Recently, there has been a lot of confusion about what the ‘Canvas virus’ is and i want to clear that confusion away by making this topic.
Most confusion comes from copy/pasted warnings in the comments section of projects (mostly featured ones)
Here is one example:

SCRATCHERS BEWARE, A group of hackers has created malware that we have dubbed ‘the canvas’ virus. The ‘Canvas’ virus lurks inside of projects of the infected, it tells you to ‘see inside’ and open the backdrop editor. DO NOT DO THIS, You will receive a message alerting you that you've been hacked, and will be signed out of your account. Your projects will be replaced with the infection and your profile description changes. Be safe, stay alert, and report. Copy and paste" SPREAD THE WORD!!

The comments give already sort of an answer about the situation, but it's still very vague and that copy/pasting is mostly used to spread misinformation.

The ‘virus’ actually explained
So, it's actually not a virus, but a vulnerability/exploit that has affected many Scratchers.
It works by going into the project editor (or clicking ‘see inside’) and then going to the costume/backdrop editor. When you open it, the costumes can actually do Arbitrary Code Excecution, which is a way that code can be excecuted. In the desktop/offline editors, it's even worse because then they can run malicious shell programs and steal data from you! And this is not a theoretical possibility, it has already affected multiple Scratchers.

What it can do
It can delete and/or hack all projects, change the description of the victim's profile, comments things on the victim's profile without their concent and run malware (only on desktop/offline editors).

How to prevent it
Don't open suspicious projects asked by others to open and avoid any random links.
If you did get hacked: Unshare all projects, change your password and delete any comments that you didn't type ASAP.

Here is a blog post by GarboMuffin that also explains it.

If you have something to add or a suggestion for this topic, then reply down below!

FINALLY!! thank you so much for writing this, everyone is freaking out and confusing each other, it's so nice to have all this info in one post i really hope more people see it before freaking out

atomicbryght wrote:

FINALLY!! thank you so much for writing this, everyone is freaking out and confusing each other, it's so nice to have all this info in one post i really hope more people see it before freaking out

No problem! Glad that this helped you!

this is great for me because someone said that somewhere and i was super scared cos they said so bad things!

thank you for wrtng ths. ths has made me feel better and has made me understand better

say [omg!]

Nice! You can also look here, this also explains it: Turbowrap (info)

CelestialPuff wrote:

Nice! You can also look here, this also explains it: Turbowrap (info)

I already added it, but good recommendation

I'm making a small video to post on YT to explain this to any scratchers who may not have know about forums

Hey does this affect only certain projects or does this effect all projects like your own anyway I say stop spam posting or else people will think it's a false rumour or weird false trend

Parkour_Champion wrote:

Hey does this affect only certain projects or does this effect all projects like your own anyway I say stop spam posting or else people will think it's a false rumour or weird false trend

It depends on what ACE is used, but it can delete (almost) all projects.

MiaELamanna wrote:

reported to be Stickyed

Did this aswell

-S0dium- wrote:

MiaELamanna wrote:

reported to be Stickyed

Did this aswell

yea

“delete any comments you didn't type ASAP”

Only the creator of a project can delete comments, not yourself.

Also, if this “virus” is still happening, I'm actually really scared.

NatLovesLogos wrote:

“delete any comments you didn't type ASAP”

Only the creator of a project can delete comments, not yourself.

Also, if this “virus” is still happening, I'm actually really scared.

I think they mean on your project but im not sure

NatLovesLogos wrote:

“delete any comments you didn't type ASAP”

Only the creator of a project can delete comments, not yourself.

Also, if this “virus” is still happening, I'm actually really scared.

what the person above me said, also yes it is still happening unfortunately but afaik st is looking into it and you don't need to be scared, you can still create and view projects safely just as long as you don't open the editor

Thank you, finally I understand that Canvas virus they keep spamming in the featured projects! Now I kind of feel bad though because I reported when I saw one because I thought it was fake just to scare people and cause spam, I thought it was just a fake spam trend or fake rumor, people should stop spamming it though because a lot of Scratchers might think it’s fake like I did

My only question is where was it made. That’s all I’m wondering, because knowing that *might* help with finding a way to remove it. That is all I will say.

comicmaker64_2-0 wrote:

My only question is where was it made. That’s all I’m wondering, because knowing that *might* help with finding a way to remove it. That is all I will say.

It's a security vulnerability with vector costumes, & how scratch processes it

IceCreamTub wrote:

comicmaker64_2-0 wrote:

My only question is where was it made. That’s all I’m wondering, because knowing that *might* help with finding a way to remove it. That is all I will say.

It's a security vulnerability with vector costumes, & how scratch processes it

question do you know WHAT was the FIRST project that was hecked because if we can get to that we may can fix it
queen

Ps I had a previous question that was misunderstood.
Anyway…
can the virus activate in a project that is unpublished and created by yourself?
?