Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages - AOS for Lemmy.World - A generic Lemmy server for everyone to use.

202

Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages

5d 11h ago by europe.pub/u/cm0002 in linux@sh.itjust.works from linuxiac.com

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (...)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

i long have been a fan of the aur and arch, but things like this make me consider debian again.

On Debian the equivalent to using the AUR would be adding 3rd party apt repositories or manually installing a .deb that you downloaded from some random site on the internet. That is just as vulnerable to the same kind of attack. If you stick to the official repos on Arch, you are just as safe as if you stick to the official repos on Debian.

One could even argue that arch is more secure by providing a central platform like aur, as that's what allows them to look for malicious packages now.