Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.
We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.
This danger is why I quit using the Purple Teams plugin for Pidgin: it works well enough (considering Teams isn’t exactly open to third-party clients, it works amazingly well in fact) it’s GPL-3.0, the source is provided and I compiled it.
So I believe it’s clean, but that’s not good enough for me to hit our corporate Teams channels with it and I don’t have the time to audit the code. Not to mention, while my company trusts my good judgment, I’m pretty sure running an unauthorized client is against IT policies.
So I dropped it, sadly. It’s a bummer because Pidgin uses a fraction of the resources needed by that pig of an Electron app - the official client - made by Microsoft.
The newest Teams app (and I think newest Outlook amongst others) is using system/Edge provided WebViews rather than Electron, which I guess takes care of the “each app gets its own Chrome instance” part of the Electron bloat. It’s so far running better than old Teams for me. On my old work laptop, the fans spun up the second the old Teams client launched lol