Add statement on GodLoader malware loader #966

Merged
2 changes: 2 additions & 0 deletions _data/authors.yml
Expand Up @@ -80,5 +80,7 @@
image: /assets/images/authors/everyone.webp
- name: "Godot Foundation"
image: /assets/images/authors/foundation.webp
- name: "Godot Security Team"
image: /assets/images/authors/security_team.webp
- name: default
image: /assets/images/authors/default_avatar.svg
1 change: 1 addition & 0 deletions _layouts/article.html
Expand Up @@ -105,6 +105,7 @@
.article-author .avatar {
border-radius: 100%;
margin: 0;
background: transparent;
}

.article-author .by {
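Review bot: the same `background: transparent;` override is added twice in this PR, here for `.article-author .avatar` in the layout's inline style block and again in `assets/css/main.scss` for `article.article-card .info .avatar`. If a transparent background is wanted for every author avatar (presumably because the new `security_team.webp` has transparency), one shared avatar rule in `main.scss` would be easier to keep in sync than an inline style in `_layouts/article.html`; otherwise a comment saying why only these two selectors need it would help the next person touching the styles.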
1 change: 1 addition & 0 deletions assets/css/main.scss
Expand Up @@ -1385,6 +1385,7 @@ article.article-card .info .avatar {
left: 0px;
width: 25px;
height: 25px;
background: transparent;
}
article.article-card .info span {
font-size: 14px;
Binary file added assets/images/authors/security_team.webp
Binary file not shown.
39 changes: 39 additions & 0 deletions collections/_article/statement-on-godloader-malware-loader.md
@@ -0,0 +1,39 @@
---
title: "Statement on GodLoader malware loader"
excerpt: "Godot security team clarifies the risk exposed by Check Point Research's report."
categories: ["news"]
author: Godot Security Team
image: /storage/blog/covers/statement-on-godloader-malware-loader.webp
date: 2024-11-28 11:00:00
---

Security researchers at [Check Point Research](https://research.checkpoint.com/) have [published a report](https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/) about GodLoader, a malware loader using Godot as its runtime to execute malicious code and infect unaware users with known malware. Based on the report, affected users thought they were downloading and executing cracks for paid software, but instead executed the malware loader.

As the report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

**Users who merely have a Godot game or editor installed on their system are not specifically at risk.**
We encourage people to only execute software from trusted sources -- whether it's written using Godot or any other programming system.

For some more technical details:

Godot does not register a file handler for `.pck` files. This means that a malicious actor always has to ship the Godot runtime (`.exe` file) together with a `.pck` file. The user will always have to unpack the runtime together with the `.pck` to the same location and then execute the runtime. There is no way for a malicious actor to create a "one click exploit", barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

This is similar to writing malicious software in Python or Ruby, the malicious actor will have to ship a `python.exe` or `ruby.exe` together with their malicious program.

## Good security practices

We would like to take this opportunity to remind users about some good security practices when it comes to downloading and executing software.

- Only download and execute software (including game mods) from trusted sources:
* Official project website. Confirm it by checking the URL, and verify with a search engine that this seems to be the most frequently referenced website for this software.
* Trusted distribution platform: Steam, Epic Games Store, Windows Store, Google Play, Apple Store, etc.
* People you know, after confirming that they are who they claim to be if the communication is text-based (see below).
- On Windows and macOS, verify that the executable is signed (and notarized, on macOS) by a trusted party.
- Be wary of executing cracked software, which is a prime attack vector for malicious actors.
- Be wary of executing software even from people you know, if you can't confirm that their account hasn't been compromised. A very common attack vector targeting specifically game developers is for Discord accounts to get hacked, and then malicious actors use them to send malicious downloads to their friends in private messages ("hey will you try my game?"). Make sure to confirm the identity of your contacts before executing such software.

## Reporting security issues

We thank Check Point Research for following the security guidelines of responsible disclosure, which let us confirm that this attack vector, while unfortunate, is not specific to Godot and does not expose a vulnerability in the engine or for its users.

If you would like to report a security vulnerability or concern, please send an email to [[email protected]](mailto:[email protected]).
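Review bot: the statement is inconsistent about whether this is a vulnerability. The second paragraph opens with `As the report states, the vulnerability is not specific to Godot.`, while the "Reporting security issues" section says the attack vector `does not expose a vulnerability in the engine or for its users`; using "technique" or "attack vector" in the second paragraph would avoid conceding in one place what is denied in another. Two points in the technical details: the claim that an attacker `always has to ship the Godot runtime (`.exe` file) together with a `.pck` file` and that the user must unpack both `to the same location` is stronger than needed, because Godot's export options can also embed the PCK into the exported executable (the "Embed PCK" option), leaving a single binary; the argument that actually carries the conclusion is the one made in the following paragraph, that the victim still has to run an untrusted executable, exactly as with a shipped `python.exe`, so the text would be safer resting on that alone. And the advice to `verify that the executable is signed (and notarized, on macOS) by a trusted party` would be more actionable with a pointer to how a user checks this: the file's Properties > Digital Signatures tab or `Get-AuthenticodeSignature` in PowerShell on Windows, and `codesign --verify` or `spctl --assess` on macOS, comparing the signer against the one named on the download page.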
6 changes: 1 addition & 5 deletions collections/_download/macos.md
Expand Up @@ -23,10 +23,6 @@ content_instructions: |
</ul>

<p>
Godot is code-signed and notarized for macOS. This means it should run out of the box even if Gatekeeper is enabled on the system (which is the default).
</p>

<p>
For older Godot versions, see the last section of <a href="https://support.apple.com/en-us/HT202491">this page</a> for instructions on allowing Godot to run anyway. Alternatively, you can install <a href="https://store.steampowered.com/app/404790">Godot from Steam</a> and switch to an older branch in the Steam application settings to work around this.
Godot is code-signed and notarized for macOS by <em>Prehensile Tales B.V.</em>.
</p>
---
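Review bot: the sentence `This means it should run out of the box even if Gatekeeper is enabled on the system (which is the default).` is removed here but kept on the Godot 3 download page in the same PR, so the two pages now say different things about what the signature buys the user; keep it here as well, since naming the signer (`Prehensile Tales B.V.`) is only useful if the page also tells the user what to expect when the app is opened and what name to compare against. Dropping the `For older Godot versions` paragraph is reasonable on the Godot 4 page, as signing has been in place since 3.3, but note that the link to Apple's instructions for unsigned apps now survives only on the Godot 3 page.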
3 changes: 2 additions & 1 deletion collections/_download_3/macos.md
Expand Up @@ -19,7 +19,8 @@ content_instructions: |
</ul>

<p>
Since Godot 3.3, Godot is code-signed and notarized for macOS. This means it should run out of the box even if Gatekeeper is enabled on the system (which is the default).
Since Godot 3.3, Godot is code-signed and notarized for macOS by <em>Prehensile Tales B.V.</em>.
<br>This means it should run out of the box even if Gatekeeper is enabled on the system (which is the default).
</p>

<p>
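Review bot: the `<br>` inserted before `This means it should run out of the box even if Gatekeeper is enabled on the system (which is the default).` forces a line break inside the paragraph, which the page does not do elsewhere (the next paragraph is its own `<p>`, as seen in the trailing context); either keep both sentences on one line as before or move the second sentence into a separate `<p>` to match the surrounding markup.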