An exit node on the Tor network has been discovered to be slipping malware on top of downloads, according to The Register. The server, based in Russia, has been flagged as bad by The Tor Project, but this "would not prevent copycat attackers from the more than 100 exit nodes in operation."

Net Security reports that the exit node was "adding malicious code to the binaries in question - code that made their computers open a port to send HTTP requests to and receive commands from a remote server." The error was found by security researcher Josh Pitts, who created a tool to test for this and presented it at DerbyCon, but the discovery of the rogue node proves that this kind of attack is actively being used.

At the moment, it doesn't seem that far spread, with Pitts noting that "Out of over 1110 exit notes on the Tor network, this is the only node that I found patching binaries." He was keen to point out that this doesn't necessarily mean the rest of the network is in the clear however, warning that: "this does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries."

PC World states that the main lesson to be taken from security conscious Tor users is to ensure that anything downloaded is protected via TLS or SSL encryption, and that even a binary that is digitally signed may not be protection enough.

Pitts gave special notice to users in countries 'hostile to internet freedom', warning that they should "have a way of checking hashes and signatures of of band prior to executing the binary."