All I want is a top-notch Markdown editor with a mobile app and trustworthy sync, and that's what Obsidian gives me. And if ever Obsidian goes away or is enshittified, I'll still have a perfectly good folder of Markdown documents that I can take elsewhere.

by troad

5/12/2026 at 1:13:16 AM

For me these are the self hosted livesync, copilot and readitlater for better web clippings.

I really don't want my notes on other people's servers so the official sync will never be an option unless they enable that to be self hosted as an option.

by wolvoleo

5/11/2026 at 1:12:21 AM

Same here, zero plugins for me.

by cpach

5/11/2026 at 1:14:21 AM

But I use it every day without plugins.

Seriously though, I agree with your sentiment that community plugin security can and needs to be improved, but how does someone saying they use it every day "disregard software usability as a formal discipline, along with decades of UX research and standards"

by jjice

5/11/2026 at 11:01:16 AM

> Obsidian is not a usable system without community plugins.

It's horse hockey. Plenty users use the vanilla Obsidian.

> Folks will reply "but I use it every day without plugins".

Because they do. You're saying that they should lie about their usage to fit your narrative?

by raincole

5/11/2026 at 12:46:03 PM

> Plenty users use the vanilla Obsidian.

They are irrelevant for this dispute, because these problems do not concern them. And the amount of people using plugins because of some real demand is not low.

by PurpleRamen

5/11/2026 at 1:16:59 PM

What dispute?

The parent comment says that Obsidian is not usable without plugins and it's simply nonsense. It would be very charitable to call this a "dispute."

Could Obsidian handle plugin permission better? I guess so. But that doesn't mean the users have to use plugins. It's ultimately the user's choice. Blender has zero security guards over the addons besides the OS's and the ecosystem thrives. So does Minecraft. These communities are essentially "arbitrary Python/Java code goes brrrr."

by raincole

5/11/2026 at 1:26:03 PM

> What dispute?

The discussion about the plugin-system, and the people who need it to which degree.

> The parent comment says that Obsidian is not usable without plugins and it's simply nonsense.

Sure, fair. But the comment happened in the context of talking about the plugin-system, and parent comment seems on the side that for them obsidian is worthless without plugins. Saying that other people have no need for them is pointless, because they are not in the picture. Phrasing could indeed be better, but talking about people who are not concerned by the problem is not really adding anything to the discussion.

by PurpleRamen

5/11/2026 at 6:35:58 PM

I think if the wording had been something like "I, one person out of billions, personally find Obsidian to be unusable without plugins", there probably would have been no disagreement and this discussion would be moot.

The disagreement was because the actual claim made was far broader, and in that far broader context, opposite to reality. We can assume good faith and an honest mistake in wording, but we can also forgive respondents for reasonably taking the words at face value.

by ImPostingOnHN

5/10/2026 at 11:53:33 PM

I think that's especially important to point out because it reminded me of a blog post by Obsidian that also was discussed here[1], where they talked about reducing supply chain risk by not relying on dependencies, but people quickly pointed out that this is only possible because users depend so heavily on extensions. Just look at that top comment and here we are now.

This combination of software relying on third parties without security seems to be untenable. Personally I've gotten rid of just about as many extensions as I can anywhere and switched to batteries included software.

[1]https://news.ycombinator.com/item?id=45307242

by Barrin92

5/11/2026 at 4:00:45 PM

Using it daily without plugins is, by definition, a "usable system".

by jpk2f2

5/10/2026 at 11:47:55 PM

Yeah, but these attacks are possible without any of that complexity.

by kid64

5/11/2026 at 12:52:25 AM

The real problem is people believing "plugins" are not full software.

If you install a dozen mini-apps from random developers you never heard about, you can't complain if one is malware.

Krita also has a plugin system based on Python. Any "plugin" has the same level of access as running a python script.

Personally I blame operating systems for not providing a way to isolate how programs interact with user files.

by AlienRobot

5/11/2026 at 3:40:11 AM

Krita: that is a decision by Krita(/GIMP) and not anything inherent in "plugins" or "python" - it could be a bubblewrap/firejail contained process, for example (other OSes have similar-ish options but there's always something, e.g. don't use cpython). They have chosen to continue to put their users at risk by not doing anything at all like that.

There are of course complications, costs, and downsides associated with doing that. It might not be worth it currently, or performance costs might be too high, or the community might be overwhelmingly using abandoned plugins that won't be updated, etc. It's still a decision to remain complacent until forced by attacks though, it's well beyond common knowledge that these things happen so you can't really call it ignorance.

by Groxx

5/11/2026 at 1:13:05 AM

Software engineers at large would benefit from playing World of Warcraft, and seeing the ongoing fight between Blizzard and add-on authors.

WoW's whole UI is built in the same Lua environment as add-ons, and Blizzard has implemented some interesting restrictions (like the taint system[0]) to prevent add-ons from completely automating gameplay.

0. https://wowpedia.fandom.com/wiki/Secure_Execution_and_Tainti...

by pdpi

5/11/2026 at 1:23:25 AM

World of Warcraft is one of the most popular MMO's ever made.

You simply can't expect every software that wants a plugin system to have the same security practices as the most used software in the world.

In fact, there are many reasons why you might want a plugin to have full filesystem and internet access, such as batch processing or simply adding things directly from webpages. Sandboxing this will just make plugins less useful.

In the end it's a problem of trust. You're installing software from untrustworthy developers because you trust the name of the application those plugins are associated with.

You could fix the problem in Obsidian, but the same problem will happen in other software. Some of which simply can't justify bothering with sandboxing plugins. This is just the way plugins are.

by AlienRobot

5/11/2026 at 2:20:11 AM

> You simply can't expect every software that wants a plugin system to have the same security practices as the most used software in the world.

I'm not saying that I think they should, or that I expect them to. I'm saying that it's one particular implementation of sandboxing that has a bunch of interesting properties, and that makes it worth studying.

by pdpi

5/11/2026 at 3:01:27 AM

Thanks! I've been meaning to read up on taint systems, looks interesting :)

I'm somewhat convinced that taint-influenced capabilities is a good future model to pursue. Computers are fast, I'm fairly confident that it chould be done at whole-computer scale and still be reasonable... though probably not with a million electron apps. Which is likely a good thing in aggregate (I say as a fan of web tech and the very compelling features such things offer. Great for minor or PoC, not for major pieces of software).

by Groxx

5/10/2026 at 11:31:46 PM

"Hey users: don't do insecure things. Here's a button to do cool insecure things!" is not a plugin security model.

by Groxx

5/11/2026 at 1:41:43 AM

Meanwhile that is exactly what a lot of people here want for Android with side loaded apps

by Ferret7446

5/11/2026 at 2:06:40 AM

I'm not sure I agree or understand where you're coming from. Side-loaded Android apps are still bound by all the same permission restrictions as any app installed by the Play Store. The only difference is Google didn't review it (for what little good that does) and that I didn't get the app from Google.

If I side-load a camera app, it still has to ask for camera privileges the same way any Play store app does.

Is there something in your message I missed about how it relates to this article or is this just being uninformed about side-loading?

by eightys3v3n

5/11/2026 at 2:38:24 AM

Sideloading bypasses nothing at all except Google's thumbs-up, Android's permission system doesn't work that way.

by Groxx

5/10/2026 at 11:46:59 PM

A program one runs on one's computer can and should be able to do computer things. The alternative road you're advocating for ends in hardware attestation https://news.ycombinator.com/item?id=48086190

by moron4hire

5/11/2026 at 6:16:07 AM

There are in-between models, such as:

* Android's permissions model where the user must approve specific potentially undesirable classes of actions (separate from the 24H delay, etc controversy)

* Optional sandboxing

by no-name-here

5/11/2026 at 5:54:18 AM

I remember reading that page sometime pre-COVID, and being surprised at just how ridiculous it was. It started strong with “The Obsidian team takes security seriously”, but then almost everything else on the page led me to believe they didn’t actually take security very seriously.

I agree with the claim of negligence. I think they were more than happy to reap the benefits of a thriving community plugin ecosystem, and were hoping this page would provide enough CYA when security breaches inevitably occurred.

> TIP: If you're working with sensitive data and wish to install a community plugin, we recommend that you perform an independent security audit on the plugin before using it.

I wonder just how many plugins received a security audit.

by e28eta

5/11/2026 at 7:18:35 AM

I use only one plugin because I am aware of the security model (or lack thereof). I only use one because I read the source and am convinced it’s safe. It would be foolish to blindly install many plugins.

by nkrisc

5/11/2026 at 5:51:13 PM

Agreed, but also they prominently feature that they support plugins. Currently it's the second paragraph on the home page: https://obsidian.md/

They're trying to get all the benefits while pushing the extremely-obvious-to-them downsides into subpages. Not hidden, but not shown along-side the feature. It's intentionally misleading for non-technical users.

by Groxx

5/11/2026 at 12:01:34 AM

Obsidian seems like a perfect candidate for a WASM/WASI based plugin system that would properly sandbox plugin code.

by Paul-E

5/11/2026 at 12:55:20 AM

For at least the vast majority, yes definitely. I'm fine with full bypasses existing (say a webgl thing, or web previews, custom VCS integration, there are tons of legitimate reasons to escape a sandbox), but they should be an abnormality with heavy warnings and proportionate community attention to watch for issues, not the only option.

I don't think they meant it this way, but I honestly consider unsafe official plugin systems to be negligent to the point of being actively malicious. By releasing one, if you ever become successful you have explicitly chosen to screw over an unknown number of your users to save yourself a relatively small amount of work in the short term. It might be single digit users, or it might be septuple digit users - is it really worth it?

(Unsafe unofficial plugins, like most games? Mildly unfortunate but I think that's fine. Though a healthy modding community around your stuff should be a VERY STRONG sign that you should introduce a safe version to protect your users, if it won't cause you to implode (it definitely can)).

by Groxx

5/11/2026 at 12:52:49 PM

Has WASM/WASI DOM-access? When I last read about the architecture, there was a strict separation between WASM, Javascript and the app, but also a movement to allow UI-customization from WASM-space. Many Obsidian-plugins are adding heavy UI-changes, so without that, it would be kinda pointless.

by PurpleRamen

5/13/2026 at 2:52:34 AM

Not generally / as many would hope, but that's partly because both WASM and WASI are not targeting being a full javascript-in-browser replacement - they're lower level, larger APIs are built on top, not defined by them. It's fairly easy to build an unsafe and unstable DOM access layer (a little bit of eval or string key accessers), but the web changes rapidly and isn't a stable target - exposing that in a stricter environment is tricky, and no one approach is likely to solve all needs.

by Groxx

5/11/2026 at 4:37:09 AM

Seems like the same risks of downloading plugins/packages for various text editors.

by hirvi74

5/11/2026 at 11:37:48 AM

> Community plugins can access files on your computer. Community plugins can connect to internet. Community plugins can install additional programs.

That's what make obsidian plugins useful. It it's just for having themes , there is no need for them

by poulpy123

5/10/2026 at 10:32:32 PM

Right, I'm a heavy Obsidian user myself, and love it.

I think the value of this disclosure is more in spreading awareness about plugins, and demonstrating the vector. Where less sophisticated users may think, "Oh, this is just a collection of markdown files. I don't need to be too worried about malicious code."

by cmbailey

5/11/2026 at 1:41:32 PM

This is a misleading headline. It makes it seem like another supply chain attack where some good plug-in was taken over and used to deliver malware. Thats not the case here. Victims are invited to collaborate on a synced vault which comes preloaded with a non official plug-in that delivers the rat. Very very different story

by nstart

5/11/2026 at 2:06:07 PM

What’s misleading?

"Novel Campaign Abuses Obsidian Note-Taking App to Target Finance and Crypto Professionals with PHANTOMPULSE RAT”

It’s novel (new), an abuse of Obsidian, specifically targeting a group of people.. and the RAT is embedded in the vault.

by deafpolygon

5/11/2026 at 2:20:39 PM

The headline on HN is different: "Obsidian plugin was abused to deploy a remote access trojan". It's not a plugin that was abused, but the ability for shared vaults to contain plugins.

by kepano

5/12/2026 at 3:37:35 PM

Isn’t that nearly the same thing? It depends on the presence of a particular plugin which was abused to run remote commands.

by deafpolygon

5/12/2026 at 4:09:30 PM

No. The attack does not depend on the presence of a specific plugin. The ones listed in the article are just the ones that were used in the POC. Any plugin could be modified by the attacker if the user trusts the attacker and accepts 1. the vault, 2. the shared plugins, 3. disables restricted mode.

by kepano

5/11/2026 at 5:12:53 PM

I don't know when Obsidian gathered the hate I'm seeing here, but 'bad plugins' is a failure mode of most everything that has plugins.

Personally it feels similar to being mad at Windows if you were to install an exe someone emailed you and it turned out to be a virus.

You can install bad chrome plugins, bad wow addons, basically anything that's purpose is to run user code can be used to run bad code.

Personally I'm glad the _note taking app_ prioritized allowing for custom plugins over pushing back features so they could spend an extra year locking down user plugins. They can put some additional effort in but running unknown code will always be a risk.

by ApolloFortyNine

5/12/2026 at 2:00:42 PM

There is no architectural limitation that makes it impossible for a plugin to not have full filesystem access.

The fact that creating a good plugin system is difficult does not give them a free pass to not implement a good one, it is a for profit company that has a considerable revenue.

by brazukadev

5/11/2026 at 3:26:20 AM

What are the reasons behind the fact that almost all of these plugin systems are so poorly engineered? Is it too much work (ie, there are no good plugin development frameworks that already enable proper isolation/permission capabilities) or "simply" a widespread lack of knowledge of what is needed, so devs learn only after their own system has been abused? Both? Something else?

by eviks

5/11/2026 at 12:58:41 PM

At the core, there is the tradeoff between ability and security. You can give the users power and enable them doing fancy shit, or you can make it secure, stripping any meaningful ability. Usually, people prefer ability over security.

The other problem is that security is hard, and just giving generic access and adding some basic guards is simple.

by PurpleRamen

5/11/2026 at 2:28:04 PM

The first trade-off is not precisely stated, you can do "both" with user choice. In this case it would be: no plugin has "all filesystem access" unless user explicitly approves it, and that approval steers the user to a very narrow "plugin folder only" path by the way UI is done. Think this is "secure by default"? You don't undermine any ability here because most plugins don't need any filesystem access, so you get extra security "for free" for most of the users and with only some friction (but still not removing the ability altogether) for the rest.

by eviks

5/11/2026 at 3:36:45 AM

You’ll need to define the security framework and building blocks that all plugins may need, which takes time to design, implement, verify and maintain.

Much easier to just skip that part.

So yes, it’s too much work (in the sense that you need to have a security-focused leadership that understands that this is a lot of work but the right thing to do).

by stingraycharles

5/11/2026 at 5:40:32 AM

Web stack plus lack of resources to architect the proper interfaces is my guess. These are software written in high level js frameworks, thus using poor dataflow patterns by default, mostly just following what is actually possible instead of employing intentional design, which would require going down some levels of abstraction and maintaining a custom fork of said frameworks. So they probably just architect plug-ins like you would instantiate a library passing a subset of the context the app uses. Basically the simplest workable thing possible. Although the disclosed hack does not mention any particular “vulnerability”. Plug-ins in obsidian are always in god mode, and the alleged hackers just tricked people in using them. Funny how an RCE waiting to happen behind a few popups is ultimately blamed on users. Shame on the developers.

by pilgrim0

5/11/2026 at 7:12:25 AM

Why does a plugin system immediately imply sandboxing?

by pdntspa

5/11/2026 at 3:08:57 PM

Because a box is an intuitive way to limit the blast radius of arbitrary code? But the wasn't a requirement, I'd be fine with sandbox-free secure plugin systems

by eviks

5/11/2026 at 3:14:33 PM

There are tons and tons of successful plugin systems out there that do not have such ridiculous requirements. I have thousands of VSTs installed and have never been RAT'ed. What happened to practicing internet hygiene?

At some point we need to acknowledge the problem is cultural, and address accordingly. I realize that the business objective for many is to make computing as brainless as possible but we need to be pushing back on that.

Instead we have forums full of really smart people demanding a nanny state. Yuck -- what a sad and pathetic state of affairs.

by pdntspa

5/12/2026 at 6:29:11 AM

> What happened to practicing internet hygiene?

Nothing happened, it never worked, and the more people got exposed to the internet, the more obvious it was, your personal RAT history notwithstanding. Post your own hygiene list in some security-related public forum and get some comments on how easy it is to circumvent it and/or how impossible it would be to comply with

> tons of successful plugin systems

The requirement here is secure, not generically successful. Tons of bad insecure systems get popular

> problem is cultural, and address accordingly

That's exactly what all those sandbox and permissions do - address the cultural problem of the impossibility of following a set of very stringent rules without a fault at an individual level when there are more than a few individuals

by eviks

5/11/2026 at 7:01:02 AM

even chrome browser plugins have security issues similar to this case. there are billions of dollars and many smart developers working on it. It's similar to building an app store inside your app. For the Apple app store, they reduce malicious apps by being very strict who/what people can publish and it's behind a paywall.

by cechmaster

5/10/2026 at 11:14:19 PM

Even being social engineering, the design of the plugin system allowing this means the platform is completely unusable as a sharing tool. It's good to know but to me this is not "I need to remember to have these settings correct to use a shared Obsidian vault", this for is instead "never accept a shared Obsidian vault, demand a plaintext export".

by zhivota

5/11/2026 at 3:59:42 AM

I hope I'm speaking as a minority but when I first started using Obsidian the Youtube videos I watched encourage the usage of community plugins, even with these warnings I would enable the community plugins. You may very well have good actors that eventually turn bad for these plugins and users won't know.

Maybe I just also have a higher personal risk appetite, but even as a dev and knowing these risks I would have enabled the community plugin option. Again, hope I'm just the minority here and not most user behaviour.

by brusselsprout

5/11/2026 at 9:46:23 PM

One issue seems to be also that there are means dead plugins, not updated for years but still available. Does that mean they are especially stable or just no longer maintained? I don't know but ili applied the same rule I would for FDroid or the play store - not to install anything that isn't actively maintained.

Also I can't tell how to prevent plugin updates. As long as you rely on a known safe version I guess there is never any real risk.

by goobatrooba

5/11/2026 at 3:50:34 AM

Reading the content the problem does not start with a plugin in Obisidian store but rather with a malicious vault they lure you to open.

by dbacar

5/11/2026 at 1:33:30 AM

My worse fear has materialized. This is why I've never used an external Obsidian plugin and only my own plugins. It was only a matter of time before some malicious code ended up in one.

by badcryptobitch

5/11/2026 at 4:05:30 AM

Brother, we are vindicated! There are indeed many cool bits and blobs out there, but I am already trusting one entity to secure my private notes, no way I am taking a pinky-promise from extension XYZ to behave.

(I actually use LogSeq, but same idea applies).

by 3eb7988a1663

5/11/2026 at 1:14:57 AM

Obsidian does not have auto update for community plugins. The steps for updating them right now is checking for updates and then updating all or individually.

A bad update to one of the popular plugins could compromise lot of systems.

by vetchzero

5/11/2026 at 6:50:32 AM

I run Obsidian with restricted capabilities: no network access, and no filesystem access outside its own directory. I only enable network access when updating plugins/themes.

Same way I run any other application that could potentially execute untrusted code.

by elric

5/11/2026 at 7:29:55 AM

Could you share how you're sandboxing it?

by yjftsjthsd-h

5/11/2026 at 9:32:01 AM

Why the hell doesn't the article say WHICH plugins were affected so users can know if they were likely affected?

by amipwndidunno

5/11/2026 at 12:16:48 PM

The specific plugins don't matter for this attack. The attack relies on the user accepting a shared vault and trusting the shared plugins. A shared vault can contain plugins that don't come from the official directory.

by kepano

5/11/2026 at 10:27:21 AM

It does.

> It enables malicious versions of legitimate Obsidian plugins ('Shell Commands' and 'Hider') that are present in the shared vault.

by deafpolygon

5/11/2026 at 11:44:54 AM

Thanks! I also scanned the detailed article looking for which plugins were affected and wasn't able to find it. Came to the comments looking for a quicker answer.

by lossyalgo

5/11/2026 at 6:44:10 PM

Because no plugin is affected. This isn't a supply chain attack. The headline is deliberately obtuse. Here's the breakdown:

1. Plugins are stored inside your vault.

2. If you open a vault from an untrusted source, it could contain custom/malicious plugins that will run things on your computer.

3. Then end.

by tredre3

5/11/2026 at 12:10:52 PM

This is becoming a bit of an epidemic. Not every attack or exploit (and especially not a social engineering one) needs a name out of Metal Gear or a website.

by stickynotememo

5/11/2026 at 5:25:32 PM

When Heartbleed happened and they gave it a cool name and a fancy dedicated website, it was neat and probably necessary for that bug but I immediately had a sinking feeling that from then on every 2-bit security consultant trying to get free publicity would follow that playbook for nothingburger vulnerabilities, which is exactly what happened.

by Analemma_

5/11/2026 at 2:53:12 AM

One thing that bugged me when I made a community plugin was that you have to attach non-git-controlled files to the release (e.g. main.js).

To check if any community plugin is safe, it seems like you'd have to not only review the code on github, but also analyze the github release files to be sure nothing malicious packed in there.

Maybe I'm misunderstanding something about the process, I'd appreciate if anyone could confirm or explain otherwise.

by dsp_person

5/11/2026 at 2:58:11 AM

The recommended way to do this is via artifact attestation:

https://docs.github.com/en/actions/how-tos/secure-your-work/...

by kepano

5/11/2026 at 3:18:12 AM

Thanks that's interesting. The docs are aimed at developers, but I'm curious about the use case for the end user.

So would a user have to do some kind of `gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY ...`? (assuming the plugin dev provides an sbom?)

by dsp_person

5/11/2026 at 3:50:42 AM

In the near term artifact attestation will be visible to users in the directory, and part of the overall scorecard of a plugin.

by kepano

5/11/2026 at 12:46:40 AM

Am I the only one who thinks Obsidian is perfect without plugins? Half the reason I switched to it from Anytype was that it was rather spartan in its offerings. If they announced tomorrow they would ban plugins, I would not care.

by hresvelgr

5/11/2026 at 9:33:48 AM

I wouldn't say "perfect", but to me it's clear that adding plugins could only make it worse, even without considering the security issues.

What I want from Obsidian is something that "just works". Adding third-party plugin would break this immediately since the plugins can either be straight up buggy, create conflicts with each other or simply become incompatible with new Obsidian releases.

And what I've seen from the community, with people having dozens of plugins installed, is giving me nightmares.

I can see why some would feel the appeal of plugins, and adding two or three can be fine, as long as you do your due diligence. Otherwise it's straight shooting you in the foot.

by wiether

5/11/2026 at 12:55:52 AM

I'm also switching back to Obsidian after a few-year stint on Anytype, and the Notebook Navigator plugin is the only one I have installed. This is (I assume) a UI-only plugin, which shouldn't need access to external network or processes, so a quite good candidate for sandboxed plugins.

by CGamesPlay

5/11/2026 at 3:17:11 AM

That’s basically how I’m using it since I got wary about how the community plugins were being vetted. Core plugins and settings cover a lot. There’s one or two things I miss, but not enough to fork and review them myself so it’s clearly not essential.

by coffeefirst

5/11/2026 at 7:58:50 AM

This. I only use official Obsidian plugins. Security + not depending on OSS maintainer are the main reasons.

by wiseowise

5/11/2026 at 4:49:05 PM

I found plugins more useful early on in Obsidian's lifespan. Now, its current native feature list is good enough for me.

by stevenkast

5/12/2026 at 1:38:04 AM

i tried very hard to find a plugin that was deploying a Trojan but couldn’t find any. It looks to be a POC report. The title is so misleading and terrifying

by philipdavis

5/11/2026 at 10:50:07 AM

A long time ago I figured that "nasty Obsidian plugins" were not a matter of if, but when.

So I did the (imho) only sensible thing, and run Obsidian in a sandbox (bwrap). By doing so, I also made sure it runs in a separate networking namespace. For now, I disallow any internet access.

The amount of rage I see here is a bit strange, the whole attraction of Obsidian is that you can turn it into a Swiss army knife (that can hurt you too ofc).

@kepano: you would greatly help me if you could force plugin authors to list the urls they want to access inside the manifest, then let the user per url decide if they want to enable it. I still see some stupid plugin authors download their assets from a CDN or a vague website, from deeply buried in their code. Making url depencies explicit helps firewall automation at a first step. Maybe you could revoke direct network access from plugins, but i am not too knowledgeable about Electron.

by exceptione

5/11/2026 at 12:25:45 PM

> So I did the (imho) only sensible thing, and run Obsidian in a sandbox (bwrap). By doing so, I also made sure it runs in a separate networking namespace. For now, I disallow any internet access.

> The amount of rage I see here is a bit strange

Serious question: do you think it is actually obvious and technically accessable to everyday people to have the thought "I should run this in a sandbox" and do it?

Like no this is not some super elite haxxr tool, it's a text editor pretty explicitly advertised as being non-technical-person-friendly.

by jedimastert

5/13/2026 at 10:48:20 AM 

  > Serious question: do you think it is actually obvious and technically accessable to everyday people to have the thought "I should run this in a sandbox" and do it?
I meant the HN crowd ofc. I assume the non-technical obsidian user would not be present here.

You have a point though that non-technical people are screwed, but they have always been. Their whole lives and biometrics rest on Google and Apple servers anayways, while a good part of their identity is being traded by non-scrupulous commercial predators under the veil of advertising purposes. They are so beyond f*cked that I did not include their concerns wrt Obsidian plugins.

by exceptione

5/11/2026 at 3:41:49 PM

I haven't seen the term haxx0r since... ages! How are they called nowadays?

by soco

5/11/2026 at 4:51:55 PM

Whoever taught LLMs to design webpages to look like that? I find myself telling agents to specifically not design like that.

It's so a distracting and unfocused

by hereme888

5/11/2026 at 2:33:39 PM

Seems like a nice place to plug my Mac app that syncs your obsidian tasks to Reminders.app: https://turquoisehexagon.co.uk/remindersync (for me the only thing obsidian is missing on a fresh install).

It’s sandboxed; can’t make network connections and can only read the directory you select. I’m surprised Apple haven’t added OS level functionality to block network connections / folder access for non sandboxed apps, similar to running an un-notarised binary.

by rahilb

5/11/2026 at 9:20:27 AM

You say Trojan.

I say shiny horse statue.

by sshine

5/11/2026 at 11:29:16 AM

Love Obsidian but I've previously commented about the security model for plugins here: https://news.ycombinator.com/item?id=45308131. TLDR: your entire vault (and possibly filesystem) is exposed to every single plugin you install.

I really do think Obsidian needs 2 things to have any reasonable security:

1. It needs to be a lot more batteries-included. A user shouldn't need a plugin for basic functionality.

2. It needs a granular permission system, where each plugin should have to declare and prompt you to allow or reject specific permissions, just like on iOS and Android. The system should enforce that a plugin cannot bypass this.

by gejose

5/11/2026 at 12:13:37 PM

> A user shouldn't need a plugin for basic functionality.

What functionality are you thinking of? I just looked and I've never enabled community plugins.

My Obsidian complaint is the opposite. I think its bloated well beyond the initial premise of a markdown editor over a directory of files. I think it was just about perfect right before the introduction of the Canvas feature.

by criddell

5/11/2026 at 1:46:16 PM

> More batteries-included

Can I ask, what basic functionality is Obsidian missing in 2026? (I work on the app)

by kepano

5/11/2026 at 2:10:01 PM

Hey kepano, really love the work you're doing!

Here are some feature I wish existed in Obsidian without any plugins:

* Dataview [1] (this is now solved with Bases, so I really appreciate that)

* Folder Note [2] (I, and I assume many others come from Notion, and I wish this were a thing)

* Recent files [3]

* A built in calendar [4]

* Link embeds [5] (or something to store previews for pasted links)

* Waypoint [6], or something to create a table of contents

These are just things I wish existed, but whether or not these are 'basic' can be debated. Ultimately I do wish there were a robust permission system for plugins so that personal functionality gaps can be plugged, but without compromising safety.

References: [1] https://blacksmithgu.github.io/obsidian-dataview/ [2] https://github.com/xpgo/obsidian-folder-note-plugin [3] https://github.com/tgrosinger/recent-files-obsidian [4] https://github.com/liamcain/obsidian-calendar-plugin [5] https://github.com/Seraphli/obsidian-link-embed [6] https://github.com/IdreesInc/Waypoint

by gejose

5/12/2026 at 4:09:31 AM

I had a recent files plugin but bases let me remove it.

I have a "system" base that I put on the ribbon. it defaults to "recently created", but I have a bunch of different views for hunting down anomalies too.

by twentyfiveoh1

5/12/2026 at 11:32:46 AM

Better task management, todo lists, reminders, powerful macros/templates.

by wiseowise

5/11/2026 at 3:27:20 PM

There are many essential features missing that should be included in the core app for security, compatibility, longevity and for the benefit of new users who prefer to stay clear of plugins.

1) Basic functional search

Search should handle different order of words, misspellings (fuzziness), offer indexing and searching in a larger scope than just titles and aliases (e.g. headers or content), as well as allowing users to customize search priorities. Basically - just include Omnisearch as a core plugin.

2) Basic image preview

Displaying an image on full screen, with panning and zoom, when clicked upon.

3) Full "folder notes" support

Out-of-the-box support for a vault structure where each note has its own dedicated folder where all its attachments are placed. While the basic functionality is present, an external plugin is required to declutter the vault file hierarchy and actually make this approach feasible. Folder notes approach is in my opinion the only way to keep a large vault organized.

4) Basic formatting.

Text coloring. Text alignment and justification. Basic image positioning. Proper text flow wrapping around images. Table formatting (at least a setting minimum column width).

5) Markdown parsing within HTML tags

Basics Markdown features like [[linking]] don't work within a section of text enclosed by HTML tags. And using HTML/CSS is currently required to achieve basic formatting like centered or colored text.

6) Option to use the first h1 tag as the note title

I'm talking about actual support for this and integration with core functionality like search and linking. Useful (sometimes long) titles are an essential part of note-taking and knowledge databases. Meanwhile, filenames are simply semi-unique file system identifiers. Forcing users to use filenames as titles compromises the usefulness of titles and leads to issues with filename / filepath length. In HTML and Markdown, the h1 tag was always intended for the title.

7) Consistent formatting between reading view and editing view

Rendering of content, especially vertical spacing between elements differs between those views for no credible reason. The code syntax highlighter is also deficient in editing mode, despite it being the mode in which Obsidian users spend 99% of their time while writing, editing and reviewing notes.

It's not an exhaustive list, but these are the biggest pain points right now. And let me repeat - you shouldn't continue to rely on community plugins for these features. Even though community plugins are great, they are a security concern, their development could cease at any point, and new users don't know about them.

by anmr

5/11/2026 at 4:00:38 PM

This is why I NEVER install any obsidian plugins - EVER. Obsidian itself is good. Obsidian plugins = security nightmare.

by sneilan1

5/11/2026 at 4:03:26 PM

How to say you haven't read the article without saying you haven't read the article...

by HackerThemAll

5/11/2026 at 8:12:34 AM

Hopefully this improves workflow for installing plugins offline. It's not bad already but it's not as good as the connected experience.

by poemxo

5/11/2026 at 7:44:21 PM

A very relevant article: "On the security of plugins" (in notes app)

https://standardnotes.com/blog/on-the-security-of-plugins

by Itoldmyselfso

5/11/2026 at 9:44:29 PM

While not wrong I'm not sure the publisher is uninterested as they are a competitor.

E.g. this is how they criticise obsidian - suggesting that a default location backup is somehow worse than default cloud sync is just very strange to me.

Obsidian stores your data as a folder of plaintext files on your local computer. You are thus responsible for securing this folder and making it available on your other devices. This is particularly difficult on mobile platforms that lack access to a robust file system.

by goobatrooba

5/11/2026 at 6:44:23 AM

I use the plugin for Git, and the one for tasks. Hope those are safe!

by geoffbp

5/11/2026 at 6:52:06 AM

You are safe. The way this hack works is that someone online would contact you, share a obsidian valut with you, you open the vault, you download & install a plugin the hacker tells you to install to open the vault. It's all described in the article if you would like to read it.

by cechmaster

5/11/2026 at 7:49:24 AM

The obsidian vault is to already have the chosen plugin pre-selected and is part of the social engineering effort, that's not the main problem.

The issue is that this could happen to anyone who just searches the malicious plugin's name and installs it. Worse if it's a popular one that gets compromised.

by Daedren

5/11/2026 at 7:45:06 AM

Obsidian sounds like a nightmare security wise in general.

by coldtea

5/11/2026 at 9:04:10 AM

How is it any worse than say, VSCode in this regard?

by cybrox

5/11/2026 at 7:53:13 AM

Yet another reason to not install anything third-party made. Favor batteries, built-in functionality and reject “Unix philosophy” or whatever bullshit people use to ship incomplete software under guise of.

by wiseowise

5/11/2026 at 11:21:40 AM

I'd ideally want Obsidian to be a distro package, including any good plugins. No plugins from the "store".

by silon42

5/11/2026 at 2:50:53 PM

[flagged]

by theuniverseson

5/10/2026 at 11:15:35 PM

What is this vibe-coded site? Why does it reiterate the same point 20 time? What are the actual plugins that I need to be on alert for? Chop chop, get to it.

by ValveFan6666

5/11/2026 at 5:33:44 AM

I think it’s fundamentally wrong to base your plugin architecture on running user code in the same space as the application. The proper way is to evaluate plugin scripts in an interpreter running in the application, where you expose functionality through functions and state exposed to the script runtime. This means you can A) sandbox everything and B) check for things like permissions or even request permissions at runtime. It’s harder if you use a language like JavaScript for the application since you essentially have a runtime inside a runtime, but it’s possible to run something like Lua inside JS. Since I use an actually good language like Rust I have many good options for scripting, like Rhai. Lua is also a good option. Go also has multiple options including a couple good Lua libraries. These libraries tend to have performance comparable to Python which is more than enough for most plugins in most apps.

by nothinkjustai

5/10/2026 at 11:46:00 PM

This is just the first detected and reported instance, in all likelyhood such attacks have been happening for some time. When will the fanatic userbsse finally admit that using Obsidian in any enterprise setting is just plain malpractice?

It takes 5 minutes in their Discord channel to see the founders are D&D nerds, not competent engineers. It was never meant for serious work.

by kid64

5/10/2026 at 11:49:06 PM

> It takes 5 minutes in their Discord channel to see the founders are D&D nerds, not competent engineers.

I know absolutely nothing about Obsidian but I'd expect quite a few competent engineers to also be D&D nerds no!?

Are you saying the two are mutually exclusive?

by TacticalCoder

5/11/2026 at 12:21:35 AM

No I'm not. But I'd encourage you to visit and see for yourself why these outcomes are completely predictable.

by kid64

5/11/2026 at 8:00:29 AM

For uninitiated, why?

by wiseowise

5/10/2026 at 11:57:12 PM

> the founders are D&D nerds, not competent engineers

The two are not mutually exclusive. What would you trust more than a nerd? A jock? A spod? An MBA?

Any evidence of other examples if bad engineering you can point to, or are your thoughts on the pluggin system and throwing shade at random groups of people all you've got?

[FYI: I know little of obsidian other than planning to look into it at some point as people I know use and like it. I stepped into this set of comments in case there was something useful I should be passing on to those people]

by dspillett

5/11/2026 at 12:18:02 AM

The attack relies on social engineering to get the victim to disable protections and could just as easily have happened with a plugin for any code editor.

Anyway, What I like about obsidian is that it can handle a truly huge amount of notes without slowing down, and the notes are just markdown files on disk, so there's no lock in. I have used evernote, ms one note and zoho notebook before, and had issues with all of them.

by chillfox

5/11/2026 at 12:55:08 AM

That isn't a response to my post, it is a bit of information already present in the thread that isn't relevant to my question followed by a positive review. This suggests that a shill brigade has been attracted to these comments. I suggest you don't do that, it isn't a good look.

by dspillett

5/11/2026 at 1:19:26 AM

well there was this previous issue in the crypto community where it turned out someone was not a competent engineer and should have stuck to their online exchange for magic: the gathering

by flashman

5/12/2026 at 1:34:21 PM

A more mature response would be to mention the case you are talking about, perhaps linking to further details, rather than repeating the attack on a hobby that many share.

by dspillett

5/11/2026 at 12:23:13 AM

What software do you use that would be immune to a scenario where you disable all protections to take some action?

by amazingamazing

5/11/2026 at 2:12:44 AM

One whose protections can’t be disabled.

by gilrain

5/11/2026 at 8:02:01 AM

So locked up platform where vendor owns your ass and fucks it the way they want to, à la Chrome.

by wiseowise

5/11/2026 at 2:32:50 AM

So i assume you dont use an android device, github, etc? Everything is vulnerable to social engineering.

by amazingamazing