- cross-posted to:
- linux@programming.dev
- cross-posted to:
- linux@programming.dev
Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
…but Linux is more secure than Windows! /s
It is. And we don’t have spyware installed by default by our OS.
You run the same risks downloading torrents of games or porn on whatever OS you use. This isn’t really linux related, it’s related to downloading unverified files uploaded by random people online, which is what the aur basically is.
Which is why users are recommended to audit the PKGBUILD and related files before building and installing the packages. In the end, what happens during the installation of AUR packages are the users responsibility.
Yeah admittedly when i was still using Arch at the time i never read the PKGBUILD. For one i was still more of a newb who didn’t understand the PKGBUILD files yet, but it also didn’t seem to be as much of a problem back then (this was like 5 years ago or something). I don’t use Arch or the AUR anymore now though.
this affects only a fraction of arch users, and it would be impossible for it to work on nix systems for example, on top of that, this is basically npm’s fault
This is the same as an EXE having an issue and then blaming Microsoft. At least on Linux you have the option to not install from a 3rd party.
Well, but people do blame Windows!
And there you also have the choice not to install from any source, just the Microsoft Store.
Technically there is no such thing as a “completely secure system”
What Linux offers is the fact that by nature of being FOSS, there are millions of eyes on source code at any one time, and so potential exploits can usually be spotted and mitigated faster than waiting for the software maker to fix their own shit. And the fact that, in most cases with Windows, the call is coming from inside the house, so-to-speak; It’s the operating system itself that is malicious and anti-user.
To put it simply: Yes…linux can be attacked just like windows. But we live in an open-concept house with no hidden corners, and we’ve got a pretty great neighbourhood watch thing going on. Versus Windows users who live a house filled with cameras and alarms, surrounded by a giant wall that they can’t see over, and they have to rely on the security company to do anything about the burglar trying to get in.
I’ll take my chances with the community approach every time.