Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages

3d 21h ago by aussie.zone/u/LantenCompass in austech@aussie.zone from www.phoronix.com

How can it happen? Were the maintainers of all these 15xx packages brainwashed?

AUR is user generated content and it isn't moderated or enabled by default. It is a place for regular users to share PKGBUILDs, which are scripts that automate building and installing software. Hard to explain now as it belongs to a different time and ethos when most people in the FOSS community were trying to help each other and build better things. Sort of like how in small town Australia or NZ people all pitched in to help each other in old times and you didn't lock your house or car.

It was always drummed into Arch users that AUR was user generated and potentially unsafe (just from broken packages, not necessarily malicious) and to vet the content before use. But we got tools to make updating AUR packages too easy and even experienced users can get slack.

There are some high quality packages on AUR that will eventually be vetted and adopted as official and some that are very well maintained by trustworthy people. But there is also a lot of crap and packages that have been abandoned which can be claimed by a malicious org. That is the source of the crazy number of packages. The number of people compromised was probably very small but it's a valuable lesson.

AUR is not too different to Microsoft owned github/npm which distributed most of the malware or to the various package managers that many software devs rely on far too heavily. Supply chain attacks will continue to be a huge threat as long as people are pressed for time and lazy and I don't think LLMs are going to be a magic bullet.

Thanks for that detailed description of aur. I came here to make a snarky comment because I use debian. But this could happen with any distro. Especially when using docker:latest images from random places.

I am a debian user as well. It's what I have used for servers and dev for over 25 years. No distro is perfect. Debian maintainers sometimes add too many patches to upstream and introduce bugs and vulnerabilities. This is particularly nasty when SSH is involved. One of the things I like about arch is how little the maintainers alter upstream. The memes about arch aren't much like the reality.

The intention of the AUR was really good. If you wrote an installation script for a niche package or with different build options you could share it with others and get some skills and feedback on packaging. It was like Ubuntu's PPAs but simpler.

Like anything good it just takes a few bad actors. We just can't have nice things it seems. The whole FOSS ecosystem is under attack and we are all in it together. Shit like XZ can get any of us. It's not really a good time for distro wars.

At least with a compromised docker package any malware inside needs to break through the virtualisation layer. Not impossible but not considered trivial.

With the aur you are compiling and running arbitrary code at the OS admin level.

I am a fan of the aur but try and use it sparingly. It often causes more problems than it is worth. I hate to admit it but this recent issue has made me reconsider the value of flatpak....

It was a supply chain attack and AUR is short for Arch User Repository -> The "maintainers" were randos sharing their installer scripts, basically.

The attackers added an npm command line and changed the contributor comments so that they pointed to fake emails, but kept the original name. Example: https://aur.archlinux.org/cgit/aur.git/commit/?h=runescape-launcher&id=cf0b627a6c36be967411063e2e2629f80bb6d51f
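The two things the comment above describes (a new npm invocation dropped into the build functions and a maintainer contact line swapped for a different email while the name is kept) are exactly what the "vet the content before use" advice earlier in the thread asks an AUR user to catch in a diff. Below is an added example, not part of this thread, of the Arch project or of any AUR helper, of a small Python audit that compares two versions of a PKGBUILD and flags both. The two PKGBUILD texts are constructed for the example and do not reproduce the linked commit; the list of "suspicious" patterns is an assumption about what a reviewer would want explained before running a build, not an official rule.

```python
"""Audit two versions of a PKGBUILD for changed contact lines and newly
added commands that fetch or execute code at build time.

Added example for this thread; the PKGBUILD contents are constructed and
the SUSPICIOUS patterns are the author's assumption of what to review."""
import re
from difflib import unified_diff

# Patterns worth a second look when they appear in build()/package():
# runtime package-manager fetches, pipe-to-shell downloads, decoded blobs.
SUSPICIOUS = [
    (r"\bnpm\s+(install|i|exec|x)\b", "npm invocation"),
    (r"\bpip3?\s+install\b", "pip invocation"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "pipe-to-shell download"),
    (r"\bbase64\s+(-d|--decode)\b", "base64 decode"),
    (r"\beval\b", "eval"),
]

# "# Maintainer: Name <email>" / "# Contributor: Name <email>" header lines
CONTACT_RE = re.compile(
    r"^#\s*(Maintainer|Contributor)\s*:\s*(.+?)\s*<([^>]+)>", re.IGNORECASE)

# Constructed "before" version: a plain PKGBUILD for a made-up package.
BEFORE = """\
# Maintainer: Example Person <person@example.org>
pkgname=example-launcher
pkgver=1.0
pkgrel=1
pkgdesc="Constructed example, not a real package"
arch=('x86_64')
source=("https://example.org/example-launcher-1.0.tar.gz")
sha256sums=('SKIP')

package() {
  install -Dm755 "$srcdir/example-launcher" "$pkgdir/usr/bin/example-launcher"
}
"""

# Constructed "after" version: same name on the contact line, new email,
# plus an npm command inserted into package().  Package name is a placeholder.
AFTER = BEFORE.replace("person@example.org", "person@mail.example").replace(
    "package() {\n",
    "package() {\n  npm install -g constructed-example-package\n")


def contacts(pkgbuild: str) -> dict:
    """Map 'Role: Name' -> email for every contact line in the header."""
    out = {}
    for line in pkgbuild.splitlines():
        m = CONTACT_RE.match(line)
        if m:
            out[f"{m.group(1).capitalize()}: {m.group(2)}"] = m.group(3)
    return out


def suspicious_lines(pkgbuild: str) -> list:
    """Return (lineno, label, line) for non-comment lines matching SUSPICIOUS."""
    hits = []
    for n, line in enumerate(pkgbuild.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for pat, label in SUSPICIOUS:
            if re.search(pat, stripped):
                hits.append((n, label, stripped))
                break
    return hits


def audit(before: str, after: str) -> dict:
    """Report contact lines whose email changed under the same name, and
    suspicious commands that exist only in the new version."""
    old, new = contacts(before), contacts(after)
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    added = [
        l[1:].strip()
        for l in unified_diff(before.splitlines(), after.splitlines(),
                              lineterm="", n=0)
        if l.startswith("+") and not l.startswith("+++")
    ]
    new_hits = [(label, line)
                for (_, label, line) in suspicious_lines("\n".join(added))]
    return {"contact_changed": changed, "new_suspicious": new_hits}


if __name__ == "__main__":
    report = audit(BEFORE, AFTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is it reports the maintainer email swap and the added `npm install` line; pointed at the output of `git diff` on a real AUR clone (the same two texts, old and new) it does the same job. An empty report is not a clean bill of health, only the absence of these particular patterns, so the full diff still deserves a read before the build runs.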

I got lucky on þis one. I uninstalled npm ages ago and won't install anyþing þat tries to pull it. Þe attackers could have used a different vector and I'd have been susceptible; it was only chance my dislike of Javascript saved me þis time.

Bro, I hate to break it to you, but your keyboard got hacked

I don't understand the point in reporting global tech topics in Australian Tech - it seems redundant to me.

While I agree at some level, my experience of seeing local user groups disappear, regional mailing lists go dead, and forums shut down because Facebook groups or Reddit exist is that local communities matter, and we are all far poorer for losing them.

The corporate global Internet is not the same. It is a regression and it is very vulnerable to bad faith actors. This isn't much better, but if it's a step towards reclaiming what we once had then perhaps we should encourage it.

It's a global issue. But I'm happy to see a local discussion about it. I am much more likely to participate here.