May 10, 2026
Vault of horror
Obsidian plugin was abused to deploy a remote access trojan
A note-taking app turned into a trust trap, and the comments are absolutely on fire
TLDR: Attackers tricked finance and crypto workers into opening a shared Obsidian workspace and approving a plugin setting, which then installed malware. The comments exploded into a blame war: some say users were conned, others say the app’s sharing system is too risky to trust at all.
A creepy scam campaign turned Obsidian, the beloved note-taking app of productivity nerds everywhere, into the latest accidental villain. According to researchers, attackers reportedly cosplayed as venture capital types on LinkedIn, moved targets into Telegram chats, then invited finance and crypto workers into a shared Obsidian workspace. The sting only worked if victims were talked into turning on community plugin syncing, but once that happened, the shared vault could trigger malware that gave attackers deep access to the computer. In plain English: the bad guys didn’t magically break in — they convinced people to open the door.
And wow, the community is not agreeing on who deserves the blame. One camp is practically waving a giant "this is social engineering, not an Obsidian flaw" banner, arguing the app already had warning steps and users were manipulated into ignoring them. The other side is coming in swinging, saying that if a shared workspace can become a booby trap, then the whole sharing model is toast. The hottest take? One commenter flat-out called using Obsidian in a workplace "plain malpractice," while another dragged the founders as "D&D nerds, not competent engineers" — which is either devastating slander or the most Hacker News insult ever posted.
The funniest mini-backlash came from minimalists who basically said, "ban plugins, I wouldn’t care," like this whole drama was just proof that extra features are how chaos enters the world. Another commenter raised a more panic-inducing scenario: what if a popular plugin update goes bad? Suddenly the vibe shifted from one scam to everyone side-eyeing every plugin they ever installed.
Key Points
- Security researchers said campaign REF6598 used a malicious shared Obsidian vault to deliver a newly documented RAT called PHANTOMPULSE.
- The campaign targeted finance and cryptocurrency professionals on both Windows and macOS.
- Attackers reportedly used LinkedIn and Telegram to build trust and persuade victims to enable Obsidian community plugin synchronization.
- Malicious versions of legitimate Obsidian plugins, including Shell Commands and Hider, were used to execute scripts that staged the malware.
- The report says PHANTOMPULSE can use the Ethereum blockchain to dynamically resolve its command-and-control infrastructure and was mapped to multiple MITRE ATT&CK techniques.
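
For anyone handed a shared vault, listing the plugins it ships before opening it is a cheap check. The script below is an added example, not code from the researchers' report or from Obsidian. It assumes the usual vault layout (`.obsidian/community-plugins.json` plus `manifest.json`, `main.js` and `data.json` under `.obsidian/plugins/<id>/`), treats a reference to Node's `child_process` in `main.js` as a rough signal that a plugin can run commands, and runs against a constructed sample vault.

```python
import json
import tempfile
from pathlib import Path

# Plugin names come from the report summary above; matched against manifest "name".
WATCHED_NAMES = ("shell commands", "hider")
# Assumption: a main.js that references Node's child_process can run OS commands.
EXEC_MARKER = "child_process"

def audit_vault(vault):
    """Return one finding per plugin folder bundled inside the vault."""
    cfg = Path(vault) / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.is_file() else set()
    findings = []
    for plugin_dir in sorted((cfg / "plugins").glob("*")):
        try:
            manifest = json.loads((plugin_dir / "manifest.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # not a plugin folder, or the manifest is unreadable
        if not isinstance(manifest, dict):
            continue
        pid = str(manifest.get("id", plugin_dir.name))
        main_js = plugin_dir / "main.js"
        code = main_js.read_text(encoding="utf-8", errors="replace") if main_js.is_file() else ""
        findings.append({
            "id": pid,
            "enabled": pid in enabled,  # listed in the vault's own enable list
            "watched_name": any(w in str(manifest.get("name", "")).lower() for w in WATCHED_NAMES),
            "can_exec": EXEC_MARKER in code,
            "has_saved_settings": (plugin_dir / "data.json").is_file(),  # arrives preconfigured
        })
    return findings

def build_sample_vault(root):
    """Constructed sample vault: two bundled plugins, one enabled with saved settings."""
    cfg = Path(root) / ".obsidian"
    for pid, name, js, has_data in [("sample-shell", "Shell Commands", "require('child_process')", True),
                                    ("sample-theme", "Tidy Theme", "/* ui only */", False)]:
        d = cfg / "plugins" / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": name}))
        (d / "main.js").write_text(js)
        if has_data:
            (d / "data.json").write_text("{}")
    (cfg / "community-plugins.json").write_text(json.dumps(["sample-shell"]))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_vault(build_sample_vault(tmp)):
            print(finding)
```

A plugin that is enabled, can execute commands and arrives with saved settings in a vault someone else built is the combination to stop on; a name match alone only says which plugin it claims to be.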