Hi chromium-dev@
Note: This does not affect any Chrome release, nor the users of Google Chrome or any other derivative browsers.
We wanted to let you know that, between September 9th and November 18th, 2021, the Chromium source tree contained some test Office documents that included unshielded malware. These samples were inadvertently committed to the repository without obfuscation while testing the security feature that detects malware distributed through macros in Office documents. These test files were not included in any Chrome release.
Security researchers need sample malware files for automated testing of detection. The best practice in these cases is to obfuscate such files so that they cannot be accidentally opened or executed. In this case, we didn't do that, potentially exposing Windows developers to accidental infection if they were to open these files themselves (e.g. by browsing to the Chromium source checkout folder and double-clicking on the Office document).
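As an illustration of the shielding practice described above, here is a small Python helper of the kind a test suite can use to store a sample so that it is not a valid Office file on disk and is only reconstructed in memory by the test. This is an added example, not Chromium code or Chromium's actual test infrastructure; the marker bytes, XOR key, ".shielded" extension and the constructed sample bytes are assumptions chosen for illustration, and the sample is harmless filler, not malware.

```python
"""Shield/unshield helpers for keeping malware test samples in a source tree.

Added example, not Chromium code. The marker, key and extension below are
assumptions; SAMPLE_DOC is constructed filler and is not malware.
"""
import hashlib
import os

MAGIC = b"SHIELDED-SAMPLE\x00"      # assumption: marker so tools recognise shielded files
XOR_KEY = b"chromium-test-shield"    # assumption: not a secret, only blocks accidental opening

# Signatures of containers Office opens on double-click.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.xlsx/.pptx are zip archives

OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pptm"}


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call shields and unshields."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shield(raw: bytes) -> bytes:
    """Encode a raw sample as MAGIC || sha256(raw) || xor(raw).

    The result no longer starts with an Office signature, and the digest lets
    unshield() detect a truncated or wrongly keyed file instead of handing a
    corrupt sample to the detector under test.
    """
    return MAGIC + hashlib.sha256(raw).digest() + _xor(raw, XOR_KEY)


def unshield(blob: bytes) -> bytes:
    """Recover the raw sample in memory; tests call this rather than reading a raw file."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a shielded sample; refusing to use it as raw bytes")
    start = len(MAGIC)
    digest, body = blob[start:start + 32], blob[start + 32:]
    raw = _xor(body, XOR_KEY)
    if hashlib.sha256(raw).digest() != digest:
        raise ValueError("shielded sample is corrupt or was encoded with a different key")
    return raw


def looks_like_raw_office(head: bytes) -> bool:
    """True if the leading bytes carry an OLE2 or zip signature."""
    return head.startswith(OLE2_MAGIC) or head.startswith(ZIP_MAGIC)


def would_open_in_office(name: str, head: bytes) -> bool:
    """Flag a file by extension OR by content, so a merely renamed sample is still caught."""
    ext = os.path.splitext(name)[1].lower()
    return ext in OFFICE_EXTENSIONS or looks_like_raw_office(head)


def check_tree(root: str) -> list:
    """Walk a checkout and list files that Office would open if double-clicked.

    Intended as a presubmit-style check on a directory of test samples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            if would_open_in_office(name, head):
                findings.append(path)
    return sorted(findings)


# Constructed stand-in for a macro-bearing .doc: OLE2 header plus filler. Not malware.
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 8 + b"constructed test payload, harmless"

if __name__ == "__main__":
    blob = shield(SAMPLE_DOC)
    assert not looks_like_raw_office(blob)
    assert unshield(blob) == SAMPLE_DOC
    print("shielded %d raw bytes into %d bytes" % (len(SAMPLE_DOC), len(blob)))
```

The XOR key is deliberately not a secret: the goal is only that a double-click, a file-association handler, or an over-eager on-access scanner never sees a well-formed Office document, while the test still gets the exact original bytes. The content-based check matters because an extension rename alone leaves a sample one "Open with" away from executing.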
The malware was a 5-year-old sample. Because of the need to manually open the files to cause infection, and the age of the malware, we think that it’s exceedingly unlikely that any contributors were infected by this malware. To date, we have not received any reports of any contributors being infected by opening these files.
What can you do to remain protected
If you are not a Chromium developer, you are unaffected and not at risk. There is no action required.
If you are a Chromium developer, we strongly recommend rebasing your source checkout to the latest version of the Chromium source code.
How do I know that I’m safe?
Chromium/Chrome does not, and has never included any of these files, so users of those products are at no risk.
If you did not manually open any .doc or .docx test files from the Chromium source checkout using Microsoft Office on Windows, then you are unaffected.
We have confirmed that the malware itself is inactive as of this writing.
Tests using these files do not trigger the malware, so incidental infection via running tests would not have occurred.
A Chromium checkout synced past Nov 18th, 2021 does not pose a risk to developers.
We apologize for the oversight on our end and are reviewing our processes to help ensure that potentially dangerous binary files committed to the repo are properly shielded from accidental opening.
The Chromium team