
fix(security): correct typo in trusted extensions registry URL#113

Merged: lightningpixel merged 4 commits into lightningpixel:dev from wahdanz1:fix/registry-url-typo on Apr 27, 2026

Conversation

@wahdanz1

Contributor

Summary

The trusted-extensions registry URL in electron/main/ipc-handlers.ts points at an unregistered GitHub username due to a typo:

// Before
const REGISTRY_URL = 'https://raw.githubusercontent.com/liightnig125/modly-official-extension/main/registry.json'

// After
const REGISTRY_URL = 'https://raw.githubusercontent.com/lightningpixel/modly-official-extension/main/registry.json'

The intended account lightningpixel/modly-official-extension exists and serves the correct registry.json. The misspelled liightnig125 does not appear to be controlled by anyone today.

Why this matters (security impact)

Anyone can register the liightnig125 GitHub username and start serving a registry.json of their choice. That JSON populates trustedRepos in fetchTrustedRepos(), which feeds the trusted flag returned by parseExtensionManifest. The trusted flag is rendered as a badge in ExtensionCard.tsx.

So while it's not direct RCE, it's a phishing/social-engineering primitive: a squatter could mark arbitrary attacker-controlled extension repos as "trusted" in the UI right at the moment a user is deciding whether to paste a GitHub URL into the install box. The install step itself runs setup.py and npm install from the chosen repo, so misplaced trust there is high-cost.

Every existing v0.3.3 install is currently fetching from this typo'd URL, so the window is open until users update.

Test plan

  • App still builds (only the URL string changed)
  • Verified https://raw.githubusercontent.com/lightningpixel/modly-official-extension/main/registry.json returns the expected trusted_repos list:
    {
        "trusted_repos": [
            "https://github.com/lightningpixel/modly-hunyuan3d-mini-extension",
            "https://github.com/lightningpixel/modly-triposg-extension",
            "https://github.com/lightningpixel/modly-trellis2-extension"
        ]
    }
  • Maintainer to confirm the corrected URL is the intended one and consider cutting a patch release so existing installs stop fetching from the typo'd URL

Suggested follow-ups (out of scope for this PR)

  • Consider claiming/parking the liightnig125 username to prevent future squatting
  • Consider pinning registry.json to a commit SHA or signing it, so a future repo compromise can't silently flip the trusted set

@lightningpixel lightningpixel changed the base branch from main to dev April 27, 2026 13:10
@lightningpixel lightningpixel merged commit ccb4b3c into lightningpixel:dev Apr 27, 2026