Malware RAT, Github AUR question?

There has been some discussion going on in this topic that might be of interest to you.

1 Like

It was a pretty ‘honest’ form of malware I guess… clearly advertised and made pretty obvious. Posting about it on reddit was also an interesting move :rofl:

1 Like

Don’t forget to read the .install file as well if it’s listed in the PKGBUILD. It’s just a bash script which is triggered by install/update events and run as root, so malicious code could easily be hidden there. I’ve never found any, but I always look.

I’ve settled on Yay, Pacseek, and Octopi (in that order). I’ve also just read about Bauh, which looks interesting.
The blessing/curse of the AUR is that anyone can submit packages for distribution.

1 Like

yay -Syu pamac-aur (Is this good?)
Also how can one update without having to confirm -Y
Thanks :folded_hands:

You should not do this on an Arch-based distro.

You will sometimes receive prompts during an update that are important. You should always read them carefully.

4 Likes

The standard advice would be no, because it gives you pamac.
Pamac has known problems with parsing upgrades - sometimes forcing the replacement of repository packages with AUR variants, as well as other issues.
Pamac is not a frontend for the standard package manager pacman.

When I last looked at bauh a few months ago it had hard-coded buttons for manjaro-specific tools (pacman-mirrors) and a number of the initiation buttons also forced partial-upgrades and/or forced refresh unnecessarily. So I would avoid it as well.

It’s still up to any given user what to use. But both tools have known problems.

Still the only GUI that seems reasonable is octopi - a frontend for pacman and optionally supported aur-helpers like trizen and yay.

3 Likes

How was the Chaos Remote Access Trojan (RAT) discovered in those packages?

And will this be part of the news that is displayed with yay and/or pacman?

I’m still learning myself, but yay is an ‘alias’ as well as a command. Typing yay has the same effect as typing yay -Syu
I agree with cscs, you should avoid pamac since it was designed for Manjaro users and has had problems with EOS in the past. Octopi is a great GUI frontend for pacman, and I haven’t had any problems using it on EOS.
Honestly, you can’t go wrong using the preloaded commands in the Welcome-app.

2 Likes

When I started with GUI, I appreciated a graphic display which offered all possibilities… with the pamac GUI it seemed brilliant: search ‘plex’ and you can see any flatpaks, AUR entries alongside official repos.

However, it had serious issues actually parsing results - in short, it is crap for that - and that’s the ONLY good reason I can think of for not using a browser to search for software - especially when it’s already far superior for browsing software.

New discovery google-chrome-stable

https://www.reddit.com/r/archlinux/comments/1me632m/is_this_another_aur_infect_package/

Wow that’s no good

But then again, what Linux user wants to install Chrome, huh??

:grin:

1 Like

And this was one of the consequences we hoped would not manifest from all the low-effort news cyclers copying each other and blasting the last story into the atmosphere. :face_exhaling:

At least it appears some folks have realized it’s a good time to be extra vigilant and taken it upon themselves to scrutinize the new ones coming in.

^^ silver lining indeed.

How can one check and confirm if Chaos Remote Access Trojan (RAT) has infected a linux machine? And how to disinfect the machine.

Some articles are saying to look for entries in /etc/crontab, but EOS does not use it. Is there any info that can be used?

Also, apart from being careful about what is downloaded from the AUR, what are the other mechanisms that can be used to prevent this infection?

Someone mentioned to try:

“pacman -Q | more”… and view the list.

Also someone said to run “top”; if systemd is on top then something isn’t right, but I’m not sure, as systemd is always part of the main processes like xwayland etc.

If we are just trying to view the entirety of the installed packages then probably add an extra q:

pacman -Qq

But we could search..

pacman -Qqs google-chrome-stable

We could similarly check history, which would not rely on it currently being installed ..

grep 'google-chrome-stable' /var/log/pacman.log

As to investigating or remedying fallout from possible infection… I would need to know what it actually had/did. I don’t have that information.
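The two checks above (is the package installed now, and what does pacman.log say about it) plus the earlier advice to read the .install hook can be scripted. The following is an added example, not code from this thread or from yay/pacman: a small POSIX shell script that scans a cloned AUR package directory for lines worth reading first and greps the package history. The red-flag patterns, the sample PKGBUILD and the sample log lines are this example's own assumptions; a clean scan only means nothing obvious was found, it does not replace reading the files.

```shell
#!/bin/sh
# Added example (not code from the forum thread or any AUR helper).
#   aur_audit_dir <pkgdir>                 scan PKGBUILD and its install= hook
#   pkg_history   <pkgname> [pacman.log]   list ALPM install/upgrade/remove events
#   pkg_installed <pkgname>                exact-name query via pacman -Qq
# The patterns below are assumptions of this example: they catch the usual
# tricks (pipe-to-shell, encoded payloads, eval, persistence, setuid/exec bits,
# plaintext-http or raw-IP sources) but cannot prove a package is clean.

# Print suspicious lines as file:line:text.
# Return 0 = nothing flagged, 1 = something flagged, 2 = no PKGBUILD found.
aur_audit_dir() {
  local dir pkgbuild rc pkgname hook pat
  dir=$1; pkgbuild=$1/PKGBUILD; rc=0
  [ -f "$pkgbuild" ] || { echo "no PKGBUILD in $dir" >&2; return 2; }
  set -- "$pkgbuild"
  # The install= hook runs as root on install/upgrade/remove, so audit it too.
  # Only the common $pkgname / ${pkgname} forms are expanded (assumption).
  pkgname=$(sed -n 's/^pkgname=//p' "$pkgbuild" | tr -d "\"'" | head -n 1)
  hook=$(sed -n 's/^install=//p' "$pkgbuild" | tr -d "\"'" | head -n 1 \
         | sed "s/\\\${pkgname}/$pkgname/; s/\\\$pkgname/$pkgname/")
  if [ -n "$hook" ]; then
    if [ -f "$dir/$hook" ]; then set -- "$@" "$dir/$hook"
    else echo "warning: install hook $hook listed but not present" >&2; rc=1; fi
  fi
  pat='(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh'
  pat="$pat|base64[[:space:]]+(-d|--decode)|(^|[^a-zA-Z_])eval[[:space:]]"
  pat="$pat|/etc/cron|crontab|systemctl[[:space:]]+enable"
  pat="$pat|chmod[[:space:]]+[ugoa]*[+][sx]|chmod[[:space:]]+[4-7][0-7]{3}"
  pat="$pat|\\\\x[0-9a-f]{2}\\\\x[0-9a-f]{2}"   # hex-packed strings
  pat="$pat|http://|https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
  if grep -nHE "$pat" "$@"; then rc=1; fi
  return $rc
}

# List ALPM events for an exact package name; lines in pacman.log look like
#   [2025-08-01T10:00:01+0000] [ALPM] installed foo (1.0-1)
# Return 0 if any event is found, 1 if none, 2 if the log is unreadable.
pkg_history() {
  local name log esc
  name=$1; log=${2:-/var/log/pacman.log}
  [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
  esc=$(printf '%s' "$name" | sed 's/[.+]/\\&/g')   # '.' and '+' are legal in names
  grep -E "\[ALPM\] (installed|upgraded|removed|reinstalled) $esc \(" "$log"
}

# Return 0 if pacman reports the exact package installed, 1 if not, 2 if no pacman.
pkg_installed() {
  command -v pacman >/dev/null 2>&1 || return 2
  pacman -Qq "$1" >/dev/null 2>&1
}

# Usage: sh aur_check.sh <pkgdir> [pkgname [pacman.log]]; no arguments does nothing.
if [ $# -gt 0 ]; then
  if aur_audit_dir "$1"; then echo "no red flags in $1 (still read it)"; fi
  if [ -n "$2" ]; then
    if pkg_installed "$2"; then echo "$2 is currently installed"; fi
    pkg_history "$2" "$3" || echo "no ALPM events for $2"
  fi
fi
```

To audit a package before building it, clone its AUR repository (`git clone https://aur.archlinux.org/<pkgname>.git`) and point `aur_audit_dir` at the clone; the flagged lines are where to start reading, and a missing or `$pkgname`-style hook name is reported rather than silently skipped.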

All of these tips are fine. But it still does not resolve the problem of malicious packages and malware being uploaded into the AUR. Being wary of newly uploaded packages or packages updated by new users also does not solve the problem. Bad actors will go after inactive accounts or packages to infect the AUR.

There needs to be an alternative to this.

1 Like

It has always been like this; you’re supposed to be aware of what you’re doing with AUR packages. If not, don’t use them; there’s no point in complaining.

Arch is not a distro for newbies, but it’s not that difficult to check the source in a PKGBUILD, if you’re unable to do it, stick to the official repos.

1 Like

There are a few.
The easiest: don’t install packages from the AUR.

Going to install anyway? Read up on what you are installing. Make sure it’s the package you actually want. Don’t know? ASK. Why is it everyone wants freedom but no one wants the responsibility of such?

YOU are responsible for what gets put on YOUR system. If you don’t know what you’re doing, educate yourself.

2 Likes