Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

  • vapeloki@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    21 days ago

    Maybe, just maybe, and nearly unmoderated repository where everybody can create packages, is not so secure after all? /s

    And AUR is the reason I keep arch miles away from any of my systems.

  • placebo@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    21 days ago

    attempt to download npm-based payloads during installation

    Why npm and not python? It’s installed on every arch system and wouldn’t bring unnecessary attention 🤷

    • ghost_laptop@lemmy.ml
      link
      fedilink
      arrow-up
      0
      arrow-down
      1
      ·
      21 days ago

      this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit

    • ghost_laptop@lemmy.ml
      link
      fedilink
      arrow-up
      0
      arrow-down
      1
      ·
      21 days ago

      this affects only a fraction of arch users, and it would be impossible for it to work on nix systems for example, on top of that, this is basically npm’s fault