iVentoy Found Installing a Root Certificate on Windows

Suspicious activity has been found in iVentoy, a toolkit for booting and installing various operating systems over the network. When booting Windows over the network, the toolkit was found to be substituting the binary driver httpdisk.sys and installing a self-signed certificate into the system's root certificate store so that the driver's digital signature would be trusted. Reportedly, 31 of 70 antivirus packages detected malicious activity in the file httpdisk.sys.
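A defender can check whether a driver's signature is trusted only because its own self-signed certificate sits in a root store. The PowerShell below is an added example, not code from iVentoy, Ventoy or the original report; the driver path is a placeholder, and the function name is hypothetical.

```powershell
# Added example, not iVentoy or Ventoy code.
# $DriverPath is a placeholder; the page does not say where the driver is written.
$DriverPath = 'C:\path\to\httpdisk.sys'

function Test-DriverSignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Finding = 'No Authenticode signer found' }
    }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($signer)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Root-store entries whose thumbprint matches the top of the signer's chain.
    $rootHits = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    # Heuristic: subject equal to issuer means the signing certificate vouches for itself.
    $selfSigned = $signer.Subject -eq $signer.Issuer

    $finding = if ($selfSigned -and $rootHits.Count -gt 0) {
        'Self-signed signer is installed as a trusted root: find out what installed it'
    } elseif ($selfSigned) {
        'Self-signed signer, not present in the root stores'
    } else {
        'Signer chains to a separate issuer'
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status   # "Valid" is expected once the signer is in a root store
        Signer     = $signer.Subject
        Thumbprint = $signer.Thumbprint
        NotBefore  = $signer.NotBefore
        RootStores = ($rootHits | ForEach-Object { $_.PSParentPath -replace '^.*::' }) -join ', '
        Finding    = $finding
    }
}

if (Test-Path -LiteralPath $DriverPath) { Test-DriverSignerTrust -Path $DriverPath | Format-List }
```

A `Valid` status on its own says little here, because a certificate placed in the root store makes its own signatures verify.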

This activity was seen as a potential attempt to introduce a backdoor and raised concerns about the trustworthiness of the open project Ventoy. The concerns were reinforced by the fact that, following the earlier backdoor incident in the XZ project, the community had already raised questions about suspicious elements in Ventoy's source code.

NixOS developers have proposed replacing Ventoy in the nixpkgs repository with the fnr1r fork (alternatively, glim could also be considered). Both Ventoy and iVentoy are developed by the same author and have a similar purpose, but Ventoy is fully open and focuses on booting operating systems from USB drives, whereas iVentoy is only partially open and is designed for network booting using PXE.

The author of Ventoy and iVentoy projects has joined the discussion surrounding the issue,
