Sudden Sale: The Silent "Defection" of a Star Project#
Just in the past few days, explosive news has emerged from the open-source community: The cloud storage aggregation tool Alist, with 49.8K Stars, has been sold in its entirety.
The catalyst for the event was users discovering that its official domain quietly changed from alist.nn.ci to alistgo.com, with significant modifications to the Chinese documentation, including new commercial content (such as a VIP technical support QQ group and paid pricing strategies), while the original developer Xhofe suddenly disappeared from all communities and has remained silent for a long time.
What further alerted users was the appearance of a device data collection module in the newly submitted code (which was later urgently withdrawn due to community protests), and the desktop download link even pointed to Tencent Cloud COS storage (which was banned due to copyright infringement). These unusual actions are contrary to the transparency of open source, quickly igniting community skepticism.
Original Developer's Response: A "Limited Commitment" After Silence#
In response to the community outcry, original developer Xhofe made his first statement on June 11, but the content of the statement sparked even greater controversy:
"The project has been handed over to a company for operation, and I will help review the code in the open-source version repository to ensure that releases are automatically built by CI, the main branch has been protected, and subsequent submissions will require PR review."
This response was criticized for being evasive:
- Did not deny the sale, only vaguely acknowledged "handing over to company operation";
- Did not disclose transaction details: the identity of the acquirer, the amount, and the ownership of user data were not explained;
- Review authority is questionable: The so-called "help with review" is strongly questioned regarding its actual binding power, with some netizens even joking, "They didn't sell the account too, did they?"
The community is concerned that the founder's actions are actually paving the way for commercialization, while the promise of "branch protection" is unlikely to withstand capital-led control over the code.
Exposing the Acquirer: The "Poisoning Black History" of Guizhou BuG Technology#
The acquirer, Guizhou BuG Technology, has become the focus of public opinion, with its past operations being deemed a "trust killer" in the open-source community:
To avoid complaints about the article, the name of the new owner's company is omitted. It is easy for everyone to find out. 🐶
Controversial acquisition history and poisoning suspicions
- Hutool Toolkit: After the acquisition, it frequently pushed abnormal updates, reported by developers for "unnecessary dependency injection," suspected to be for bundled promotion or backdoor paving;
- LNMP One-Click Installation Package: A company in Jinhua (suspected to be related to BuG Technology) implanted malicious scripts after acquisition, secretly collecting server information, later intercepted and exposed by a security company;
- Oneinstack: Also caught in the "silent update with hidden content" storm, users pointed to its "supply chain poisoning model."
The company employs a four-step strategy of "acquisition → modifying documentation → pushing paid services → closing source":
- Modify the project homepage to strongly promote its own products (such as the new Vi**ub advertisement added to this Alist documentation);
- Quickly launch a paid version (AList desktop version priced at 39.99 yuan);
- Restrict open-source functionality, shifting core services to a privatized API (for example, the api.nn.ci service that Alist relies on may be discontinued in the future).
Some netizens pointed out: Such operations are essentially "open-source hijacking," realizing user data monetization through control of infrastructure.
Community Self-Rescue: Forking and Defense Guidelines#
In the face of systemic trust collapse, users are taking multiple actions:
- Pause updates: Many tech media outlets are calling for freezing the Alist version to before v3.40.0 to avoid supply chain poisoning risks;
- Forking rebirth: Core contributor xrgzs has initiated a Fork project (referred to in the community as the "Slave Uprising"), with alternatives like Zfile gaining popularity;
- Data isolation: It is recommended to unlink sensitive cloud storage accounts and enable independent API keys to reduce reliance on centralized services.
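As an added illustration of the "pause updates" advice (this script is not from the article or the Alist project), the check below audits a deployment's compose file and download URLs: it flags images that are unpinned or at/after v3.40.0, and URLs whose host is the new alistgo.com domain or a Tencent COS bucket (the `myqcloud.com` suffix and the "trusted" domain list are assumptions made here for the example; the sample compose text and URLs are constructed).

```python
"""Audit an Alist deployment against the community freeze advice (constructed example)."""
import re

FREEZE_BEFORE = (3, 40, 0)  # article's advice: stay on a version before v3.40.0
# Assumption: the original project domains plus GitHub releases count as trusted.
ORIGINAL_DOMAINS = {"alist.nn.ci", "api.nn.ci", "github.com"}
# Assumption: new domain from the article, and Tencent Cloud COS bucket suffix.
SUSPECT_HOST_PATTERNS = [r"(^|\.)alistgo\.com$", r"\.myqcloud\.com$"]


def parse_version(tag: str):
    """Turn 'v3.39.4' or '3.40.0-beta' into a tuple; None for 'latest' or junk."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def check_image(image: str):
    """Return a finding for an image ref like 'xhofe/alist:v3.41.0', or None."""
    _, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the colon belonged to a registry port
        tag = ""
    ver = parse_version(tag)
    if ver is None:
        return f"unpinned or unparsable tag '{tag or '<none>'}': pin an explicit version"
    if ver >= FREEZE_BEFORE:
        return f"version {tag} is at or after v3.40.0: roll back and freeze"
    return None


def check_url(url: str):
    """Return a finding when a download/update URL leaves the original infrastructure."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    if any(re.search(p, host) for p in SUSPECT_HOST_PATTERNS):
        return f"host {host} is the new owner's or a COS domain, not the original project"
    if host not in ORIGINAL_DOMAINS:
        return f"unknown host {host}: verify before use"
    return None


def audit(compose_text: str, urls):
    """Collect findings for every 'image:' line in a compose file and every URL."""
    findings = []
    for m in re.finditer(r"^\s*image:\s*(\S+)", compose_text, re.M):
        finding = check_image(m.group(1))
        if finding:
            findings.append(finding)
    for u in urls:
        finding = check_url(u)
        if finding:
            findings.append(finding)
    return findings
```

A constructed compose text with `image: xhofe/alist:latest` and `image: xhofe/alist:v3.39.4`, plus the URLs `https://alist.nn.ci/guide/` and `https://alistgo.com/download`, yields exactly two findings: the unpinned `latest` tag and the alistgo.com host.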