Quote:Original article at: https://www.rei.com/blog/snowsports/snow...ng-started

Old news again, but... Mar 18, 2022 2:31 pm

When code with millions of downloads nukes user files, bad things can happen. 

A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act

Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node-ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.

To conceal the malice, node-ipc author Brandon Nozaki Miller base-64-encoded the changes to make things harder for users who wanted to visually inspect them to check for problems.
This is what those developers saw:

Quote:Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. 
The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.
Researchers have spent the weekend gathering clues. Here's what we know so far.

What is xz Utils?
xz Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data during all kinds of operations. xz Utils also supports the legacy .lzma format, making this component even more crucial.

What happened?
Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.
Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to xz Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavor to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.



What does the backdoor do?
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it's not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.

Wait, how can a compression utility manipulate a process as security sensitive as SSH?
Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that's needed for it to work properly. OpenSSH, the most popular sshd implementation, doesn’t link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows xz Utils to exert control over sshd.

How did this backdoor come to be?
It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch over the xz Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to xz Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in xz Utils affairs. For instance, Tan replaced Collins' contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of xz Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into the following releases, according to security firm Tenable:

Fedora Rawhide
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Fedora Rawhide is the development distribution of Fedora Linux
Fedora 41
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.
https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Tumbleweed and openSUSE MicroOS
https://news.opensuse.org/2024/03/29/xz-backdoor/
Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28
Kali Linux
https://www.kali.org/blog/about-the-xz-backdoor/
Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28

There’s more about Tan and the timeline here.

Can you say more about what this backdoor does?
In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.
Multiple people who have reverse-engineered the updates have much more to say about the backdoor.
Developer Sam James provided this overview:
This backdoor has several components. At a high level:

• The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.
  
• There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
  • tests/files/bad-3-corrupt_lzma2.xz (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)
    
  • tests/files/good-large_compressed.lzma (cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0, 74b138d2a6529f2c07729d7c77b1725a8e8b16f1)
    
• A script called by build-to-host.m4 unpacks this malicious test data and uses it to modify the build process.
  
• IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.
  

Normally, upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.
This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

• If amd64/x86_64 is the target of the build
  
• And if the target uses the name linux-gnu (mostly checks for the use of glibc)
  

It also checks for the toolchain being used:
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
exit 0
fi
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
LDv=$LD" -v"
if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
exit 0
And if you are trying to build a Debian or Red Hat package:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.
In an online interview, developer and reverse-engineer HD Moore confirmed the Sam James suspicion that the backdoor targeted either Debian or Red Hat distributions.

“The attack was sneaky in that it only did the final steps of the backdoor if you were building the library on amd64 (intel x86 64-bit) and were building a Debian or a RPM package (instead of using it for a local installation),” he wrote.
Paraphrasing observations from researchers who collectively spent the weekend analyzing the malicious updates, he continued:
When verifying an SSH public key, if the public key matches a certain fingerprint function, the key contents are decrypted using a pre-shared key before the public key is actually verified. The decrypted contents are then passed directly to system.
If the fingerprint doesn't match or the decrypted contents don't match a certain format, it falls back to regular key verification and no-one's the wiser.
The backdoor is super sneaky. It uses a little-known feature of the glibc to hook a function. It only triggers when the backdoored xz library gets loaded by a /usr/bin/sshd process on one of the affected distributions. There may be many other backdoors, but the one everyone is talking about uses the function indirection stuff to add the hook. The payload was encoded into fake xz test files and runs as a shellcode effectively, changing the SSH RSA key verification code so that a magic public key (sent during normal authentication) let the attacker gain access
Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
2) use sockpuppet accounts to convince the various Linux distributions to pull the latest version and package it
3) once those distributions shipped it, they could take over any downstream user/company system/etc
Researchers from networking firm Akamai also explain well how the backdoor works:
The backdoor is quite complex. For starters, you won’t find it in the xz GitHub repository (which is currently disabled, but that’s besides the point). In what seems like an attempt to avoid detection, instead of pushing parts of the backdoor to the public git repository, the malicious maintainer only included it in source code tarball releases. This caused parts of the backdoor to remain relatively hidden, while still being used during the build process of dependent projects.
The backdoor is composed of many parts introduced over multiple commits:

• Using IFUNCs in the build process, which will be used to hijack the symbol resolve functions by the malware
  
• Including an obfuscated shared object hidden in test files
  
• Running a script set during the build process of the library that extracts the shared object (not included in the repository, only in releases, but added to .gitignore)
  
• Disabling landlocking, which is a security feature to restrict process privileges
  

The execution chain also consists of multiple stages:

• The malicious script build-to-host.m4 is run during the library’s build process and decodes the “test” file bad-3-corrupt_lzma2.xz into a bash script
  
• The bash script then performs a more complicated decode process on another “test” file, good-large_compressed.lzma, decoding it into another script
  
• That script then extracts a shared object liblzma_la-crc64-fast.o, which is added to the compilation process of liblzma
  

This process is admittedly hard to follow. We recommend Thomas Roccia’s infographic for a great visual reference and in-depth analysis.
The shared object itself is compiled into liblzma, and replaces the regular function name resolution process. During (any) process loading, function names are resolved into actual pointers to the process memory, pointing at the binary code. The malicious library interferes with the function resolving process, so it could replace the function pointer for the OpenSSH function RSA_public_decrypt (Figure 1).
It then points that function to a malicious one of its own, which according to research published by Filippo Valsorda, extracts a command from the authenticating client’s certificate (after verifying that it is the threat actor) and passes it on to the system() function for execution, thereby achieving RCE prior to authentication.



What more do we know about Jia Tan?

At the moment, extremely little, especially for someone entrusted to steward a piece of software as ubiquitous and as sensitive as xz Utils. This developer persona has touched dozens of other pieces of open source software in the past few years. At the moment, it’s unknown if there was ever a real-world person behind this username or if Jia Tan is a completely fabricated individual.
Additional technical analysis is available from the above Bluesky thread from Valsorda, researcher Kevin Beaumont, and Freund’s Friday disclosure.

Is there a CVE tracking designation?
Yes, it's CVE-2024-3094.

How do I know if the backdoor is present on my device?
There are several ways. One is this page from security firm Binarly. The tool detects implementation of IFUNC and is based on behavioral analysis. It can automatically detect invariants in the event a similar backdoor is implanted elsewhere.
There's also a project called xzbot. It provides the following:

• honeypot: fake vulnerable server to detect exploit attempts
  
• ed448 patch: patch liblzma.so to use our own ED448 public key
  
• backdoor format: format of the backdoor payload
  
• backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

https://arstechnica.com/security/2024/04...the-world/

https://arstechnica.com/information-tech...d-belarus/

https://www.zdnet.com/article/minix-inte...ng-system/

https://www.reddit.com/r/technology/comm...ael_plant/

https://www.reuters.com/technology/intel...023-12-26/

https://www.theguardian.com/world/2021/j...ess-latifa

Quote:WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data.
Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware.
In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even captcha pages.
Malicious WordPress plugins
Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.
"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko.
"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."
The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names.
The list of malicious plugins seen in this campaign between June and September 2024 are:

LiteSpeed Cache Classic Custom CSS Injector MonsterInsights Classic Custom Footer Generator Wordfence Security Classic Custom Login Styler Search Rank Enhancer Dynamic Sidebar Manager SEO Booster Pro Easy Themes Manager Google SEO Enhancer Form Builder Pro Rank Booster Pro Quick Cache Cleaner Admin Bar Customizer Responsive Menu Builder Advanced User Manager SEO Optimizer Pro Advanced Widget Manage
Simple Post Enhancer Content Blocker Social Media Integrator

Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign.
When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site.

Code:

<script type="text/javascript" src="https://[infected.site]t/wp-content/plugins/custom-css-injector/cci-script.js" id="custom-css-injector-js"> </script>

When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners.

From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
As you can see from the image below, the threat actors log in via a single POST HTTP request rather than first visiting the site's login page. This indicates that it is being done in an automated manner after the credentials have been already obtained.
Once the threat actor logs in, they upload and install the malicious plugin.

While it is unclear how the threat actors are obtaining the credentials, the researcher notes it could be through previous brute force attacks, phishing, and information-stealing malware.
If you are a WordPress operation and are receiving reports of fake alerts being displayed to visitors, you should immediately examine the list of installed plugins, and remove any that you did not install yourself.
If you find unknown plugins, you should also immediately reset the passwords for any admin users to a unique password only used at your site.

Quote:Quietly merged into this week's Linux 6.12-rc4 kernel was a patch that removes a number of kernel maintainers from being noted in the official MAINTAINERS file that recognizes all of the driver and subsystem maintainers.

Sent out last week by Linux's second-in-command Greg Kroah-Hartman was the patch dropping a dozen maintainers from the kernel. Greg simply commented in there:
"Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided."

This includes the maintainer of the Acer Aspire 1 EC driver, Cirrus Logic CLPS711X ARM architecture, Baikal-T1 PVT hardware monitor driver, Libata PATA drivers, libata SATA AHCI Synopsys DWC controller drivers, ASCOT2E media drivers, MIPS Baikal-T1 platform driver, NTB IDT driver, PPTP driver, Renesas R-Car SATA driver, Renesas Super-H Ethernet Driver, and the UFS file-system. Just the maintainer entries are being removed and not the actual drivers themselves.

The commonality of all these maintainers being dropped? They appear to all be Russian or associated with Russia. Most of them with .ru email addresses.

In response on the Linux kernel mailing list it was asked by others what are the "compliance requirements" and "sufficient documentation" needed... So far there isn't any public comment by Greg Kroah-Hartman. Presumably this is due to sanctions on Russia involving the war in Ukraine.

This is just dropping Russian maintainers from the kernel but isn't clear if patches from them will be accepted moving forward. Similarly, the driver code remains within the kernel -- including for Russian hardware such as around the Baikal CPUs from Russia's Baikal Electronics. So right now it appears to be little more than just not officially recognizing any formal kernel maintainers that are Russian.

Cutting videos in the terminal with chafa and ffmpeg

September 2024

I've been working on a video editor for the terminal: demo.webm. 

This might be my favorite project yet. I'm excited to share a progress update.
SUCCESSES

It looks pretty! Terminal graphics libraries always look pretty. AA-lib, for example, makes ASCII art in the terminal. And catimg makes pixel art. But I'm using a library called chafa. Chafa looks better, especially at small sizes, because it uses a variety of symbols. I recommend browsing chafa's blog posts and gallery to see all the pretty examples.

It's performant! At first, I was getting only a few frames per second with full CPU usage. But after tweaking some parameters with chafa and ffmpeg, I can play videos at 2x speed with 20-30 frames per second. That's enough for smooth video playback.

I'm happy! I wanted to make a terminal video editor two years ago, but that was too ambitious for me at the time. Now it's a reality. I love making my own tools. That's the thrill of programming -- you wish something existed, and then you make it happen.

SOME FFMPEG RECIPES
The whole program centers around two ffmpeg commands. The first command decodes a video into frames of pixels:

Quote:fmpeg \
  -ss 0.000 \
  -i video.mp4 \
  -vf scale=iw/2:ih/2 \
  -f rawvideo \
  -pix_fmt rgb24 \
  pipe:

1. Input any video: mp4, mkv, mov, etc, or even a URL to a video
   
2. Downsize the video with -vf scale=iw/2:ih/2 to make the program faster
   
3. Start anywhere; for example, if jumping to the middle of a 60 minute video, start decoding from -ss 1800.000
   
4. Output pixels with -f rawvideo and -pix_fmt rgb24
   
5. Stream pixels through an output pipe: into the main program
   

Quote:ffmpeg \
  -ss 5.000 \
  -i screencast.mp4 \
  -to 10.000 \
  -c copy \
  trimmed.mp4

Quote:        ____________________
                /                                     \       
      stdout -->  always reading pixels --> main program
    /          \____________________/               
    / 
ffmpeg             
    \            ____________________
    \          /      lots of messages           \   
      stderr -->    kept piling up   
                \____________________/

Quote:frame=  495 fps=329 q=-0.0 size= 1503562kB time=00:00:08.25 bitrate=1492992.0kbits/s speed=5.49x
frame=  624 fps=311 q=-0.0 size= 1895400kB time=00:00:10.40 bitrate=1492992.0kbits/s speed=5.19x
frame=  752 fps=300 q=-0.0 size= 2284200kB time=00:00:12.53 bitrate=1492992.0kbits/s speed=  5x
frame=  874 fps=291 q=-0.0 size= 2654775kB time=00:00:14.56 bitrate=1492992.0kbits/s speed=4.84x
frame= 1005 fps=286 q=-0.0 size= 3052688kB time=00:00:16.75 bitrate=1492992.0kbits/s speed=4.76x

Quote:#!/bin/bash

ffmpeg \
  -f lavfi -i color=black \
  -loop 1 \
  -f null /dev/null \
  2>&1 \
  | tee >(sleep 270) \
  | wc -c

# Returns ~60500 for me.
# If you account for extra stderr messages in production,
# like video metadata and encoding information,
# that's right around 65536.

IsraHELL GENOCIDERS! :P

Quote:Once thought a haven from Israeli strikes, a Christian town in Lebanon is now a scene of carnage
Pervading everything was the overwhelming stench of rotting flesh mixed with concrete dust at the scene where 23 people including two children were killed, according to local officials.
A dead baby inside a destroyed pickup truck; a child’s severed arm buried in nearby rubble; toddler clothing and books shredded; flies swarming as officials collected body parts, some too small for body bags ending up in clear ziplock bags.

Pervading everything, the overwhelming stench of rotting flesh mixed with concrete dust at the scene where 23 people including two children were killed, according to local officials.
This was the aftermath of an airstrike Monday on the Lebanese Christian village of Aitou that Israel said had targeted a position held by Hezbollah, the Lebanese militant group.
Until then, this region of hilly olive groves and winding, sea-view roads had been a relative haven, one that felt far away from the war dominating Beirut and the country’s south.
Just last week, the area “was calm; everything was quiet,” Illy Edwan told NBC News as he surveyed the wreckage of his villa, which was reduced to rubble in the blast, its insulation and inner structure ripped to pieces, an adjacent vehicle twisted open like a burnt pretzel.
“My house used to be three-story, but look at it today,” he added.
Surrounding homes had glass and twisted metal strewn across their patios. Some nearby olive trees, laden with fruit ahead of the upcoming harvest, were also destroyed, their green leaves covered in gray soot from the explosion.
Hezbollah doesn’t usually have a presence here. But Edwan, who was not at home at the time of the bombing, said an official from the group had been visiting houses donating money to displaced people, some of whom had fled from southern Lebanon to escape the Israeli invasion, and asking about their concerns.
The Israel Defense Forces said in a statement that it had struck “a target belonging to the Hezbollah terrorist organization in northern Lebanon,” and that the reports of civilian casualties were “under review” and “being examined.”

xD

Wow poor salmon, poor animals

Quote:More than 1m farmed salmon die at supplier to leading UK retailers

Mowi Scotland, which supplies Tesco, Asda and Sainsbury’s, blames a rise in sea temperatures for the deaths, while campaigners say expanding farms will make things worse

More than a million dead fish, the biggest mass die-off of farmed salmon in Scotland in a decade, have been recorded at a farm belonging to the UK’s largest supplier.

The deaths at two adjacent Mowi Scotland sites in Loch Seaforth on the Outer Hebrides – licensed as one farm by the Scottish government – rose to just over a million during the year-and-a-half production cycle that it usually takes to raise a salmon in seawater, and which in this case began in spring 2023. Mowi supplies salmon to retailers including Sainsbury’s, Tesco, Asda and Ocado. Many of its farms, including those in the Hebrides, are certified under the RSPCA Assured label, which guarantees higher animal welfare standards.

The data, analysed from government statistics by Scotland’s Coastal Communities Network (CCN), which exists to protect Scotland’s coastal and marine environments, and NGO Free Salmon, is “deeply concerning”, said John Aitchison, speaking on behalf of CCN’s 30 member groups. Mass deaths of farmed salmon are a growing problem, he said, and can in some cases be an indicator of poor welfare.

At the end of last year, when mortality in Scotland’s farms hit record levels, Chris Packham called for a halt to the expansion of the Scottish salmon farming industry. Despite this, salmon remains the UK’s second most popular fish (after tuna), with sales in the year to June worth £1.3bn.

“This is the first time since 2014 [when regular reporting began] that more than a million farmed salmon deaths have been reported at a single farm site in one production cycle,” said Aitchison. “We expect to see more salmon deaths in Scotland because farms are becoming even larger.”

Meanwhile, activist group Animal Rising filmed salmon at Seaforth during the same production cycle in which the million deaths occurred, with the video appearing to show sick fish with patches of raw, descaled flesh, scraped mouths and swollen or burst eyeballs.

Mowi Scotland confirmed the death total of 1.05 million fish, which it said was a combined figure for two sites, Seaforth and Noster.

Ben Hadfield, Mowi Scotland’s chief operating officer, rejected any suggestions mass mortality is a sign of poor welfare and said the deaths were due to an unprecedented rise in sea temperatures which resulted in jellyfish blooms, a problem blighting Scottish production. Jellyfish stings to salmons’ eyes, skin and gills risk health problems and death. “[Any] suggestion that this is caused by bad farming, fixation with profits [or] overstocking is … very false and misleading,” Hadfield said.

Salmon mortality at Mowi Scotland has fallen by two-thirds this year due to normalisation of temperatures, the company said.

Of the Animal Rising footage, Hadfield said it was selective. “What the video shows is fish with eye damage after, you would think, jellyfish stings or wounds that are healing after jellyfish blooms. It does not show the majority of the population.”

Much of the salmon sold in UK supermarkets comes with the RSPCA Assured label. Last month, the RSPCA suspended three Scottish salmon farming sites from the scheme after the release of covert video footage by an animal rights group that showed alleged breaches of welfare regulations.

‘Unacceptable greenwashing’: Scottish farmed salmon should not be labelled organic, say charities
Read more
An RSPCA Assured spokesperson said it had removed Fiunary salmon farm, owned by Scottish Sea Farms, from the scheme, while Mowi’s Loch Alsh and Bakkafrost’s Ardcastle were sanctioned and are receiving extra, unannounced inspections. After this, Scottish Sea Farms and Bakkafrost told the news website West Coast Today they had taken immediate remedial action at the affected sites, while Mowi said it was carrying out its own internal investigation and that the Loch Alsh site was not currently supplying any of its customers.

In the case of the one million salmon deaths at Mowi’s Loch Seaforth sites, neither the video nor the record deaths have threatened Mowi’s higher welfare label, an RSPCA Assured spokesperson told the Guardian, because jellyfish-linked disease outbreaks and “other waterborne insults” were beyond the supplier’s control.