
New Machine Compromised? Should I Care? [migrated]

Çağlar Arlı      -    19 Views


I have a ~brand-new (10 days since unpackaging) machine that had a funny pop-up (lower-right corner of below screenshot) appear just now. The only modifications I have made have been

  1. Install the Brave browser
  2. Install WSL, the Ubuntu app, and VS Code
  3. I've used one USB (gen 1 or 2) mouse and one keyboard

I haven't been to any sketchy sites (unless you include Microsoft websites like Outlook); I've only used Brave to search for help with programming questions, to visit Stack Exchange sites, and for email (Outlook for work, Gmail for personal).

The only other thing I've used this computer for (besides Brave) is to SSH to a remote cluster (through my virtual private server gateway machine), which requires 2FA + passwords.

Other potentially relevant information:

  1. I went to system settings and confirmed no updates are currently available
  2. Windows 11 Home
  3. Version 10.0.22631 Build 22631
  4. Manufacturer: Acer
  5. System Model: Swift SFG14-72T
  6. Device was bought directly from acer (or at least, through acer.com)
  7. When I first booted up, the time was about 36 hours ahead and said it was last synced in 2015 (so I had it sync via time.windows.com)
  8. [Probably irrelevant] I keep system time pacific time although I live on the east coast.
  9. Device goes to sleep after 10 minutes and needs a PIN after sleeping (6 digits, non-trivial, but I don't know if Windows uses an exponential cool-off or limits attempts...)
  10. McAfee came pre-installed (weird? because my 2017 Windows machine just had Defender...)
  11. I've only used this device with my home Wi-Fi, which I changed the password to within the past six months (I guess I should change it every three weeks but have been lazy) and which uses a nontrivial > 16 character password. I don't know if it has an exponential cool-off or limits attempts, but I get app notifications on my phone when a new device connects.
  12. After that white text popup appeared my cursor was de-selected from the Ubuntu app. The white text popup was unclickable and unscrollable. I restarted my device after it appeared. It hasn't shown up this login session.

So I guess the compromise could be due to Brave or my mouse (Corsair) or keyboard (Kinesis Freestyle 2, it's a split keyboard which I love and haven't had issues with). However, I'm curious if there's a way to check (via system files?) if there was some bug pre-installed. I restarted my device after I saw the popup (didn't continue to enter my password which I changed on a different device).

The other ask is if I should really care. None of the emails I've used on here are important; I manually log out after use and require 2FA. I don't store PII on computers and I don't access my financial information from this device. I'm using a decently powerful (by academic standards) petaflop machine and it'd suck if someone drained my allocation. However, it requires 2FA in addition to a password, requires a static IP address to be allowlisted (which is why I use the gateway VPS), and doesn't allow outgoing packets (e.g., no git, wget, etc.).

I'll admit I'm pretty bummed this thing might already be compromised; I have a 10 year old mac with no evident sign of ever having been compromised (but my browser history there is much more sus so I wouldn't be surprised if there was some silent malware).

I'm asking this here to hopefully better learn

  1. what was that pop-up??
  2. can I learn which specific action I took allowed such an infiltration? (e.g., inspection of machine code of keyboard driver?)
  3. if everything I use requires 2FA should I care if my device is possibly compromised?

P.S. apologies that my writing style is verbose...

Screenshot including strange pop-up
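Added example (not part of the question above, and not the asker's own steps): a first-pass, read-only triage script for a Windows 11 Home host like the one described, to run before deciding whether the pop-up matters. It gathers the things a responder would look at first: clock-change and failed-logon events (relevant to the wrong system time and the PIN-guessing worry), auto-start entries, non-Microsoft scheduled tasks, running processes without a valid Authenticode signature, software installed in the last 30 days, and Defender's own status and detection history. It assumes PowerShell 5.1 or later in an elevated prompt; `$Out` is a constructed report path, and with McAfee pre-installed Defender may be in passive mode, so its status section can legitimately show real-time protection off.

```powershell
# Added example: defensive triage on a Windows 11 host (not from the question).
# Assumes an elevated PowerShell 5.1+ prompt; $Out is a constructed report location.
$Out = Join-Path $env:USERPROFILE 'triage-report.txt'
$report = [System.Collections.Generic.List[string]]::new()

function Add-Section([string]$Title, $Data) {
    $report.Add(('=' * 70))
    $report.Add($Title)
    $report.Add(('=' * 70))
    $report.Add(($Data | Out-String))
}

# 1. System time changes (4616) and failed logons (4625) in the last 14 days.
#    A clock that was 36 hours off and a PIN-guessing concern both show up here.
$secEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616, 4625; StartTime = (Get-Date).AddDays(-14) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
Add-Section 'Security events: time changes (4616) and failed logons (4625), last 14 days' $secEvents

# 2. Anything configured to start automatically (Run keys, Startup folders).
$startup = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
Add-Section 'Startup commands' $startup

# 3. Enabled scheduled tasks outside the \Microsoft\ tree, with what they execute.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
Add-Section 'Non-Microsoft scheduled tasks' $tasks

# 4. Running processes whose executable lacks a valid Authenticode signature.
#    Unsigned is not proof of malware (many dev tools are unsigned), but it is the short list to review.
$unsigned = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Name = $_.Name; Path = $_.Path; Signature = $sig.Status }
    }
}
Add-Section 'Running processes without a valid Authenticode signature' $unsigned

# 5. Software installed in the last 30 days, read from the Uninstall registry keys
#    (Win32_Product is avoided because querying it triggers MSI reconfiguration).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$recent = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' -and
                   [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -gt (Get-Date).AddDays(-30) } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Add-Section 'Software installed in the last 30 days' $recent

# 6. Defender state (may be passive when a third-party AV such as McAfee is installed) and prior detections.
Add-Section 'Defender status' (Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated)
Add-Section 'Defender detections' (Get-MpThreatDetection -ErrorAction SilentlyContinue | Select-Object InitialDetectionTime, ProcessName, ThreatID)

$report | Set-Content -Path $Out -Encoding UTF8
Write-Host "Report written to $Out"
```

The script changes nothing on the machine; it only reads event logs, registry keys and process metadata and writes a text report. Read the report with the timeline in mind: the pop-up's time of appearance should line up with something in the event log, a new task, or a new install, and the unsigned-process list is where a stray helper left behind by a peripheral's software or a browser extension would normally appear.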