Popular note-taking app 'Obsidian' revamps its plugin review process, introducing malware scanning and safety indicators.

Obsidian, a note-taking app that allows users to treat Markdown notes as local files, has revamped its plugin and theme distribution platform and launched a new community site called 'Obsidian Community' and a review system for developers.
Obsidian Community
The future of Obsidian plugins - Obsidian: https://obsidian.md/blog/future-of-plugins/
According to Obsidian, since the release of the Obsidian API in 2020, the community has created over 4,000 plugins and themes, and the total number of plugin downloads has exceeded 120 million.
Obsidian plugins allow you to add features such as note management, search, graphing, integration with external services, and automation. However, Obsidian is an application that handles local files, and some plugins may access the file system, network, clipboard, etc. The more convenient a plugin is, the more important it becomes to have mechanisms to verify the source of the plugin and the security of its code.
The new community site allows users to search for plugins and themes by category, and sort them by name, download count, popularity, release date, and update date. Each project's detail page displays screenshots, a description, and a safety scorecard, and paid plugins and official integrations are labeled. The safety scorecard is a display area where users and developers can see the results of automated reviews, and future plans include incorporating access data disclosure, privacy labels, and manual review results.

A 'Developer Dashboard' is now available for developers, allowing them to submit, manage, and check the review status of plugins and themes. Existing plugins, themes, and pending submissions that were previously added via GitHub have been automatically migrated to the new site, and developers can continue their existing projects by logging in with their Obsidian account and connecting their GitHub account. For new submissions, the review process starts immediately after submission, and results are usually displayed within minutes. Projects that pass the review will be available for in-app search and download within 24 hours.
At the heart of the overhaul is the 'automated review' feature. Previously, a small Obsidian team manually reviewed initial submissions, but the increasing number of Obsidian users and plugin submissions had led to a growing queue for reviews. Furthermore, Obsidian explains that the proliferation of coding agents has accelerated plugin creation, and there is no prospect of the submission pace slowing down. The new system automatically checks not only the initial submission but also each version for compliance with developer policies, code quality, known vulnerabilities, and potential malware.

However, manual reviews are not being abolished. Obsidian plans to extend its regular checks with automated reviews, while redirecting manual review efforts to items that require deeper scrutiny, such as popular plugins, featured plugins, and plugins that have been reported to have issues by the community. Existing plugins and themes are also being re-reviewed with the new system, and older projects that do not meet the latest standards are being given temporary exceptions, but in the future, plugins and themes that do not meet the new standards will be gradually removed from the official directory.
The security of Obsidian plugins has come under scrutiny due to reports of attacks exploiting Obsidian community plugins. In Obsidian, folders where notes and settings are stored together are called 'vaults.' These vaults may contain not only the text of notes but also configuration files and plugin-related files.
On April 16, 2026, CyberNetSec.io
According to CyberNetSec.io, PHANTOMPULSE can capture keystrokes, take screenshots, steal files, and execute arbitrary commands. CyberNetSec.io's analysis also found that the attacker obtains the address of the C2 server that sends commands to the malware from transaction data on the Ethereum blockchain, which makes the attack infrastructure difficult to shut down. Recommended countermeasures include not enabling plugin synchronization in untrusted vaults, installing plugins only from official and trusted distributors, and monitoring Obsidian's behavior, in particular whether it launches PowerShell, osascript, or similar scripting hosts.
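The last countermeasure above, monitoring whether Obsidian spawns a scripting host, can be turned into a simple detection rule over process-creation events. The following is an added example, not code from the article, CyberNetSec.io, or Obsidian; the event line format, the process names, and the sample log lines are all constructed for this illustration.

```python
import re
from dataclasses import dataclass
# Child processes a note-taking app has no ordinary reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "osascript", "cmd.exe", "sh", "bash", "zsh"}
# Process names Obsidian runs under on Windows and macOS (assumed for this example).
OBSIDIAN_PARENTS = {"obsidian.exe", "obsidian"}

# Constructed record format for this example, one process-creation event per line:
#   <timestamp> parent=<name> pid=<n> child=<name> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) pid=(?P<pid>\d+) '
    r'child=(?P<child>\S+) cmd="(?P<cmd>[^"]*)"$'
)

@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    child: str
    cmd: str

def parse_event(line):
    """Return the fields of one event line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines):
    """Alert only when an Obsidian process spawns a scripting host; ignore everything else."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["parent"].lower() in OBSIDIAN_PARENTS and ev["child"].lower() in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(ev["ts"], int(ev["pid"]), ev["child"], ev["cmd"]))
    return alerts

# Constructed sample events: lines 2 and 4 should alert; lines 1, 3 and 5 should not.
SAMPLE_LOG = """\
2026-04-16T09:00:01Z parent=Obsidian.exe pid=4101 child=Obsidian.exe cmd="Obsidian.exe --type=renderer"
2026-04-16T09:00:07Z parent=Obsidian.exe pid=4188 child=powershell.exe cmd="powershell.exe -NoProfile -WindowStyle Hidden -File C:\\vault\\.obsidian\\plugins\\example\\run.ps1"
2026-04-16T09:01:12Z parent=explorer.exe pid=4210 child=powershell.exe cmd="powershell.exe"
2026-04-16T09:02:30Z parent=Obsidian pid=5120 child=osascript cmd="osascript -e ..."
this line is not an event record
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} pid={a.pid} Obsidian spawned {a.child}: {a.cmd}")
```

A renderer helper spawned by Obsidian and a PowerShell launched from Explorer are both left alone; only the Obsidian-to-scripting-host parent/child pairs are reported.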

Meanwhile, Obsidian CEO Steph Ango appeared on Hacker News, explaining that the reported attack was a 'social engineering attack that requires users to proactively reject multiple security warnings from Obsidian, and the headline is misleading,' adding that they were unaware of any actual reports of damage. At the same time, Ango also posted that they were preparing a major update regarding plugin security.
In announcing the new system on Hacker News, Ango stated, 'We've been working on launching the new community site and review system for about a year.' Obsidian is a team of seven people with thousands of plugin developers and millions of users, so they had to consider ease of adoption, backward compatibility, impact on existing workflows, and improvements to security and discoverability all at once.
Among the features planned for introduction in the coming months are 'Access Disclosure' and the 'Verified Developer' label. Access Disclosure will allow developers to specify whether a plugin accesses features such as the network, file system, and clipboard, so that users can review this before installation. The Verified Developer label will indicate developers who have passed additional verification procedures and are in good standing.
Management features for companies and teams using Obsidian will also be enhanced. Obsidian explains that it will add features to make it easier to manage which community plugins are allowed for teams, and a mechanism to distribute private plugins to team members. Teams that publish official Obsidian plugins will also be able to apply for an official label in the community directory.
Obsidian describes its community ecosystem as 'one of the most fun and powerful aspects' of Obsidian, and states that it wants to provide a foundation for the community to grow further by creating a platform for discovering, distributing, reviewing, and ensuring the safety of plugins and themes.
in Web Service, Security, Posted by log1d_ts