Btw to those saying I shouldn’t be making a video on this, being negative but instead sponsor the project clearly have no idea what they’re talking about. First, I wouldn’t sponsor a project I don’t use and I don’t use Moq, I use NSubstitute. Second, I’ve made a video on Moq and just the exposure it’s gotten from that video (170k views) is worth way more than I could ever sponsor for. Third and most important, I’ve given away the ad revenue I’ve made from showcasing open source projects back to its creators through sponsorships (that I could easily just keep in my pocket), including a call to action to get more people sponsoring projects they like, and unsurprisingly it’s one of my least watched videos because nobody really cares. Its just virtue signalling. Put your money where your mouth is and show me your own receipts. kzbin.info/www/bejne/bKu9fZZ5drB3mNE

There's an old saying, "it takes 20 years to build a reputation and 5 minutes to destroy it"

Collecting private data without consent is one thing, and then obfuscating his code as well so we can't even verify it easily This raises a huge red flag

Thanks for covering this Nick. Just posted it to our dev team. We are using Moq, luckily we are still on v4.18.4 version, won't upgrade. And will look for an alternative! Cheers!

NSubstitute's author will be very pleased by the traffic going to him.

Hi Nick, I'm interested in your upcoming video detailing how to move from Moq to NSubstitute. Hope it's comes out soon 😊

The main problem is that they invade your privacy by scanning your computer for personal information and sending it to a third-party - i.e. without either telling you or asking for your consent. And this is embedded in an open-source library - of which there is a special build. Surely, this is a breach of trust.

What the video does not mention is that the Moq analyzer tries to bully you into installing the sponsorlink app by generating warnings and intentionally slowing down your build. That is the only reason we noticed this earlier today. We now downgraded to the old Moq version and will likely switch to NSubstitute as soon as we get the chance. Thank you so much for making everyone aware of this.

This is Malware. There is no other expression for it. Its like when popular tools were starting to integrate toolbars in their installers.

Lesson learned for me. Know more than one library for the same job. Once I replace Moq with NSubstitite I am never going back.

Ksu has removed it in Moq 4.20.2 that released 17 minutes ago - but if you look at the PR it says it's removed because it breaks functionality on Mac and Linux, and it therefor a "blocker"... They don't really acknowledge that it was a bad idea in the first place... so if it's only removed because it doesn't work on Mac an Linux yet, they might add it again later Besides reading the github folder, people are also saying it's creating random stuff in `%TEMP%\1M5Ot/`

We just started to clarify which test and mock library we want to use in our project. I think we can strike one from the mock library list.

Relevant for developers in Europe: Even including this in your repo is probably violating the GPDR.

And that's that death of Moq. Let's remove that crapware. Well done Nick for creating awareness.

RIP moq, my company just banned it and any project the same developer has control over. We are scrambling to exchange it asap in every project.

Now I want to see a NSubstitute video :)

Every now and then a gentle reminder comes that programming as an industry is still Wild West :)

If you haven't made it already, maybe a good subject to do a video on is how to pick good open source projects when picking dependencies.

@nickchapsas I hear you say in the video that you think NSubstitute is a better library. Why is that? A few people tell me they don't like moq, and usually it's because of the .Object part. I personally like the fact that I write extension methods for Mock when I'm doing MOM pattern. Is it also just the .Object thing for you? Or are there more reasons? And if it is just that, I'm rolling my own mocking library, I'd like your opinion on something. How would you like a library very close to moq, but with an implicit conversion next to a .Object or .Instance as I called it?

This is huge. I mean the pure fact that a library starts any process thats not related to the library itself is a huge red flag. But the fact that this process reads private files that may even contain sensitive information is absolutely mindbending. I started working with DI 1-2 years ago and wanted to go more into testing this year, but it seems like moq is now out of the question. Is there any way to protect against supply chain attacks in .NET?

Ooof, I'm pretty certain that this was intended to be an ease of use thing and to reduce friction. Not requiring you to enter your email, but the missing communication and the way it was executed, really not good x.x Maybe he should've at least polled first whether to include sponsorlink in moq

We need more of these types of videos, not necessarily scandals, but raw takes from Nick. This was hilarious AND informative 😂

Is there Auto Fixture support for NSubstitute?

Sadly people on Twitter don't understand that this is a nightmare for EU devs because of GDPR and bureaucracy. We don't actually care if your employer has to pay a license/donate.

Hopefully this will not trigger other creators of packages to do someting alike. Let's hope that this will scare off the intention due to all the commotion around it. If you want to scrape data, do it by consent. Thanks Nick for your explanation! :)

So nuget packages I include in my project are allowed to spawn processes during compilation?

Thanks. Created a ticket for my team to remove this asap. Will also spread awareness within the organziation. All trust is gone.

In today's world full of dependencies of dependencies of dependencies when you build a project, who knows what sits in this chain. You use a library that uses some other libraries and it goes on. You don't know anymore what your code is actually doing. This time community spotted the thing and there was a global alert that spread around in hours. But who knows how much malware runs behind the scenes in the libraries you use for your projects. I don't know. I hope none, but I can never be sure. Do you know?

Should be fun day at work tomorrow with keeping work emails private.

Thanks for explaining it Nick. I been wonder whats going on and now I know. Thanks again.

An almost unimaginable clusterf.. by the author of Moq; it's really sad to see a great library crash and burn like this.

The maintainer seems totally unhinged; this is an excerpt of one of his posts: "And I’m a firm believer that supporting your fellow developers is something best done personally. Having your company pay for software surely doesn’t feel quite as rewarding as paying from your own pocket, and it surely feels different for me too. We really don’t need to expense our employers for a couple bucks a month, right??"

How should I know that the SHA256 + Base64encoded String I see is not just a crypto-encoded string that is Base64encoded ... sure it might look that way but there are ways to easily exfiltrate information that way

Thanks for sharing. I was not aware of this until I saw this video.

I love when your "random number" pops up in something you have no control over 🤣 Thanks for sharing this video though, I guess I'll need to switch to NSubstitute for a while... This is nuts.

Is there a way to know packages like this before installing? I mean as a whitelisting instead of blacklisting

I honestly thought this video was just click bait, but no. Thanks for bringing this issue into a wider audience Nick.

Thanks, I'll ensure we are on

Was anyone able to verify the claims, that on Jenkins it didn’t run and on macOS it didn’t work?

Tomorrow I’m starting a clean operation. Bye bye Moq, we were friends…

This is a security and legal nightmare. no idea why would someone sabotage their project for minuscule stuff like that. No way I am touching that package or anything from that dev ever.

Thank you for the heads up and looking forward to the migration video

Given this is OSS, it seems like the appropriate action is to fork it, not a abandon it completely. (having said that, I haven't yet tried NSubstitute)

Three things that can happen: 1. The project is dead (even if the code is removed), and everyone stays at pre 4.20 or move to another library. 2. The project gets forked, and someone else is in control. 3. The original project is taken over and managed by a OpenSource foundation. It really seems like option 2 or 3 would be a lot less work than rewriting all the tests out there. And that would be the most OpenSource way of fixing this. Screaming "everyone should change to another framework" does not sound like the OpenSource way to me.

When we were deciding what mocking framework to use, I voted for Moq. I lost that vote in favor of FakeItEasy. I'm glad that happened now.

We saw this issue the other day and luckily we're only using Moq v4.18 in our current projects. So we won't be upgrading. I personally don't like mock-object tools for testing anyway. When I see Mock Objects used, it makes me think that the interface wasn't appropriately designed, and we're trying to cover too much in a single unit test that should probably be changed to an integration test instead. However, we weren't planning to remove Moq from our projects just based on that small preference...until now. Now we're looking to remove Moq from our system completely.

What are your thoughts on NSubstitute vs FakeItEasy?

because of this, i havent been able to do any work today. too busy refreshing the various threads on github reddit etc, and making more and more popcorn.

I was in complete disbelief reading the Reddit thread this morning. I don't know what he expected would happen. I guess just that people wouldn't notice? Even though the whole point of his ... let's just call it malware ... is to be noticed? Absolutely mind-boggling.

dude i have no words... I just started using moq in a new project i guess i will have to replace it guess what nsubstitute... (not important) and for what? a slight chance of the email being scraped (more important lol). Who would have guessed the replacement of the library would be the outcome huh... looking forward to the new video btw

Configutation to the rescue :)

Does AutoMoq support NSubstitute?

Thanks for giving this issue the attention it deserves!

2:47 , so true, the page max out one of my cpu core upon being opened, to make it more sus, once the dev tool opend, it drops to zero.

As dodgy as this is, I think we take for granted the everyday use of open source libraries - it would be good if this outrage could lead to a conversation on the responsibility of both open source providers and open source consumers in ensuring a healthy and supportive ecosystem. What does this library really owe us, if we're using it for free?

You mentioned earlier in the video that we may need to downgrade, but I don't recall you saying which version this starts so i can avoid it. I'm currently using 4.18.x but your example was 4.20.1 with 4.20.2 live as well. I'm hoping I'm on a version where this isn't a problem while I work on migrating away from Moq. Thank you for the heads up.

Thanks for sharing. That was absolutely insane.

That's scary. I wonder how many other nuget packages/libraries could be doing some funky stuff in background...

Thanks for this video 100% appreciated the info

OMFGWTF!!!! thanks Nick for the timely video. The lib I loved is now dead to me.

Thanks for the video and info. 👍

oh shit gonna go over a lot of unit tests and rewrite them with NSubstitute.

Moq -> NSubstitute yes please!!

Wow. 😮 Video about MOQ to NSubstitute is in demand…

I don't get it. Why do you want to link the user that is using your package? They trying to introduce some kind of freemium stuff here?

Your videos with additional humor are fucking amazing, that bitcoin joke was unexpected 😂

All that crap just to thank some people in some log output, that most people would ignore or not notice anyway... If I want my ego stroked that bad, I will happily provide my email manually... there's absolutely no legitimate reason why there should be some weird scraping going on in the background. I'm getting npm flashbacks all over again, where some authors would implement malicious code as a protest against russia, which broke lots of legitimate projects aswell... If it's scraping emails in the background today, who's to say it wont do something else in the future? Wouldn't shock me if it started mining crypto coins at some point... as a way to force everyone to sponsor the project or something xd

Thx for sharing this!

Which version is this ?

How are you forced to run an ad on your own company?

I'm so retarded that I didn't even know what MOQ was. Thanks for the introduction.

Thanks for the heads-up

Moq 420 blazin' through your private data

This is not good. Definitely looking forward to your video on migrating from Moq to NSubstitute.

5:43 your expression made me genuinly laugh :D

Already reverted, but for how long?

wow, thanks for information!

Cant wait for the video to migrate to something else. What is the next best option?

I never needed any mocking framework, so i never used moq - so i am unaffected by this. However, if i had used moq - then i would definitily replace it with an alternative as well. Scraping personal informations for no reasons in a library is out-of-question and also violates a lot of laws... in germany here we have the DSGVO, which is clearly violated by this!

Even intresting thing is that nuget and not even visual studio found this behavior that package is making! Serious security flaw tbh!

Handwritten Test Doubles / Fakes. Any mocking library just overcomplicates things.

Thanks for the heads up! Glad I don't use Moq

Thanks for exposing this to us Nick...luckily we don't use Moq at all.

They JUST released version 4.20.2 which removes the reference to the package. However, it's been removed ONLY because it broke restore on mac.

I'm deciding which framework to use for mocking a new project. I've used Moq before and I like it, but considering this controversy, I'm not going to use it. Anytime there are serious doubts about the integrity of a piece of software, I'll choose an alternative just to be safe.

Yeah SponsorLink would definitely be a violation of my employer's policies on working with the company's data if I installed it by accident while installing a separate nuget package. Clearly explicit permission is not being given here. If I install this on my work PC which has work data (and I am certainly installing it into a project I am doing for work, so it is not mine, it and all the code in it written by me and other employees belongs to my employer), my employer has not given their consent to having those email addresses uploaded. Even if you argue the person installing has given their consent, that means nothing if they are not authorized to do so. These guys are playing with fire, wouldn't be surprised if they get legal letters from a large corp and change their tune quickly.

This happens because of egos when experienced developers are not objective enough to become solution architects. They want to become rich off their (popular) framework (perhaps deservedly) but instead of running it past peers, they would rather just implement it. After all, aren't they geniuses? The rock-star developer attitude causes a LOT of issues.

alternatives to moq ?

Moq….thy name is Mud. I will be ensuring I don’t have version 4.20 installed, and if so, downgrading until I can remove it. Looking forward to seeing the migration to NSubstitute video!

He should be in jail. This was not an innocent mistake.

This is a good reason to re-evaluate how much mocking you need in your project Of course it's more serious than that, but that's also something to consider

This is a popular package. Why the hell did the dev make such stupid decision to send private data to 3th parties! What was he thinking! He just ruined his own package.

The fact that its done without the consent of the user, its a GDPR breach. Won't even touch Moq now.

Yeah, this sucks. pretty much need to have zero tolerance for libraries exfiltrating data like this.

It looks like the end of my usage of Moq. The author of this library is eitger insane or not smart enough to understand, that such a "feature" is one of the worst possible ones. Some third party code scans my git folder for a personal data. WTH?! Anyway, I don't trust Moq after this and will remove it from my every project

I think this is violating GDPR regulations. This guy risks a tremendous fine for this.

Thank you for this info!

removed Moq this morning

Sadly, the personal data has already been collected.

Wow! What an insane way to kill forever a tens-of-million-users decade-old library. And Fiddler is not the answer, I can't believe the maintainer is actually telling me to use it. What would he propose? That we run Fiddler as a background process from here on to the end of time simply because we would be using Moq and have no idea what the obfuscated code is actually doing?