Malicious AUR packages

Aaaand I gave npm the boot. Turns out I don’t really need it.

To be very clear, even reading pkgbuilds will not protect you if there has been a concerted effort to conceal the package within a sub component or post build event. If you use the AUR, you do so at your own risk.

I never really used AUR much but I’m starting highly consider building the rest of the stuff I have from source :joy:

This is a contradicting statement. The AUR is “at your own risk” for the attack surface of the AUR provided install scripts. After that it’s a full stop.

HOLY SH*T Batman, that’s a huge list of infected(?) packages. Since most are deps I have no idea how to tell if I’m infected.

edit: yay -Ss | grep npm ?

And here I was proud for getting rid of flatpak thought I’d grab what I needed from the AUR. it’s only about 4 applications but still. this is nerve wrecking.

As a reminder,

pacman -Qm

will give you a list of what you have installed from the AUR. Add a q to supress version numbers.

How is this not the top news article on the main Arch site???

Because it’s not “The Arch Way”.

Because it’s always users fault, as were/are DDoS attacks.

And yes I know usage of AUR is at users own risk, but Arch’s team has some need for training on publicity. This rant of mine is simply frustration considering their utter lack of communication and victim blaming.

It seems Arch security notifications stopped around mid last year.

The recent vulnerabilities would have been appropriate candidates for entries here. It’s something of a mystery as to why they weren’t mentioned. Perhaps the person/s who had been looking after that section, are no longer able to.

Chaotic AUR affected as well…

They must be completely overwhelmed with all of the attacks; seems like it’s been non-stop for a couple of years now. I wonder if everyone involved with Arch is a true volunteer, because they could really use a paid publicist to handle these types of crises.

While I agree that they could use some training, I don’t think it would be enough.

Are we genuinely nit-picking at this level now, seriously?

Thankfully the Chaotic AUR managed to catch them in time, but the warning about other packages from the AUR not in the Chaotic AUR applies:

True, but in these cases the addition of npm is visible and an enormous red flag :red_square:

Assumed “Guilty Until Proven Innocent” when it comes to AUR.

That is, make sure the PKGBUILD is “Innocent”. Make sure the code you are building from is “Innocent”.

Now, it will come along someone to remind that, well, that is true about all software. Even those in the official repos where the code is not audited.

I know. That only makes the “innocent assumption” that some may have to be safe an secure running a system running on open source software totally irrational.

In much simpler wording, we may all be toasted at one point in time or another and perhaps without even knowing it.

Yeah, you should always check the pkgnbuild even if updating.

Is is such a fine statement. On days like this it feels attaching qualifiers to the million things that it doesn’t do and can’t be controlled by the user isn’t sending the right message.

Any info about how did this happen? So many packages with different maintainers and the commits seem to be under the long time maintainer’s name. Most of these packages are not even new.

Not Arch way, NOT OUR FAULT YOU STOPID n00b!!?!1! But still they share huge link to AUR :rofl:

This report says that it is orphan packages that have been hijacked:

But it’s all a bit hazy right now :confused: It would be great if after the fire is out, the Arch Linux maintainers do a full debrief on what happened and what steps they have taken to prevent/impede it happening again. But communication isn’t one of their strengths…