Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

  • Mactan@lemmy.ml
    22·
    7 hours ago

    To potentially prevent this entire class of npm attacks in the future, you could edit /etc/pacman.conf, uncomment

    # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg   =

    And set it to IgnorePkg = npm

    Your system should prompt you to accept installing npm because it’s in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something’s off and refuse the install. This assumes you don’t already have npm installed or need it for some reason.

    https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

    edit: word is that bun command is being abused as well and may be worthwhile including in the space separated list:

    IgnorePkg = npm bun