π¨ Security Advisory β DO NOT USE HolaClient V2 π¨
Hey @everyone,
We want to make the community aware of a critical security issue regarding HolaClient V2.
What's the Issue?
Their latest release contains extremely dangerous code which downloads and executes a binary directly from their server β without any kind of security verification (no checksum, no signature, no integrity check).
This means the developers of HolaClient have the ability to:
- Execute ANY code on your machine
- Steal sensitive data
- Deploy malware / viruses / crypto miners
- Gain full remote control of your system
Why is this Malicious?
Multiple members of the community have raised concerns and reported this behavior to the HolaClient developers.
The response from their team?
They refuse to remove this code or implement even basic security checks.
This clearly shows intent β there is no technical justification for downloading unverified binaries and executing them without user consent.
What Should You Do?
1. Immediately stop using HolaClient V2
Delete the client from your system!
2. Assume Your Machine is Compromised
- Rotate ALL sensitive credentials (API keys, SSH keys, DB passwords).
- Perform a full malware scan.
- Ideally: Reinstall your OS β once trust is broken at the binary level, full recovery is difficult.
Final Statement
Until the developers of HolaClient completely remove this backdoor-style functionality and commit to proper security practices β we strongly advise against using HolaClient in any capacity.
The current behavior cannot be seen as anything other than a potential malware delivery method.
Stay safe.
To be noted that hola client's team was alerted by me before they released the client and were told to add hash checks or other types of checks to protect user's safety but they didn't!
Copy of the malicious code in production can always be found here: https://github.com/HolaClient/v2-mini/blob/fe480d015165652a8e34644444d13c20dd6e4d0c/app/scripts/prequisites.js#L7
π¨ Security Advisory β DO NOT USE HolaClient V2 π¨
Hey @everyone,
We want to make the community aware of a critical security issue regarding HolaClient V2.
What's the Issue?
Their latest release contains extremely dangerous code which downloads and executes a binary directly from their server β without any kind of security verification (no checksum, no signature, no integrity check).
This means the developers of HolaClient have the ability to:
Why is this Malicious?
Multiple members of the community have raised concerns and reported this behavior to the HolaClient developers.
This clearly shows intent β there is no technical justification for downloading unverified binaries and executing them without user consent.
What Should You Do?
1. Immediately stop using HolaClient V2
Delete the client from your system!
2. Assume Your Machine is Compromised
Final Statement
Until the developers of HolaClient completely remove this backdoor-style functionality and commit to proper security practices β we strongly advise against using HolaClient in any capacity.
Stay safe.
To be noted that hola client's team was alerted by me before they released the client and were told to add hash checks or other types of checks to protect user's safety but they didn't!
Copy of the malicious code in production can always be found here: https://github.com/HolaClient/v2-mini/blob/fe480d015165652a8e34644444d13c20dd6e4d0c/app/scripts/prequisites.js#L7