- cross-posted to:
- linux@programming.dev
- cross-posted to:
- linux@programming.dev
Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
I feel like this always happens to npm specifically. They’re definitely doing something wrong 💀
Could happen with pip too.
it’s the way it’s been setup; it needs a thorough revamping to make it as resilient as other supply chains.
not that other chains are bullet proof, it’s just that npm people need to up their game to be atleast as good as the others.