Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

    • vapeloki@lemmy.world
      12·
      10 hours ago

      And then, where get I 70% of my packages I need? For example a useful browser like brave? Yeah …

          • naught@sh.itjust.works
            2·
            4 hours ago

            There is an install script for linux front and center on the page (classic curl into sh). For other distros, they’re having you add their own repository and install from that. Just as sketchy.

            It’s unwise to trust Brave, anyway.

            • vapeloki@lemmy.world
              1·
              4 hours ago

              That was an example. And as someone who works in sec, I know the benefits of a package manager.

              “I only need to trust brave”.

              I don’t get it, static linking, curl to bash pipes and userepace install and everybody thinks that is fine. But as someone who needs to write a security concept for Linux in the office so I can finally use it at work, no that is not ok. That is shit.

              Rust on desktop is also a nightmare for example.

              No I do not hate arch, I hate concepts and mindsets creeping into the Linux world