
Arch Linux's AUR Sees More Than 400 Packages Compromised With Malware

5d 1h ago by lemmy.dbzer0.com/u/Virual in linux@lemmy.ml from www.phoronix.com

As a user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff, and only if you trust the maintainer. And to at least have a look at whether something suspicious is going on with the recent changes in the package recipe. AND to read the communities and news.

I don't understand why there is still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/. Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.

The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn't notify people through official channels, only to find it later on /r/archlinux 🙄🙄🙄

since the 2022 grub incident, Arch has done a great job at notifying the news channel when "manual intervention required" AFAIK, and I don't remember any instances of Arch maintainers only notifying Reddit (and I don't think they notified Reddit for the grub incident either lol).

It's been 4 years already? WTF?

What are you using now?

After the end of Win10 I moved to Arch but I think my weekend will be filled with moving again. ^^

On my desktop, CachyOS 💀

It was years ago when Arch pissed me off, but I couldn't resist Arch-based distros forever. So far, I haven't been burned.

On my laptop, Asahi Linux, which is basically Fedora ARM with a custom kernel. I'd recommend Fedora to most general users.

They made an announcement though

The Arch news channel is for breaking changes to Arch packages (so not the AUR) only. Maybe you could subscribe to aur-general@lists.archlinux.org.

They are actually putting a message on the regular news feed about the AUR! https://archlinux.org/news/active-aur-malicious-packages-incident/ As it should be. It just took a bit too long in my opinion, as discussions have been going on since yesterday.

I was hoping to subscribe with RSS. Not sure how to subscribe there.

It's a mailing list, so heads up: if you subscribe you're also gonna get other discussion, like the forums.

https://lists.archlinux.org/mailman3/lists/aur-general.lists.archlinux.org/

More Than 400

1579

I don't use Arch BTW.

Useful list for those who do use Arch; I've only got like two things from AUR and neither is on that list (although I kinda recognize a couple with slightly different names, like what, knock off plugins for official stuff?)

Ahh clearly Arch users didn't RTFM before installing shit. Skill issue.

PS: The above is an invitation to self-care, not an insult.

I must say, Read The Fucking Manual is a bit more clear than Read The Friendly Manual.

I disagree with the post you put here on a single thing: the manual is sometimes bad, by either not describing everything, or being unclear.

Is that worse than not reading it at all? Often it leads to something more useful.

You know what? You're right

Best not to read any then, if it might be bad.

I've seriously gone through manuals in languages foreign to me and still learnt something from it.

My partner doesn't and will only use the basic features of tech. I read the manual, and I'm suddenly a wizard because I got two Bluetooth speakers to pair with each other and get stereo from them.

Reading the manual clearly won't help with the issue here. This is clearly not an appropriate use of RTFM terminology, because it does not apply. The problem here is not that the user needs to read before asking for help. The problem here is understanding that the changes made in the script are malicious. And reading the manual won't help with that.

AUR

The AUR is basically just a shortcut for downloading random shit off GitHub.

It gives inexperienced users a false sense of security.

The AUR is basically just a shortcut for downloading random shit off GitHub.

It gives inexperienced users a false sense of security.

As is "pip install" by the way.

The false sense of security is actually caused by people saying the AUR is the easiest way to safely get all your packages, when in reality the AUR itself tells you to always review PKGBUILDs and to not blindly trust AUR packages.

At this point, the count stands at 1500+ https://www.phoronix.com/news/Arch-Linux-AUR-More-Than-1500

Wow that’s bad 🫢

There were announcements and security pings in the Arch Linux community Discord... But I wish they'd be more vocal on this outside Discord, especially given Discord's controversy as of late.

Update: they finally posted about it in the Arch news feed last night... A bit late, but better than never. Npm removed the malicious package, but then the bad actors started using bun instead...

As others have proposed, I really think that orphaned packages should require a moderator of the AUR to approve the commit and acquisition of an orphaned package. Currently nothing stops someone from spinning up accounts and hijacking these abandoned projects.

There's an official Arch Linux D*scord?

No, it's unofficial, but it's, I believe, the biggest/primary Arch Linux community Discord.

In their roles channel you can pick one to get security pings. Major ones are typically also everyone-pinged, but some have those disabled.

You'll pry #archlinux from my cold dead hands

Maybe maintenance of packages shouldn't just be handed over to newly created accounts. This is a design flaw on AUR's part. As Linux popularity rises, these types of attacks will just keep growing. There should also be some sort of system where it is easy to verify that the maintainer of the package is also the actual developer. Like brave-bin has Brave as the maintainer, who are also the creator. Just give a green check mark to them or something.

"No way to prevent this" says only repository where this regularly happens

I am gonna get a lot of hate for this but the AUR flaws are hidden behind a legal warning of “At your own risk”. They just don’t want to take the legal consequences for this. That’s why there are basically 0 preventive measures for detecting bad actors and preventing malicious attacks.

I can think of some solutions:

  1. If a package is orphaned then let a potential maintainer just fork it and flag the original for deletion. So the user who has actually installed the old package and wants an update will manually go out looking for the updated one instead of just doing a yay -Syu one day and getting malware on the system.
  2. If the developer and maintainer are the same for an AUR package, let them maybe add an ArchWiki style captcha, whose output can be added to the upstream repo like in a .aurverification file, which can be detected by AUR when putting in the upstream repo URL, and the maintainer must verify with that captcha every 6 months or so just to prove active development. If they fail to do so, mark the package as abandoned or unverified.
  3. Newly created accounts will have a cooldown of a week to add a new package to the AUR (I don’t know if this exists already as I haven’t looked into it). And they can only create one repo a month until a year has passed. They can take over or fork orphaned packages only after a year and if they are maintaining at least one repo of their own.

Or maybe don't use AUR blindly? You're doing the equivalent of sudo curl --- | bash. Who knows what the script is doing. So only do it if you truly trust it. That's why we have warnings plastered all over. That's also why a warning label and sticker exists. And this is precisely the reason easy, no-user-input AUR helpers are greatly discouraged.

That’s why we have warnings plastered all over.

Plastering warning labels everywhere is a cheap way to shift 100% of the accountability onto the user. Security should be built into the AUR's design (throttling new accounts, forcing forks for orphaned takeovers or maintainer-developer verification), not outsourcing your job to the users as a reading assignment before every system update. Humans are the final layer of defense, not the first.

Or maybe don’t use AUR blindly? You’re doing the equivalent of sudo curl --- | bash... So only do it if you truly trust it.

There is a massive difference between blindly curling a random script from the open web and using a centralized, organized community repository. Yes, AUR helpers are not recommended, but they exist and are used by the majority of Arch users, and you can't expect the user to know code and pkgbuilds, especially when distros like CachyOS make it so damn easy to install the OS with AUR being just a checkbox away.

You said it yourself that it is a community repository. No difference between that and an internet forum. You are putting the burden of accountability on the maintainer that way. Which, I would remind you, is unpaid, unlike, say, GitHub and npm, which HAVE the financial means to do a lot of security implementation. Yet those platforms still fail to do it.

Also, humans ARE the first layer of defense. Because anything you do on your device (on linux anyway, and specifically arch) is YOUR decision. Antivirus and everything else should kick in when the human fails.

You are normalizing people downloading things off the unvetted internet like on Windows. Linux has a vetted repo already. THOSE are what people should be using and I'm fine with it if those are being blamed. Everything else is USER due diligence. That is why the existence of easily installing malware like LimeWire does not justify blaming the platform. Or do you also blame torrenting sites when they are chock full of malware?

Fine, I agree with all of what you say. But still, the AUR is the only repo where this happens the majority of the time. So what to do next? I am sure the solutions I mentioned in a comment below are not that difficult to implement.

Sure, your proposed solution is a good way to weed out the low hanging fruit. But I don't like that it may create friction for normal users. AUR was never meant to be a FOSS project on its own with a full time maintainer that maintains PKGBUILD and the infra.

Like I said before, it is more akin to an internet forum and pastebin more than a full fledged package repository. And to be fair, it isn't a package repo anyway. It's like a cmake / makefile sharing site. Building and packaging for arch is just that easy compared to say, debian.

If people want to use a repo, there is chaotic aur. Maybe that could be the way too. A dedicated community project to vet the AUR. Or the project maintainer itself could provide a pkgbuild directly on their repo.

Just don't ever blame the maintainer for providing a place to store something for free and open to anyone. Especially if it is your choice to get something from said place and be surprised that it is malware.

Maybe maintenance of packages shouldn’t just be handed over to newly created accounts. This is a design flaw on AUR’s part.

That is the whole purpose of AUR, users can create and share packages with minimum fuss. That does not mean that it is a good idea to run the code of some random guy on your computer.

But open source has always worked like that, by code sharing and collaboration - on tapes, on FTP servers, on Sourceforge or github and today on codeberg. The way the Arch User Repository (this is AUR spelled out) makes this easy is great!

Just don't run random code that you don't understand, and cannot reasonably trust.

Just don’t run random code that you don’t understand

I don't understand any code, so does that mean I shouldn't use any software? That is 99% of the world.

whole purpose of AUR, users can create and share packages with minimum fuss

This doesn't take responsibility away from the Arch team. I can manually review pkgbuilds all day trying to understand, no problem, but expecting the user to do it every update is stupid. At some point the user will just start to trust that package maintainer. I already mentioned a few steps that the Arch team can take in a comment below.

This doesn’t take responsibility away from the Arch team.

The Arch team is not responsible for this code.

And to add, demanding more work from volunteers who already do a lot of work for free is rude. If you want something done - do it yourself.

I am not talking about the code. I am talking there are basically zero security measures.

Edit:

Demanding more work from volunteers who already do a lot of work for free is rude. If you want something done - do it yourself

Then don't make the platforms in the first place. This is such a stupid argument. It's like someone creating a nuke but then ignoring the security measures and telling the rest of the people to take care of it. Genius. Should stop asking people to switch over to Linux as well then. I might as well just start bad-mouthing and defaming Linux because users are left on their own by a hostile community.

I don’t understand any code, so does that mean I shouldn’t use any software? That is 99% of the world.

Not from AUR.

Without the AUR Arch becomes a third world country distro because the official repos have only the basics.

Without the AUR Arch becomes a third world country distro because the official repos have only the basics.

Arch has 17,000 packages and is one of the largest distros. If you want more, you can use Debian, or perhaps Ubuntu if you really need non-free drivers and codecs (or maybe NixOS, which has a fuckton of packages, but you won't get the same quality).

And what do you need so many packages for?

And what do you need so many packages for?

Zen Browser, Elecwhat (Whatsapp -- which is recommended in the Arch Wiki), Razer peripheral drivers, Heroic Games Launcher.

Whelp... I've REALLY loved EndeavourOS for my laptop, especially because I felt I could mess around with stuff, but maybe this is my call to use something like Fedora or an openSUSE variant (I love Tumbleweed dearly).

Nothing against the incredible Arch, but I'm deffos that user who does

> yay 
> "Build files exist. Do clean build? N"  
> "View changes? N".

ENTER.

I want to learn, but also I'm a bit of a danger to myself if this malware threat is this broad.

Opensuse is great, been daily driving it for 1.5 years with no issues (issues were solved by booting an old snapshot and rolling back, updating again 2d later)

OpenSuSE also comes in two flavours, Leap (a stable release) and Tumbleweed (which is rolling release and slightly less bleeding edge than Arch).

You can even run Opensuse stable, and in a VM on top Tumbleweed to have a system where you can safely try out new stuff.

There's also Slowroll which is Tumbleweed but like 1 week behind in updates for a stable experience, and there's some immutable flavour that I forgot the name of.

I'm using Tumbleweed, the one issue of rolling release (things occasionally breaking) is not an issue since OpenSuse natively supports snapshots (and automatically makes a snapshot before and after every update).

Something breaks? Reboot -> Boot from read-only snapshot -> selecting the one from before the update -> in terminal: snapper rollback -> done. Update again 2d later.

I’m using Tumbleweed, the one issue of rolling release (things occasionally breaking) [...]

My 5 cents is that the risk of breaking is overblown in many cases. Of course, you don't want important servers to break. But I have been running Debian for 15 years and in fact, for me it broke more often than Arch, for example because of GNOME issues or NVidia issues. And well, that's a biased sample because I use Debian for a larger proportion of time. I think for desktop users, it matters more to have a backup system.

Yes, the only thing that ever breaks for me are my nvidia drivers (specifically if there aren't new drivers for a new kernel yet). Sometimes I don't roll back and just keep it, but often I'm using local AI for uni stuff so I roll back to fix them.

I solved that one by buying an AMD radeon card. Zero fuss since then.

Have you heard about the recent fuckups of fedora? fedora is a shitshow.

If you just yolo with yay anyway, you will get compromised on any system you use, no matter the OS or distro, my dude.

Have you heard about the recent fuckups of fedora? fedora is a shitshow.

Oh really? I guess I haven't. 😬

Yeah, it was late here so I think I was poorly mushing two separate thoughts together there. I meant I was thinking of moving to a distro that isn't as bleeding-edge for the laptop I'm not updating every single day... But also I should find something that still has a nice large software variety so I stay off AUR.

OpenSUSE has the "Open Build System" which I've used for like one package. So that's pretty neat.

This is really tough because I have two gamers in the family using Nvidia cards I want to help move off of Windows, but I don't want them running into having to roll back as often as I have or fiddle too much, but I feel like Mint is a little too far behind.

So I was considering the KDE spin of Fedora for them...But yeah, the answer isn't so easy anymore lol.

Could you elaborate wrt Fedora being a shitshow? It's my daily driver and I haven't experienced any kind of instability and (to my knowledge) I have not been compromised.

How do I check if a system has been affected most easily? As far as I have seen it's related to the npm package atomic-lockfile, so would that be enough?

npm ls atomic-lockfile

I learned 10 years ago not to use aur helpers because they hide the sources. Aurutils + vifm baby!

Maybe someone here can advise. I ran two of the available "checking" scripts to see if I have any packages installed. Both came up with 1 package I have installed. It is gtkimageview, which is on the list.

However, if I look through the pacman.log I see it was installed on 2024-10 and last upgraded 2025-01. It seems to me that suggests I installed it before this all started, so I'm probably not infected?
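A minimal version of the kind of "checking" script mentioned above, written as an added example for this thread (not one of the scripts the commenter ran): it matches the foreign (AUR) packages on a system against a list of compromised package names and pulls the most recent install/upgrade timestamp for each match out of pacman.log, so the date can be compared against the incident window. The package names and log lines below are constructed sample data; on a real system the inputs would be the output of `pacman -Qm` and /var/log/pacman.log. An upgrade line dated inside the window matters as much as the original install date, because a clean install can be replaced by a later malicious update.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs assumed:
#   INSTALLED   - "name version" lines as printed by `pacman -Qm` (foreign packages)
#   COMPROMISED - one package name per line (the published list of affected packages)
#   LOGFILE     - pacman.log in the standard "[ISO-timestamp] [ALPM] <action> <pkg> (...)" format

# find_affected INSTALLED COMPROMISED
# Prints names of installed foreign packages that appear in the compromised list.
find_affected() {
    # Read the compromised list first (ARGV[1]), then filter the installed list.
    awk 'FILENAME == ARGV[1] { bad[$1] = 1; next } ($1 in bad) { print $1 }' "$2" "$1"
}

# last_change PKGNAME LOGFILE
# Prints "<timestamp> <action>" for the latest install/upgrade event of PKGNAME.
last_change() {
    awk -v pkg="$1" '
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") && $4 == pkg {
            # $1 is "[2025-01-12T09:01:33+0000]"; strip the surrounding brackets.
            last = substr($1, 2, length($1) - 2) " " $3
        }
        END { if (last != "") print last }' "$2"
}

# report INSTALLED COMPROMISED LOGFILE
# One line per affected package: "<name> <timestamp> <action>".
report() {
    for pkg in $(find_affected "$1" "$2"); do
        printf '%s %s\n' "$pkg" "$(last_change "$pkg" "$3")"
    done
}

# --- Constructed sample data (placeholder names, not real indicators) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/installed" <<'EOF'
gtkimageview 1.6.4-6
yay 12.4.2-1
example-unaffected-bin 3.0.0-1
EOF

cat > "$tmp/compromised" <<'EOF'
gtkimageview
example-malicious-bin
EOF

cat > "$tmp/pacman.log" <<'EOF'
[2024-10-05T14:22:10+0000] [ALPM] installed gtkimageview (1.6.4-5)
[2025-01-12T09:01:33+0000] [ALPM] upgraded gtkimageview (1.6.4-5 -> 1.6.4-6)
[2025-01-12T09:01:34+0000] [ALPM] upgraded yay (12.4.1-1 -> 12.4.2-1)
EOF

# Sample run: prints "gtkimageview 2025-01-12T09:01:33+0000 upgraded".
report "$tmp/installed" "$tmp/compromised" "$tmp/pacman.log"
```

On a live system, `pacman -Qm > installed.txt` produces the first input; whether a match is a concern depends on whether its last upgrade falls inside the window in which the malicious commits were live, which only the incident advisory can tell you.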

Dang, if only their packages were more up to date maybe this wouldn’t have happened.

(btw)

(hopefully this doesn't read as blaming the victims instead of the attackers but) I personally don't think it's that complicated to read the updates to AUR packages. It's not any more hard than only commenting after reading the links that people post here instead of just the headlines—which we all do, right?

I wouldn't know where to get the info in the first place. When I use Windows Update I also don't read any changelog because that shouldn't be the user's job but the supplier's.

As an avid user of the AUR, you'd be correct if you were downloading from the official Arch repository. But you aren't. AUR is basically like downloading from GitHub. The only "guarantee" you get is from whoever put the package up and it's up to you to determine if they're trustworthy.

The whole point of the AUR is that it's just random people's code. There is no supplier here. If you don't know where to find that information, you really shouldn't be using AUR.

In an ideal world yes, but I needed some software that was only available via AUR and if the official guides tell me I can install it via AUR I will.

That is indeed the official guides' fault if they're not in charge of helping maintain the AUR package. Not the case for most of the infected packages here other than notably alvr, though.

Windows Update doesn't force you to take a look at the changelog. Most AUR helpers do, so you'd better bet that it's important.

This is why I use NixOS

Guix on top of Arch, replacing most of AUR packages is also a good alternative (with less involvement of US military companies, more context here, and a nice minimalist configuration language).

Both Nix and Guix can be installed on top of Arch and work as an extra package manager.

Plus Guix is a GNU project, and GNU projects are both very open to modification and hacking their own stuff, and fairly security-conscious.

It has one fly in the ointment: Guix is really not built for distribution of binary packages of closed-source software (all package definitions build initially from source), and that's why some companies hate it. But for me, this is a plus.

Yes, that's a good alternative. I actually used to do it myself before going full NixOS. Also I kind of missed the whole Anduril drama. I'll see what it's about. Been a while that I've wanted to try out Guix anyway.

AUR

Play stupid games win stupid prizes I guess.

Also keep in mind that Arch is (unlike FOSS diehard people like Debian maintainers) quite permissive in what it accepts. This might be comfortable for getting some hardware running, but with this you also get stuff like Brave Browser in the software directory which, how do I say this, might not be the best choice for privacy.

So, if you want privacy and safety, you should have a good look at what you install.

AUR is not an Arch-maintainer-vetted repo tho. Even LibreWolf is not in the Arch repo.

The closest equivalent of AUR is PPA/launchpad

AUR is not an Arch-maintainer-vetted repo tho.

Oh, of course. I didn't repeat that, because this is clearly stated in the docs and should be well known by now.