<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>TidGi Desktop 0.13.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tidgi-desktop-0.13.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:17:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tidgi-desktop-0.13.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import</title><link>https://feed.craftedsignal.io/briefs/2026-07-tidgi-rce/</link><pubDate>Tue, 14 Jul 2026 20:17:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tidgi-rce/</guid><description>A critical remote code execution (RCE) vulnerability exists in TidGi Desktop through version 0.13.0, allowing attackers to execute arbitrary code with full Node.js access by tricking victims into importing a specially crafted TiddlyWiki Git repository, leveraging the automatic execution of 'startup' modules during the wiki boot sequence.</description><content:encoded><![CDATA[<p>TidGi Desktop, up to and including version 0.13.0, is affected by a critical remote code execution vulnerability. This flaw can be exploited when a user imports a specially crafted TiddlyWiki repository. The vulnerability stems from TiddlyWiki's module system, which automatically discovers and executes JavaScript code embedded in <code>.tid</code> files placed in the wiki's <code>tiddlers/</code> directory. Specifically, <code>.tid</code> files are auto-loaded into the wiki store, modules with <code>module-type: startup</code> are automatically registered, and their <code>exports.startup()</code> function is executed during the wiki's boot sequence with full Node.js <code>require()</code> access. This allows an attacker to execute arbitrary commands on the victim's system, confirmed on macOS with TiddlyWiki 5.4.0 and Node.js v26. No authentication is required beyond a single user interaction to import the malicious repository, making it a high-impact vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious TiddlyWiki repository containing a <code>.tid</code> file with <code>module-type: startup</code> and JavaScript code in the <code>exports.startup</code> function (e.g., <code>require('child_process').execSync('calc');</code>).</li>
<li>The victim is enticed to import the malicious repository into TidGi Desktop, typically by clicking &quot;Add Workspace&quot; and selecting the attacker-controlled Git repository or local folder.</li>
<li>TidGi Desktop initiates the wiki boot sequence, which involves <code>$tw.boot.startup()</code>.</li>
<li>During <code>loadStartup()</code>, the <code>loadTiddlersNode()</code> function reads all <code>.tid</code> files from the filesystem, including the attacker's malicious file, and adds them to the wiki store via <code>wiki.addTiddlers()</code>.</li>
<li>Subsequently, <code>execStartup()</code> calls <code>defineTiddlerModules()</code>, which iterates through all tiddlers in the store. The attacker's tiddler, having <code>module-type: startup</code>, is registered as an executable module.</li>
<li>The boot sequence proceeds to <code>forEachModuleOfType(&quot;startup&quot;, ...)</code>, collecting all registered &quot;startup&quot; modules, including the attacker's.</li>
<li>Finally, <code>executeNextStartupTask()</code> calls the <code>exports.startup()</code> function of the collected modules without platform restrictions, leading to the execution of the attacker's JavaScript code with full Node.js privileges.</li>
<li>Arbitrary commands, such as launching <code>calc.exe</code> or creating files, are executed on the victim's operating system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to critical consequences, including full Node.js access for the attacker, enabling remote code execution on the victim's machine. Attackers can leverage this access to perform arbitrary file reads and writes, establish reverse shells using Node.js's <code>net</code> module, and establish persistence by writing to startup scripts or other system mechanisms. The vulnerability affects Windows, macOS, and Linux systems and requires only a single user interaction (importing the repository). Given that TidGi Desktop is a personal knowledge base and note-taking application, a compromise could lead to significant data exfiltration, system damage, or further lateral movement within an affected environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable comprehensive <code>process_creation</code> logging across all endpoints running TidGi Desktop to detect unusual child processes spawned by Node.js or TidGi-Desktop, leveraging the Sigma rule provided in this brief.</li>
<li>Monitor <code>file_event</code> logs for suspicious file creations, especially in temporary directories (<code>/tmp</code> on Linux/macOS, <code>%TEMP%</code> on Windows), originating from the TidGi-Desktop process or its child processes.</li>
<li>Educate users about the risks of importing untrusted repositories or files into applications like TidGi Desktop.</li>
<li>Implement application whitelisting solutions to restrict execution of unknown or untrusted executables, particularly those launched as child processes by applications like TidGi Desktop.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>vulnerability</category><category>initial-access</category><category>execution</category><category>windows</category><category>macos</category><category>linux</category></item></channel></rss>