ProtonVPN Popup Pwd Windows & error msgs

MXRobo
Posts: 1840
Joined: Thu Nov 14, 2019 12:09 pm

ProtonVPN Popup Pwd Windows & error msgs

#1 Post by MXRobo »

++Title EDIT Original title: "Suspicious Password Window Notification(s)" and that part was solved by fehlix's post #15.
But in addition to fehlix's suggestion, I have more confirmation that it is indeed ProtonVPN's popup window and error messages, which if I rename the title, it isn't exactly solved. End Edit.

I received - at least what seemed to me - to be a suspicious password window.

++Latest EDIT - notification image links expired, but I confirmed one more notification, and received others pertaining to ProtonVPN.
See images at bottom of this post - post #1. End Latest Edit

I've attached a link to an image: https://ibb.co/KNLvBxb

It obviously read Authentication Required, yet oddly the password was already entered into the password box.
There was no GUI way (that I could find) to determine what was requesting the password.
When I viewed the password, it appeared to be a randomly generated password about 25 characters in length.

I hope that this is some common window that I'm simply not aware of, and I do NOT know what caused it to appear, but I mention what I was viewing during, and maybe of particular importance, for some time previously to this.

I was using the Brave Browser at the time, I do not log into my browsers – I haven't for some time, year(s).
IIRC, this is the page that I was viewing the first time the window appeared: https://www.mojeek.com/preferences
and https://www.mojeek.com/about/why-mojeek immediately prior to this, I was viewing other mojeek pages.

Before that I had opened many SearXNG instances.
https://searx.space/
https://searx.space/# [Example, click "Engines" up top, then "Web"]
https://uptime.searxng.org/
https://docs.searxng.org/user/

Maybe irrelevant, and again, I don't know what caused this, but I suspect that individuals with this capability likely have the abilities for nefarious actions too.

From: https://docs.searxng.org/own-instance.html
What are the consequences of using public instances?
If someone uses a public instance, they have to trust the administrator of that instance. This means that the user of the public instance does not know whether their requests are logged, aggregated and sent or sold to a third party.

Also, public instances without proper protection are more vulnerable to abusing the search service. In this case the external service in exchange returns CAPTCHAs or bans the IP of the instance. Thus, search requests return less results.
On the surface, quality assurance from: https://docs.searxng.org/ additional links in here seem OK https://dev.searxng.org/

++EDIT FYI Recently ~2 wks, I've been using a VPN, but haven't seen that window before.

Anyway, any ideas what it might be?
Should I be concerned?
Should I run Clamav or something?

FYI – Since then I've been running Chromium and Brave in firejail, but I had to disable firejail to upload an image.

Cheers!
[Four attached images]

Last edited by MXRobo on Wed May 01, 2024 12:05 am, edited 3 times in total.

Adrian
Developer
Posts: 9188
Joined: Wed Jul 12, 2006 1:42 am

Re: Suspicious Password Window

#2 Post by Adrian »

I would not put any password in a random authentication window. Usually you need to know where the window comes from, what you did that prompted the window, and the window itself should tell you what program it is for.

MXRobo
Posts: 1840
Joined: Thu Nov 14, 2019 12:09 pm

Re: Suspicious Password Window

#3 Post by MXRobo »

That's why I posted, it was very unusual, I never encountered anything like it and it didn't seem that I did anything that would invoke it, it seemed to just appear and there was no GUI way of finding what it was for.

One thing that I did not mention – realized shortly after, is that it reappeared about 4 – 5 times, within a few minutes.
From my perspective, I was browsing the web, then suddenly that window appeared. My first thoughts were, that's oddly suspicious, it certainly doesn't look like a chromium-based keyring request, and I haven't knowingly changed anything, didn't start autologin or anything.

IIRC, I logged-out, still got it, then rebooted and opened Chromium in firejail, later opening Brave in firejail.

I wouldn't touch it, except to escape – and the password was already completed.
I didn't see a browser extension symbol near it, as in image, so I'm almost certain that a password manager extension did not fill/enter the password – and I checked a few times.

I haven't encountered it today.

Thanks for the reply.

Stevo
Developer
Posts: 14828
Joined: Fri Dec 15, 2006 7:07 pm

Re: Suspicious Password Window

#4 Post by Stevo »

It didn't ask for any specific password, so I'd fill in for the bad actors that sent it, "whydontyouyeetyourselfintothesun" or something similar.
MXPI = MX Package Installer
QSI = Quick System Info from menu
The MX Test repository is mostly backports; not the same as Debian testing

MXRobo
Posts: 1840
Joined: Thu Nov 14, 2019 12:09 pm

Re: Suspicious Password Window

#5 Post by MXRobo »

I didn't want to acknowledge that it got through to display itself to me – if that's even how it may work.
And the password was already filled in, that looked even more suspicious, as though they wanted to change some password.

Good news, I learned what the word "yeet" means.
I recently installed the Mullvad Browser from the MXPI.

Also, I've been recently (~2 months) using the frontend browser extension https://libredirect.github.io/
So, I thought I might have opened up more doors with all of these instances that I must trust, between SearXNG and LibRedirect.
For example, Invidious, Libreddit and LibreMD each have about two-dozen instances.

MXRobo
Posts: 1840
Joined: Thu Nov 14, 2019 12:09 pm

Re: Suspicious Password Window

#6 Post by MXRobo »

As unfortunately expected, no one responded explaining what the window was and that it was safe, so it looks like I'll never solve this post, but for anyone interested and assuming that it was possibly malicious and possibly came from either SearXNG or LibRedirect, here's some somewhat relevant privacyguides banter regarding the risks in using SearXNG instances with a LibRedirect cameo.
https://discuss.privacyguides.net/t/remove-searxng/124

While the privacy potential of SearXNG seems almost astounding with available customization and frontends (see OP), the more channels or links in the chain that one must trust, plus maybe fingerprinting avoidance of hiding in numbers, makes me think that something as simple as Startpage, DDG, and about a dozen others may be better even if it doesn't have the potential of SearXNG (fork of SearX), SearX, LibreY https://librey.devol.it/instances.php (fork of LibreX) LibreX https://github.com/hnhx/librex/#readme, etc. Same with LibRedirect.

Maybe I should use https://wiby.me/
for a back-in-before-my-time-of-using-the-internet experience.

Cheerio!

MXRobo
Posts: 1840
Joined: Thu Nov 14, 2019 12:09 pm

Re: Suspicious Password Window

#7 Post by MXRobo »

Other windows appearing!
Can anyone identify these?

My original post was regarding this suspicious "Authentication Required" window: https://ibb.co/7jdfL33

And my initial thoughts were the Brave Browser, a newly installed VPN, or some malware possibly from a combination of SearXNG instances or LibRedirect instances. Combined I'd avail myself to approximately 50 different instances and points of entry and trust – as opposed to maybe one if I used only Startpage or DuckDuckGo or something similar.

Speculations:
Brave Browser – notice partially duplicated bookmark folders in image: https://ibb.co/3sjzrD3
ProtonVPN app – newly installed (about time they appeared, maybe some a little before this, not sure)
SearXNG or LibRedirect Instances.

One would hope that someone who designs a notification, which is a form of communication, would not have such an insular mindset as to not identify/communicate from what program the notification originated.

Other Windows:
Originally linked suspicious "Authentication Required" window – unknown source.
"Something went wrong" – unknown source. https://ibb.co/Dg3DH1C

I only show these because they appeared more recently, and about the time that the recent "Something went wrong" window appeared, but IIRC, the SWW window also appeared before the originally suspicious "Authentication Required" window.

Could not connect to VPN: Only one VPN (ProtonVPN) app installed, new app, I installed using the entire gnome- desktop command. Note, xfce4-screenshooter>Capture active window did not work correctly.

===============================
VPN app window: https://ibb.co/JFRcJLd
Not suspicious, but Access denied after receiving above window.

I'd appreciate it if anyone could identify the "Authentication Required" or the "Something went wrong" windows.

Thanks for looking.

Mauser
Posts: 1506
Joined: Mon Jun 27, 2016 7:32 pm

Re: Suspicious Password Window

#8 Post by Mauser »

That is the System Password dialog box asking you for the password for elevated privilege. For example: you will see that dialog box when you install software, update MX Linux, and so on. The issue is what is triggering it. A good place to look for what is triggering it is in the logs. Mark down the exact time and each time the System Password dialog box pops up. I personally don't know where those logs are on your computer but maybe someone here knows and can tell you where they are located.
I am command line illiterate. :confused: I copy & paste to the terminal. Liars, Wiseguys, Trolls, and those without manners will be added to my ignore list. :mad:

clampett
Posts: 137
Joined: Sun Oct 04, 2020 1:46 pm

Re: Suspicious Password Window

#9 Post by clampett »

I think the auth.log in /var/log/ would be where to look?
Edit: I think you can also see the log in the other options when you run QSI.
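
Added example, not part of any post in this thread: one way to do the correlation suggested in posts #8 and #9, matching the noted popup times against auth.log entries and listing the programs that logged something near every popup. The sample lines, their message text, the `example-app` name, the year and the 30-second window are constructed assumptions; real auth.log wording differs.

```python
import re
from datetime import datetime, timedelta

# Two timestamp styles rsyslog can write: "Apr 30 21:14:07" or ISO 8601.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse_line(line, year):
    """Return (timestamp, program, message), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m["ts"]
    # ISO stamps lose their offset; traditional ones get the caller's year.
    try:
        if raw[0].isdigit():
            ts = datetime.fromisoformat(raw).replace(tzinfo=None)
        else:
            ts = datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return ts, m["prog"], m["msg"]

def events_near(log_lines, popup_times, window_s=30, year=2024):
    """Map each noted popup time to the log entries within window_s seconds."""
    window = timedelta(seconds=window_s)
    entries = [e for e in (parse_line(l, year) for l in log_lines) if e]
    return {t: [e for e in entries if abs(e[0] - t) <= window] for t in popup_times}

def common_programs(hits):
    """Programs that logged near every popup: the first ones to look at."""
    sets = [{prog for _, prog, _ in evs} for evs in hits.values()]
    return set.intersection(*sets) if sets else set()

# Constructed sample (not from the thread); message text is invented.
SAMPLE_LOG = [
    "Apr 30 21:14:05 mx example-app[2210]: requesting authorization",
    "Apr 30 21:14:07 mx polkitd(authority=local): dialog shown for example-app",
    "Apr 30 21:17:01 mx CRON[2301]: pam_unix(cron:session): session opened",
    "Apr 30 21:19:40 mx example-app[2210]: requesting authorization",
    "2024-04-30T21:19:42.120934-04:00 mx polkitd(authority=local): dialog shown",
]
SAMPLE_POPUPS = [datetime(2024, 4, 30, 21, 14, 10), datetime(2024, 4, 30, 21, 19, 45)]

if __name__ == "__main__":
    print(sorted(common_programs(events_near(SAMPLE_LOG, SAMPLE_POPUPS))))
```

To run it against the real file, pass the lines of `/var/log/auth.log` (usually readable only by root or the `adm` group) and the times you wrote down in place of the samples.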

Stevo
Developer
Posts: 14828
Joined: Fri Dec 15, 2006 7:07 pm

Re: Suspicious Password Window

#10 Post by Stevo »

I know KDE's Discover can apply updates to user installed SDM themes installed in the system settings, and they can pop up a password dialog box even after I close Discover if there's a lot of other installs going on ahead of that system-level SDM theme update...That's the only similar thing I have seen that's legit.