If you were following Kodi in 2017, it would be no surprise to you that it was a roller-coaster of a year for Kodi users and Kodi developers.

Kodi’s Game of Whack-a-Mole in 2017

It all started when TVAddons was hit with two huge lawsuits and a Canadian law firm seized all of their assets, including their website and repository domains.  Since just about everyone was using their Fusion repository for all their add-ons, everyone’s Kodi boxes started having issues, stopped working, or were unable to install anything new due to the “Failed to Install Dependency” error.

From that point on, Kodi add-on developers were quitting in droves, fearing they might be next on some lawyer’s list.  Add-ons and repositories were popping up and then shutting down at a rapid pace.  Exodus was replaced with Covenant, Colossus Repo’s GitHub account was deleted, alternative repos started showing up, the Smash Repo was up and down a couple of times, and a plethora of Covenant forks sprang up overnight (including Neptune Rising, Incursion, Placenta, Gurzil, Fantastic, and probably a bunch of others).

Yes, in 2017, the Kodi game of “whack-a-mole” was in full swing.

The Kodi Repo Aftermath in 2018 and Beyond

For those of you that were “playing the game”, your repositories list in Kodi is probably a graveyard.

Many of the repositories that you have installed became abandoned, and in many cases, the domain expired.

When a domain expires, anyone can snatch it up, which poses a huge security risk!

Major Security and Privacy Risks with Abandoned Kodi Repos

Think about it for a second.  If you have a repository installed on your Kodi box, and that developer quit and let their domain expire, anybody can buy that domain and put something on it that will essentially give them access to, and control of, your Kodi box.

We’ve seen this before, when the Blamo repo automatically pushed its Wraith and Chappa’ai add-ons.  A repository owner can easily mark that they have a newer version of a popular add-on and give that add-on whatever dependencies they want, and in doing so can push all kinds of software to your Kodi box without you even knowing!

Here are a couple of likely scenarios to consider…

Hackers Install Malware on Your Kodi Box

The first thing that would come to mind considering this ability for anyone to install software on your Kodi box is a hacker.  Yes, a malicious hacker could easily buy one of these expired domains and start deploying their malware to your box.

This malware could be used to:

  • Hijack your machine
  • Steal your personal information
  • Use your machine in DDoS attacks
  • Lock your machine for ransom
  • Infect other computers on your network

Honeypot Sting Reports You to Copyright Holders or Law Firms

This one may not be so obvious at first, but it’s alarmingly plausible when you think about it.

I’m always hearing in the news about huge TV/movie studios and media conglomerates banding together to go after piracy / copyright infringement cases.  They are very motivated, and they’re cracking down on piracy more and more.

Someone could simply buy one of those expired domains, inject a tracker on a popular plugin, and release it as a new version available for automatic update.

They would let it run for a while, collecting everyone’s IP addresses and streaming history… all while being completely undetected.

When they’ve collected enough data, they would sell it to copyright holders or law firms who would start going after people… even if just to make an example out of some.

How to Protect Yourself

So what’s stopping someone from taking advantage of this situation?  Nothing.

But, at least you can protect yourself.  Here’s how…

#1 – Uninstall These Abandoned Kodi Repositories Immediately

The below repositories are abandoned.  While some of them might still work, it may only be a matter of time before the developer lets the domain expire (at which time it might be too late).  Uninstall these repositories from any of your Kodi installations to hopefully avoid the above security and privacy risks.

  • Alpha Repository
  • Ares Wizard (Ares claims to still be very active)
  • Colossus Repository
  • DandyMedia Repo
  • Looking Glass
  • Mucky Duck Repo
  • Noobs And Nerds
  • Origin Repository
  • Pulse Build / Wizard
  • Smash Repository
  • Soulless Repository
  • SpinzTV
  • UK Turk’s Playlists Repo

To uninstall repositories in Kodi, go to the add-on browser > My add-ons > Add-on repository, select one of them, and then select “Uninstall”.

If it won’t let you uninstall a repository because you still have an add-on installed that depends on it, you will need to uninstall that add-on first.
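To see which domains each installed repository actually fetches its add-on index and zips from before deciding what to uninstall, you can read them out of each repository's addon.xml. The script below is an added example, not part of the original article; the sample addon.xml is constructed and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of a repository add-on's addon.xml (not a real repository).
SAMPLE_ADDON_XML = """<addon id="repository.example" name="Example Repo" version="1.0.0">
  <extension point="xbmc.addon.repository" name="Example Repo">
    <dir>
      <info compressed="false">http://repo.example.invalid/addons.xml</info>
      <checksum>http://repo.example.invalid/addons.xml.md5</checksum>
      <datadir zip="true">https://cdn.example.invalid/zips/</datadir>
    </dir>
  </extension>
</addon>"""

def audit_repo(xml_data):
    """Return the hosts a repository add-on fetches from, or None for other add-ons."""
    root = ET.fromstring(xml_data)  # accepts str or bytes
    exts = [e for e in root.iter("extension") if e.get("point") == "xbmc.addon.repository"]
    if not exts:
        return None
    report = {"id": root.get("id"), "name": root.get("name"),
              "hosts": set(), "plain_http": []}
    for ext in exts:
        # <info>, <checksum> and <datadir> may sit under <dir> or directly under <extension>.
        for tag in ("info", "checksum", "datadir"):
            for el in ext.iter(tag):
                url = (el.text or "").strip()
                parsed = urlparse(url)
                if parsed.hostname:
                    report["hosts"].add(parsed.hostname)
                if parsed.scheme == "http":  # index or zips fetched without transport integrity
                    report["plain_http"].append(url)
    return report

def audit_addons_dir(addons_dir):
    """Audit every <addons_dir>/*/addon.xml; parse failures are reported, not hidden."""
    results = []
    for path in sorted(Path(addons_dir).glob("*/addon.xml")):
        try:
            report = audit_repo(path.read_bytes())
        except ET.ParseError as exc:
            report = {"id": path.parent.name, "error": str(exc)}
        if report:
            results.append(report)
    return results

if __name__ == "__main__":
    print(audit_repo(SAMPLE_ADDON_XML))
```

Point audit_addons_dir at Kodi's addons folder (typically ~/.kodi/addons on Linux). Any host you do not recognise, or whose domain registration has lapsed or changed hands, is a reason to uninstall that repository.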

#2 – Make Sure You’re Using a VPN

While the above list is helpful now, it may not be a complete list, and there’s no telling how many more repositories will be abandoned in the future.

But, if you’re using a Kodi VPN, you greatly reduce your risk of privacy invasion.  For instance, in the scenario with the honeypot sting, they might only be capturing your IP address, which would be masked by your VPN.

To learn more, read my 4 Crucial Reasons Why Kodi Streamers Need a Kodi VPN.