Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

  • @vapeloki@lemmy.world
    link
    fedilink
    -721 days ago

    Maybe, just maybe, and nearly unmoderated repository where everybody can create packages, is not so secure after all? /s

    And AUR is the reason I keep arch miles away from any of my systems.

    • Strit
      link
      fedilink
      2321 days ago

      You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.

      And no one has ever claimed the AUR to be safe.

      • ghost_laptop
        link
        fedilink
        321 days ago

        yeah, it’s essentially, you want software that’s no the official repo go there.

    • Hemingways_Shotgun
      link
      fedilink
      English
      1021 days ago

      Nobody ever says the AUR is safe. In fact they say specifically that it’s not; for exactly the reasons you mention.

      That’s why it’s the Arch USER Repository. You take your fate in your own hands when you choose to use it.

      As for your comment about using a distro that has everything in the main repo? How so? Every flavour has software that isn’t included in the main repos. For Arch based systems, that means either the AUR or Flatpaks. For Debian based systems, that means adding new repos to your sources, which is exactly as unsafe as the AUR in most cases, or using Flatpaks.

      If you’ve ever added a repo on Ubuntu, than you’ve essentially used their version of an AUR. The end result is no different.

        • aichan
          link
          fedilink
          English
          320 days ago

          Ew, crypto-pilled adware Brendan Eich browser mentioned 🤮

            • @naught@sh.itjust.works
              cake
              link
              fedilink
              621 days ago

              There is an install script for linux front and center on the page (classic curl into sh). For other distros, they’re having you add their own repository and install from that. Just as sketchy.

              It’s unwise to trust Brave, anyway.

              • SayCyberOnceMore
                link
                fedilink
                English
                321 days ago

                curl | sh is the worst security front door I’ve seen

                At least check the script first so it’s understood

                  • SayCyberOnceMore
                    link
                    fedilink
                    English
                    221 days ago

                    Well, with the script at least you can follow the actions first, so it’s better…just don’t run it blindly because 2 minutes ago the attacker just put an additonal line of code in…

                    The executable / installer is more of a Windows thing and we’ve seen how that arms race is going… even Microsoft are trying to create a Linux-style repo called Windows Store.

              • @vapeloki@lemmy.world
                link
                fedilink
                321 days ago

                That was an example. And as someone who works in sec, I know the benefits of a package manager.

                “I only need to trust brave”.

                I don’t get it, static linking, curl to bash pipes and userepace install and everybody thinks that is fine. But as someone who needs to write a security concept for Linux in the office so I can finally use it at work, no that is not ok. That is shit.

                Rust on desktop is also a nightmare for example.

                No I do not hate arch, I hate concepts and mindsets creeping into the Linux world

          • @vapeloki@lemmy.world
            link
            fedilink
            119 days ago

            Security Research, software developer, strange hardware configurations.

            And of course Software I need is not including their deps