Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

  • lemmyvore@feddit.nlEnglish
    32·
    9 hours ago

    Here’s the AUR recipe (PKGBUILD file) for a random package:

    https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git

    This is a standard format for the recipe. It’s Bash code used to define variables and functions.

    You’ll notice there’s no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would an command that fetches a malware zip from a weird URL.

    Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It’s impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.

    AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.

    • lofi@piefed.socialEnglish
      1·
      5 hours ago

      AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.