Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages
Posted by qwertox 4 days ago
Comments
Comment by anthonj 4 days ago
I've installed stuff from the aur before but most of the times I prefer to skip the middleman and just navigate to the project website. A premade pkgbuild is not convenient enough to take the risk of typoquatting or the tactical npm or pip dependency.
Comment by OJFord 4 days ago
(It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)
Comment by anthonj 4 days ago
Git repo have been attacked other times in the past, but a 500/1000 stars project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes. I still use the aur for simple cases, but when I see aur packages depending on multiple other aur packages I immediately leave.
Comment by feelamee 3 days ago
Comment by OJFord 2 days ago
Comment by zenoprax 4 days ago
After using Void Linux I switched to `aurutils` to get a similar separation on Arch. I can easily maintain a local AUR repo by compiling/making my own binaries and can use `pacman` to install and manage them which improves the upgrade process overall.
Comment by recursivegirth 2 days ago
I have the complete opposite experience. Arch makes it easy to get in and get hacking right away. Their beginner guide's on the wiki were a gem 10-15 years ago... made it super easy to get up and running. I don't have the time these days to tinker - but boy do I love some Arch.
Comment by Grombobulous 4 days ago
The pacman wrappers you mention are crazy, though.
Comment by anthonj 4 days ago
Also if the software is downloaded in the form of a git repo, you only needed to checkout the new tag and rebuild, don't need your browser at all.
Comment by mananaysiempre 4 days ago
Comment by bitmasher9 4 days ago
Comment by saghm 4 days ago
Comment by bitmasher9 3 days ago
Makes sense that the most popular AUR packages will be candidates for the main repo.
Comment by saghm 1 day ago
I understand that having a relatively small number of people maintaining a large number of packages makes it burdensome to manually update everything, but on the other hand, nobody asked me before promoting the AUR package I maintained to the main repos, and I would have been happy to keep doing it indefinitely! I'm not a "official trusted contributor" by any means, but I also know that I would have kept doing what I already did for years in exactly the same way without any issues, so I can't help but feel a bit like like a known good with hypothetical risks was thrown away for something that will produce at best the same results with less severe but more concrete risks. I wish I had a solution for not getting stuck at that local optimum, but incidents like the one in the article will only make it more of an uphill battle.
(edit: to clarify, I'm not proposing that the package should have been left in the AUR, but that I wish there were a way for them to have just let me keep maintaining it as an "official" package. Maybe something like the kernel model where someone trusted could vet the PKGBUILD updates I do and decide whether to merge them or not rather than doing the same but with a bot, and then maybe not noticing that the bot is silently failing...)
Comment by BobbyTables2 3 days ago
Tutorials using them are so widespread… Start feeling like a weirdo for not wanting to give an unknown rando full indefinite root access to the system, with virtually zero peer review… all to install one version of a package where updates are undesired or infrequent…
Comment by KetoManx64 2 days ago
Comment by pixelpoet 4 days ago
Perfect demonstration!
Comment by mqus 4 days ago
Comment by anthonj 4 days ago
Of course the process breaks down for a large amount of packets, but I've never been in that situation. In part because the official repo is already large, and in part because I like minimalism.
If that even became an issue, I would manage a personal set of pkgbuild probably.
Comment by qudat 3 days ago
Then I just update when I need to update
Comment by beej71 3 days ago
Comment by Charon77 3 days ago
Comment by aftbit 4 days ago
I should be able to set a minimum package age just like I can with pnpm.
Orphaned packages should not be adoptable by just anyone. Maybe there should even be a global rate limit on this as a sign of attack.
Someone or something should vuln-scan these packages as they're published, as a number of companies do for NPM now. That would likely have found these pretty quickly.
Most of these are not changes to be made by the AUR maintainers, but rather by packaging helpers and 3rd parties.
Comment by whateverboat 3 days ago
Comment by no-name-here 3 days ago
Comment by whateverboat 3 days ago
It is also an explicit signal of someone different taking over the ownership.
Comment by TingPing 4 days ago
Comment by aftbit 3 days ago
yaourt
yay
paru
Comment by gavinhungry 4 days ago
I recently worked up a patch [1] for pakku [2], after being inspired by pnpm.
[1] https://github.com/gavinhungry/patches/blob/main/pakku/pakku...
Comment by embedding-shape 3 days ago
Why not? I agree some limits should be added, but also shouldn't be too limited, then lots of things that could be properly maintained, won't. Maybe limit adoption to one package a month or something, to users registered since some date. But no one has automatic (& unreviewed) updates applied to their locally installed AUR packages (that'd be utterly bananas) so the attack vector is already pretty small here.
Comment by cookiengineer 3 days ago
No. It wouldn't have. That's the whole point of the miasma worm, because it changes too fast in its signatures and helper methods. The encrypted malware implant uses a changing AES-128-GCM key that's used to decrypt the payload, and that key is per-where-it-is-uploaded on GitHub. The code itself is dynamically renamed in its methods, re-used shuffled offsets for encrypted symbols, among other things. It's a mutating malware and the worst enemy from tools that rely on signatures.
Ironically, APT28/29 is somewhat relying on Microsoft being too slow to auto block users and repositories on GitHub that are the C2 infrastructure. Think about that for a second what this implies for your cyber strategy.
By the time you're able to scan signatures or "strings" you're already playing a cat and mouse game with a fully automated botnet, which you will never win. The only other ones I've observed during the last week that seem to be able to track this malware implant's changes were socket.dev. ALL other supply chain tools didn't even know about Miasma and re-invented it as a new campaign. They didn't have the skilled enough people nor toolchain to reverse the malware payload quickly enough to be able to keep up every 24h when they push out a new adapter for another ecosystem.
By fully automated I mean they're already using the credentials they stole less than 48 hours ago from a different package ecosystem, because the email addresses and names etc keep appearing from people who likely didn't even understand the impact of this self-spreading worm.
And having an IOC that checks for, let's say, any package that depends on bun won't help either because the malware will just use external means to re-download it. See the second PyPi campaign, where they just changed the dropper to use compressed WHL files and the setup.pth files that are auto-executed to download the dropper. They changed this after the PyPi maintainers flagged the first wave of malware droppers from the RedHat campaign.
As long as the package managers in those ecosystems aren't fully rewritten from scratch to accomodate for chroots, sandboxes, network and domain logs that are _only allowlistable per entry_ this won't change, and will stay being a feasible malware deployment strategy for supply chain attacks.
Repo for Mitigation Tool (I'm human so I play catch 21 with an LLM powered botnet) [1] ... Tech details in the blog post [2]
Also this is a problem across all package managers. Composer is also affected. Rubygems is also affected. NPM is also affected. PyPi is also affected. Go is also affected.
Nobody is talking about this, and I think this should be more openly discussed how much negligence and external trust we put in package managers in general. This really needs to change.
[1] https://github.com/cookiengineer/antimiasma
[2] https://cookie.engineer/weblog/articles/malware-insights-mia...
Comment by aftbit 3 days ago
1. Orphaned package adopted
2. Has post-install hook added
3. Which uses npm or bun
Yes, you're right - detecting this could have led to a more sophisticated attack. Security is always a cat and mouse game. The purpose isn't to stop every attack - it's to raise the costs for attackers and the visibility for defenders.
Any attacker who wants to attack 1000s of packages is going to necessarily leave some signatures, unless they're extremely careful. If they change one thing but not another, you can tie them both together.
Think of this like email anti-spam. It hasn't gotten rid of spam, but it has made it much more expensive to operate.
Combine this with a minimum package age to give the scanners time to run and humans time to inspect, and the ecosystem as a whole gets much more secure.
Comment by irundebian 2 days ago
Comment by mkayokay 4 days ago
Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date related infos:
> pacman -Qmi
Check the output against the list of affected packages.
Then, you can also grep for those files in various locations: > grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json"
> grep -rl "atomic-lockfile" ~/.npm 2>/dev/null
> grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null
Don't know if the packages delete themself after they run. I just wanted to provide some basic commands, as all the other infos I found didn't provide any help.
Comment by shlip 3 days ago
Get a list of installed packages originating from AUR using 'yay' :
yay -Qam > packages_aur.last
curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt
grep -wFf compromised.txt packages_aur.last
Comment by galleywest200 3 days ago
libgdata 0.18.1-5 qt5-3d 5.15.18-1
Comment by bilkow 3 days ago
Only packages from AUR have been compromised, meaning a normal update `pacman -Syu` won't install them, they'll only be installed by `makepkg` or AUR helpers (such as `paru`, which asks you to review the PKGBUILD diff).
Also, if you had installed a compromised version, uninstalling the packages is not enough, you'd probably need to reinstall your system and rotate all credentials. More info here and on the linked blog: https://discourse.ifin.network/t/400-aur-packages-compromise...
Comment by galleywest200 2 days ago
Looking at my pacman cache both of these versions existed on my system before June of this year so I think I am okay.
Comment by stefan_ 4 days ago
Comment by jeroenhd 4 days ago
Comment by DavideNL 4 days ago
Comment by quertyrecord74 3 days ago
Comment by embedding-shape 4 days ago
`rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on. Keeping the amount of packages low, only use what you need, also makes this a whole lot simpler when it's time to upgrade.
Comment by blcknight 4 days ago
Comment by yowo 4 days ago
If you crash your car, you are liable for the accident. If you aren't ready for that, take the bus.
More power = more responsibility
Comment by badgersnake 3 days ago
Because I didn’t go through all the blueprints and find the flaw that led to the crash. This is a dumb argument. It’s also the one the AUR appears to be making.
Comment by homebrewer 3 days ago
If this is not for you, that's fine, but it's been working very well for some of us for... decades, at this point? I'm not amused by the amount of people here wanting to turn arch into another Ubuntu, most of them having zero familiarity with how the AUR works, or arch more generally.
Comment by Barrin92 3 days ago
but it's worth asking why it's been working well. Has it been working well simply because it's been a niche ecosystem, or even because you wouldn't have known if it didn't because nobody did security audits?
The Arch distribution model, which operates like the Javascript ecosystem, as in having a barebones core and then a zoo of unregulated third party community packages does not seem fine these days. As it became more popular it has naturally drawn attention and from that moment on you're just screwed because you have no security infrastructure. Arch pretty much lived off security through obscurity.
And in particular with the popularity of these spin offs, I forgot what the name of the tiling wm thing is that got very popular, I think a lot of users are not aware that they're doing the software equivalent of buying medicine off craigslist
Comment by embedding-shape 3 days ago
It's hard to take the rest of your comment seriously when you don't seem to have a basic understanding of the parts involved here. Arch's distribution model isn't at all like npm (which I guess is what you're actually talking about here), but the AUR specifically is pretty similar to npm. But the AUR isn't Arch's main distribution model, and the official Arch repositories contain a ton of packages in the core, so not even the "barebones core" is correct here.
Arch has pretty much lived off the experience of its users, which is the entire purpose and value-proposition of the OS. You want someone else to be responsible, you're welcome to use the countless of other distributions, Arch is quite literally not the OS for a "Don't read anything and press Update, hope for the best" experience, and I hope the core team continues to push back against that, which they've done for decades at this point.
It's sad, because overall you have a point somewhere there but the big misconceptions kind of hide that message though.
Comment by Barrin92 3 days ago
I don't think that narrative is supported by the numbers. Arch's repositories are about a magnitude smaller than either the AUR or "batteries included" distributions like Debian. (about 10k to 100k packages), there are more people using Arch derivatives than arch, and according to some community polls, granted I can't verify their methodology, something north of 90% of arch users use the AUR.
If you look at the most popular packages in the AUR, it's the most popular web browsers, virtually every VPN client, popular professional software like davinci, incredibly popular messaging clients, Spotify, Zoom, billion+ userbase software and the vast majority of password managers.
And if you look at who maintains those, it isn't the company, in many cases it's a random pseudonymous user who doesn't show up on Google. And I don't get this strange aggressive tone of suggesting I use something else. I do already, because as should be obvious I think that's a bonkers security model, but it deserves to be pointed out.
I do not think that the majority of people running arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.
Comment by embedding-shape 3 days ago
Why are you looking at numbers? Arch Linux's official way of distributing software to it's users are the repositories called "core", "extra" and "multilib", anything else than those are "unofficial" and user's responsibility to how they handle it. No need to look at any numbers, literally go to Arch Linux's website and read how it works if you don't know since before.
> there are more people using Arch derivatives than arch
May be, find it hard to believe that's true outside of gaming, but regardless, that doesn't mean suddenly the AUR becomes safe. And if the complaint is about how these Arch-derivitives educate their users, go to their message boards and share this, that has little to do with Arch Linux itself, literally why there are multiple distributions in the first place.
> something north of 90% of arch users use the AUR.
Yes, like me, and probably every other Arch Linux user. I'm sure every developer on macOS at one time uses the terminal, does that mean "rm -rf" suddenly needs to go away?
> it's a random pseudonymous user who doesn't show up on Google
So what, why it matters? All that matters is that the package does what you expect, and use official sources if that's the point. My password manager's AUR package is built by someone I don't even recall the username of, is this a problem in practice? No, because I do what my OS tells me and reviews random 3rd party software I download from the internet. Every time I upgrade, I see that the only thing changing is the URL which points to the official domain, and a content-hash, that's it. The user could be a pirate in Somalia for all I care.
> I do not think that the majority of people running arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.
I think if you look at a certain sub-section of users who install and do things without thinking, you're absolutely correct. But I don't think the rest of the user base who uses Arch for the very value proposition it offers, should suffer because there is a small sub-section of users who install OSes based on what influencers are pushing to their viewers today.
Comment by naturalmovement 4 days ago
It's an uncontrolled free-for-all disguised as a watering hole. If they can't do the most basic of housekeeping it should not exist full stop.
Comment by zeta0134 4 days ago
The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR.
The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile?
Comment by a-dub 4 days ago
it would be better if there were stronger community moderation and review that has stamps i can trust rather than this idea that eyeballing build scripts is a reasonable security posture.
Comment by embedding-shape 4 days ago
Ok, so instead of having a reasonable security posture yourself, you'd rather rely on a number of random strangers who've eyeballed the PKGBUILD instead?
Generally, I think Arch tries to prevent users from relying on bad signals, and this principle might be applied here too.
> i read all the pkgbuild diffs, still doesn't give me a good sense. sure,
Do you have an example of a diff that doesn't give a good sense? I review all my diffs too, but I feel like all of them give me a good sense if it's safe to install or not. I mean, why would I otherwise, what's the point in reviewing if you don't use it to make a decision if to install it or not?
Comment by a-dub 2 days ago
Comment by embedding-shape 2 days ago
What else do you have to review? Both in the cases of binaries and source, the idea is that you trust upstream already, otherwise you shouldn't install software from them. And since you trust upstream, the only thing you need to review in the PKGBUILD is quite literally: Where is this stuff coming from, is it the official domain/repository? Are there other non-official dependencies? Are there patches applied?
Once you've reviewed those, you're done, and as safe as if you installed straight from upstream, zero false sense of security here.
You're mixing concerns here, as what you describe is completely different issue.
Comment by a-dub 2 days ago
there is work involved in figuring out how to get the complete diff of the code and dependencies that are included in the change, plus review time. this could range anywhere from 5-10m to 1h per package updated- if not more.
Comment by zyuiop 4 days ago
Comment by matheusmoreira 4 days ago
The only way you could possibly not be aware of the AUR's nature as an "uncontrolled free-for-all" is if you didn't read the Arch Wiki, and anyone who doesn't read the Arch Wiki should not be using Arch Linux to begin with.
"Uncontrolled free-for-all" is exactly the status quo of programming language package managers such as npm and pip. It's just as easy for total randoms to sign up for an account and push packages on those services as it is to push a package to the AUR. Only the AUR made the lack of trust explicit and part of the culture.
Comment by Hackbraten 4 days ago
PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages.
> available through the OS's repos.
No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page.
Comment by naturalmovement 4 days ago
Comment by embedding-shape 4 days ago
It'd be more like a public toilet anyone could urinate in, and you lick the floor right next to the toilet and then is surprised that it tastes like pee. Of course there is pee on the floor, anyone can pee there!
Comment by neoCrimeLabs 4 days ago
Meanwhile one of the other customers has norovirus and is deliberately touching everything so others contract it.
Comment by kcyb 4 days ago
Comment by naturalmovement 4 days ago
Comment by embedding-shape 4 days ago
Jokes aside and just in case, you do realize ports and AUR have two very different models? Ports is more similar to the official Arch repositories, which obviously doesn't suffer from the same problem, and AFAIK, there is no BSD-equivalent of AUR.
BSD is cool and useful for lots of reasons, but comparisons based on misunderstandings helps no one :)
Comment by joveian 3 days ago
Comment by embedding-shape 3 days ago
Comment by joveian 3 days ago
Comment by Gigachad 3 days ago
Comment by echelon_musk 4 days ago
Comment by t-3 4 days ago
Comment by bethekidyouwant 4 days ago
Comment by embedding-shape 4 days ago
Comment by jolmg 4 days ago
You find one that builds from source, or you still review PKGBUILD and friends and lean more on evaluating the reputation of upstream and its maintainers, or you simply decide never to install binary packages. Your policy is yours to decide.
> Putting this on users is not a tenable solution.
The alternative would be to not have an AUR. Archlinux has official package repos where packages are vetted. The AUR (Arch User Repository) is not that. The AUR is there to provide greater variety of software than the official repos can, and it does that by not incurring the cost of being individually maintained by volunteer Arch staff and developers. It needs to not incur that cost for it to exist, otherwise it'd just be the official repos. It's like github, but limited to repos with PKGBUILDs.
Comment by embedding-shape 4 days ago
And in this alternative past/future, everyone is using GitHub to host their PKGBUILDs instead, then someone gets tired/lazy and builds one repository that indexes those, and we have ArchPacBrewRepository or something, and very same issue appears again, unless people change their approach to installing random 3rd party software.
Comment by Gigachad 3 days ago
Comment by gchamonlive 4 days ago
Comment by embedding-shape 4 days ago
First, very easy one, we want to install Brave, so we find https://aur.archlinux.org/packages/brave-bin. All the dependencies are in the official repos already, so those we trust already, you open the downloaded PKGBUILD and you find it's downloading a binary from github.com/brave, you check to see it's the official GitHub profile/organization that you expect. Quickly scan prepare/package for anything out of place, like downloading more files not defined in "source" or whatever. In this case, "suid sandbox" stuff should make you investigate closer so you understand what that stuff does, many things related to Chrome has things like that. That AUR package also has a brave-bin.sh, so a look through that would make sense. AFAIK, everything checks out, this is literally just downloading the official release from GitHub, and extracts it into the right place, so if you trust the GitHub org/user, you can trust the PKGBUILD. The PKGBUILD also seems to be officially maintained by Brave themselves, so probably already there you can verify the AUR user and be done if you feel lax.
Second example is unofficial package, https://aur.archlinux.org/packages/lmstudio-bin, maintained by noureddinex and created by MadGoat, neither which seem official at a glance. Read through the comments to see if anyone else flagged anything, seems fine so again go read the source of the package and the PKGBUILD. PKGBUILD seems standard, downloads something from "installers.lmstudio.ai" so first thing to check is if that's actually the official website, so use search engine to find official website, copy the URL of the download, verify it's the same. In this case, lmstudio.ai is the real website, but download URL on website ends up being "https://lmstudio.ai/download/latest/linux/x64" in the HTML/DOM, so use "curl -v -L $URL" to see redirects, and then we've confirmed installers.lmstudio.ai is actually what they use for official releases. Read through "prepare" and "package", both seem standard and fine, then look through the rest of the files, all of them seem fine, mostly maintenance scripts for the AUR package itself. Package seems fine as a whole, and we could install it, if we're willing to review it again on upgrades in the future.
This is basically all you have to do. Writing what I did while doing it, made each "review" take maybe 5-10 minutes, and it isn't harder than that, regardless who the user is. You just need to know what to look for, and think how you'd "officially" install it anyways. And if what the PKGBUILD differs from what you'd imagine an "official install" would do, investigate if it makes sense and if not, don't install the package, maybe leave a comment for others in AUR to dive deeper.
Comment by xnzakg 4 days ago
Comment by embedding-shape 4 days ago
I recall the same situation recently with yt-dlp, as they started to depend on a JS engine for some captcha stuff or related. So when you see that, you need to adjust the mindset of "ah whatever it's probably fine" to "Ok, why are these changes actually here?", and if it's not worth reviewing, you might want to reconsider the approach of installing random binaries from the internet that are flagged as unreviewed.
Comment by clickety_clack 4 days ago
Comment by glitchc 4 days ago
I'm willing to bet you yourself have read <1% of the source code currently running on your computers. Does this mean you have stopped using your computer(s)? How can you trust anything that happens on them?
Comment by sam_lowry_ 4 days ago
I review them every time I have to install from AUR.
Comment by Slothrop99 4 days ago
Comment by sam_lowry_ 4 days ago
I installed dwm from AUR once, then Prusa slicer.
Dwm PKGBUILD lists patches, so it's kind of obvious one needs to check them to choose what patches they want.
Prusa slices is downoaded from the official website.
I think you live in a different world ;-)
Comment by bawolff 4 days ago
Comment by exceptione 4 days ago
> And what if upstream is problematic?
It would be better if software would be forced to have something like a very advanced manifest file, with requested permissions. Malware has to eventually communicate with endpoints, so a declared whitelist of endpoints should definitely be part of such a manifest. Some wrapper program could set up a namespaces that allows just what is requested. Any software that requires `endpoints = [.*]` would make it obvious to the user that it is a really dangerous piece of software. Your code editor should not ship like that.
The first thing I can think of in this direction is flatpak, but that is really coarse grained, with defaults that are very lax. Also flatpak-like solutions do not expose an api to the wrapped application, which is both a pro and a con (a con when you consider installing application plugins requiring further permissions).
Comment by Hackbraten 4 days ago
Then don’t install the package.
It’s on you to decide whether you trust upstream or not.
You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)
The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.
Comment by exceptione 4 days ago
Do you know how? This sounds like an unpractical high amount of time consuming task.
Comment by embedding-shape 4 days ago
Comment by exceptione 4 days ago
Comment by prmoustache 3 days ago
The same as when you install any software on macos or windows, even proprietary ones, that may themselves depend on third party libraries.
At every stage of development there is a possibility of malicious code being introduced.
Comment by matheusmoreira 4 days ago
Comment by dbgobrrr 4 days ago
I think this stance should be re-evaluated. Arch Linux developers are doing a fantastic job and I am personally thankful to them - this is not in any way critical of them. And while I don't see an easy solution here, I just feel that the time of "warning users" is long gone with how much supply-chain attacks are ramping up these days.
Some other controls could at least alleviate the problem. Perhaps some form of peer-review and grace period before publishing could help here?
Comment by anon7000 4 days ago
I’m not sure how to find a balance. One reason to use Arch is to always have the latest software, especially if you’re gaming. (Need to run very recent kernels, GPU drivers, and DEs to support new graphics cards.) So that’s very different from other stable LTS distros which carefully pick the package updates they incorporate.
Anyways, I do agree package cooldowns and such make a lot of sense. Package managers should be pulling out the stops on all the free controls they can implement. I can understand why anything requiring compute or maintainer time is a non-starter. (Sidebar: I don’t feel the same way about npm. Microsoft can afford to run malware scanners and analysis tools on npm packages.)
Comment by beej71 4 days ago
Comment by drnick1 4 days ago
Comment by newsoftheday 4 days ago
Comment by vlovich123 4 days ago
Btw the official “vscode on Linux” instructions literally point to the community maintained AUR (same for nix).
The truth of the matter is the AUR is poorly maintained structurally, regardless of what companies officially support. Things like letting arbitrary people unilaterally take over orphaned packages is horrendously stupid.
Comment by sam_lowry_ 4 days ago
Comment by vlovich123 3 days ago
“Learning from your mistakes is good. Learning from the mistakes of others is better”.
For all its flaws, at least Cargo attempts to do that. AUR does not. No other package manager this regularly has hijacking problems.
Comment by emsign 4 days ago
Comment by tjoff 4 days ago
Comment by mcv 4 days ago
Comment by axus 4 days ago
Comment by homebrewer 3 days ago
Comment by thewebguyd 4 days ago
The biggest one I'd suggest they change immediately is remove the ability for anyone to just take over an orphaned package. That's a crazy policy, to me.
It should require you to fork it & resubmit, not take over the original.
Then they can go through and do purges of orphaned packages that are beyond a certain age.
Comment by xnzakg 4 days ago
Comment by embedding-shape 4 days ago
Comment by -mlv 4 days ago
It's crazy that all it takes to become a maintainer of a package is to flag it as orphaned, wait 2 weeks for the original maintainer to fail to respond because they're on a holiday, and BAM! - the attacker can gets assigned as a maintainer and can now ship spicy updates.
Comment by dualvariable 4 days ago
Maintainers need to have some level of vetting, and should own a repo or three for a while to establish a track record, before they get to blast out contributions to 100 of them without any review.
Comment by Gormo 4 days ago
Comment by dualvariable 4 days ago
This is also a terrible way to run a package build system in this day and age as well, if you like. I feel exactly the same way about it, and when I wrote that I understood what it was, so I didn't need that helpful correction (I first used the FreeBSD ports system sometime around the turn of the millennia).
Comment by embedding-shape 4 days ago
It's not, AUR is more like GitHub, anyone can upload content there, not like a proper repository where things are reviewed, verified and cared for.
You're complaining about "curl https://random-website.com | bash" being "a semantic detail" while it's a major difference in how much trust you can put into it. If you don't trust random-website.com, you shouldn't trust AUR packages. But very different from BSD Ports or Arch's official repositories.
Comment by dualvariable 4 days ago
GitHub also actually protects against repojacking and tombstones username/reponame combinations (that exceed a certain minimum popularity) and never lets anyone ever use them again.
The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time. This kind of attack, that forces you to re-vet on every single upgrade so that trust inherently can't be established, is also not GitHub's model at all.
And go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack, because it inherts GH's threat model, and doesn't implement the kind of choices that AUR decided to deliberately build into their system.
Comment by embedding-shape 3 days ago
Changing your username would let anyone reuse the old username for whatever they want. Probably still today there are bots squatting any renamed accounts. Also, you bet Microsoft would hand over your GitHub username if it was reported by someone who holds a registered trademark in the US over that username, regardless of impact.
> The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time.
I don't think they promise that anywhere, nor should you have that expectation. That would be like since you got legit copy from random-website.com/bin.exe today, you'd get that tomorrow too, clearly not true unless you know the owner of the domain or otherwise trust it.
> go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack
Unless Golang suddenly have peer-reviewed packages, Golang has exactly the same problem as AUR in that anyone can create packages, and it's up to users to decide what to trust or not. Fair that the whole "orphaned packages" thing doesn't exists in Golang, but I think Arch probably favors stability more than people expect/think, that's why people can continue to maintain packages even though original maintainer disappears. Ultimately it's a trade-off, I don't think there is some absolute truth what is correct or incorrect.
Regardless of who maintains the package, if you use AUR as intended, it seems you'll avoid most security issues. It's when your expectations aren't aligned with what AUR actually promise, that people start getting hacked.
Comment by homebrewer 3 days ago
Comment by dualvariable 3 days ago
> We do not accept requests to release, transfer, or reclaim usernames on the basis that they appear inactive or unused. If the username you want has already been claimed, you will need to select a different available name unless you are submitting a trademark complaint as described below.
https://docs.github.com/en/site-policy/other-site-policies/g...
Also even the original user renames or deletes their account any popular repos they have will get tombstoned, so the new owner can't recreate them:
> GitHub uses a tombstoning algorithm to reduce the risk of repo-jacking by permanently retiring specific owner name, repository name combinations. The github/cmark-gfm example above is purely hypothetical, because, in that scenario, the old name would get automatically tombstoned. For example, even if an attacker managed to register the username github, they would still be prevented from creating a new repository with the name cmark-gfm because that owner name, repository name combination (github/cmark-gfm) would be permanently retired. Therefore, repo-jacking is only a risk for repositories that fall below a certain usage threshold. We don’t tombstone all renamed repositories because there’s a tradeoff between usability and security: a tombstone is a potential inconvenience for our users which we don’t want to impose unless there’s a genuine security-related reason to do so. That’s why our tombstoning policy only kicks in after the repository has met certain criteria, such as exceeding a specific number of clones.
https://github.blog/security/supply-chain-security/how-to-st...
Comment by tredre3 3 days ago
Before that it was possible to contact support to reclaim any username provided that they had no meaningful public repos and they were inactive for a long time. It was at the staff's discretion, there wasn't an elaborate policy of what constitutes inactive, but I've successfully reclaimed a username inactive for 2 years myself.
The old policy was:
GitHub account names are provided on a first-come, first-served basis, and are intended for immediate and active use. Account names may not be inactively held for future use. GitHub account name squatting is prohibited. Inactive accounts may be renamed or removed by GitHub staff at their discretion. Keep in mind that not all activity on GitHub is publicly visible. Staff will not remove or rename any active account.
Attempts to sell, buy, or solicit other forms of payment in exchange for account names are prohibited and may result in permanent account suspension.Comment by dualvariable 2 days ago
Which means that in the age of supply chain attacks, they patched the holes.
Which is exactly why this policy that AUR has is terrible in 2026.
The fact that GitHub didn't have that policy back in 2015 isn't the counterexample that the argumentative crowd here seems to think it is.
That is the GH policy right NOW, in the year of our Dog, 2026.
AUR is pretty grossly behind the curve, and I'll certainly accept that GH was arguably slow about it.
Defending AUR's policy on the basis of GH's policy being shitty until relatively recently isn't a good argument.
Comment by embedding-shape 3 days ago
Lesson learned, create new accounts and never rename usernames, regardless of what rules the platform might share publicly.
Comment by naturalmovement 4 days ago
What does the 'R' in AUR stand for? Rutabaga?
Comment by Gormo 7 hours ago
Comment by cosmic_cheese 4 days ago
There’s bits and pieces of this in place with immutable distros, Wayland, and Flatpak but notable holes remain. The biggest one is that sandboxing is tied to the package format which I think is a mistake. Sandboxing and access permissions should be a system-level thing so even arbitrary binaries can’t easily slip through the cracks.
This wouldn’t fix the problem entirely, but it’d greatly limit the blast radius and make users of the distribution a less juicy target.
Comment by mcv 4 days ago
Comment by jorams 4 days ago
At any time there's a large number of orphaned packages in the AUR, and the attacker(s) targeted those.
Comment by Slothrop99 4 days ago
Comment by mrbluecoat 4 days ago
Who needs social engineering NPM maintainers when there are thousands of freebie AUR ones.
Comment by embedding-shape 4 days ago
It's basically GitHub (in terms of "User's generated content") but tailored and specific to Arch/Arch-derived distributions. Packages have owners, but everything is very "freeform" in general on the AUR. It wasn't uncommon you could be added as a maintainer by just sending a mail to the current maintainer, since it's basically "Hey let me contribute to your repository" (simplified), today people keep track a bit better and avoided that I've seen. But still, it's on a individual basis.
Just like GitHub, AUR is completely devoid of peer-reviews, users uploads their own PKGBUILD and share with others, and the expectation is that users review stuff before they install it, just like on GitHub, or just like on the internet in general.
Comment by tempest_ 4 days ago
Comment by cge 4 days ago
What review should users do?
It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest. This was a mass attack against mostly low-use/orphaned/etc packages where maintainership was taken over or a different user uploaded a new version (itself a very simple, low-notice, low-oversight process), and many of the packages clearly had no connection to Node.js at all, so a user who knew enough about each package, and knew what npm was, might notice the oddity in the package, if they reviewed every line of the PKGBUILD, then reviewed the install scripts.
But legitimate AUR packages for packages connected to Node.js also use npm, for example, and at times, use npm install. A user would have to be familiar enough with Archlinux's build system to understand the difference between each part (eg, build() vs install scripts). They'd have to review every PKGBUILD, every install script, and every patch of every AUR package they install. For packages that actually do use npm/bun, they'd have to be familiar enough to know what uses were legitimate and what uses were not, and might have to be up to date on compromised dependencies. And this is still considering a mass attack that was not particularly hidden. Attacks could be made much harder to find.
Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system. They need to learn how to do this with, as far as I can tell, no real guidance: AUR itself, and the wiki's page on it, just warn that users should carefully review the PKGBUILD and install scripts, without giving any substantial guidance on what to look for or how to review anything. The warnings feel much more like liability-reduction than an attempt to be helpful.
At that point, what is AUR actually offering that installing the upstream package isn't? It feels like the suggested 'safe' way of using AUR would make it just as much work for the user, and require just as much knowledge, as either installing the upstream directly, or even making a package for it.
There is perhaps some room for LLM analysis here: Opus 4.8, Kimi latest, and even Qwen3.6 27B quickly catch at least the current round of malicious packages in my tests. But a motivated attacker could make that more difficult, or dangerous. And a user could also just have those models install the upstream package, with less risk. If they want to use pacman for management, they could likely even have those LLMs generate a package, with less risk.
Comment by SCdF 4 days ago
In my experience using the AUR:
1. when you first install the package you can read the build script (and you should). These are in a very standard structure, and if the one you are reading is weird and complicated consider not installing it. No one is forcing you to. Almost every build script I read just downloads a build from a tagged github release.
2. when you get an upgrade you are shown the diff. For almost every AUR package I use this is literally just changing the $VERSION variable and the subsequent $HASH of the download. It is trivial to see if anything (in the AUR script) is happening that is sneaky.
It's really not that scary. And if it's considered scary, there are literally dozens of other linux distros (not to mention Windows or MacOS) you could be using instead.
Comment by cge 4 days ago
But many users don't. As far as I can tell, there is very little actual guidance about what to look for, not even to the extent of what you explain here, on the wiki. Users are told to check the PKGBUILD, and warned about AUR-helpers being dangerous, but in practice, it seems AUR-helpers are widely used, and many users likely just click through PKGBUILDs they won't be able to understand.
And, again, this attack was a relatively obvious one. Other attacks could be made much harder to notice.
Worse, distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves. Unlike ArchLinux, those sometimes do seem to promote AUR-helpers. In some cases, those distributions are apparently including AUR-sourced packages in their actual repositories.
Questions about these topics often result in typical Archlinux hostility. And in some sense, that's understandable: there are other distributions that most users should be using, and the frustration of people using Archlinux who shouldn't be is wearing. It is nice to have a distribution that offers the flexibility and space for experimentation that Archlinux does. It's one of the reasons I use it on some of my machines, while at the same time recommending against most others using it.
To some extent, this is just a wide cultural difficulty with Linux, and there isn't a clear answer. On one hand, you want enough gatekeeping to keep users away from potentially dangerous systems they have no interest in understanding, and that they'll rely on without understanding in situations where they shouldn't. On the other, you don't want to keep out users who are interested in learning.
Comment by embedding-shape 4 days ago
That's where the whole "Not everything is idiot proof" thing comes in. The distribution is pushing the responsibility on users to vet what they do, across everything, not just installing AUR packages, so naturally this also applies to installing 3rd party software.
If you don't know what to look out for, maybe don't install stuff you don't know what it will do. Sucks as an answer if the distribution is looking to "Make it as easy as possible for every user" but that's not Arch Linux ultimately, it does ask you to care about things like that, if you don't want to, it might not be the OS for you. And that's of course OK and not something bad. I know this sounds like gatekeeping, but it's more of a culture difference than anything, and probably not even a problem.
> distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves
That'd suck, but not the impression I've got from CachyOS. There is a FAQ entry that seems to get the gist of AUR correct, that it's basically random software from random users, nothing is assumed safe: https://wiki.cachyos.org/cachyos_basic/faq/#aur-safety-pract...
> this is just a wide cultural difficulty with Linux, and there isn't a clear answer
I don't think "a answer" is needed here. What some read as "gatekeeping" and "Arch Linux hostility" is in reality just a difference of culture, and that's not a bad thing. Some distributions are for making things "easy for newcomers" or some focus on "best UI and UX" and others "most barebones for experienced users to setup themselves", and all of them as valid as the other. The tricky (and slow/time consuming) part is that you have to try a bunch before you find which one(s) aligns with your own perspectives and ideas.
Ultimately, users can learn best together with distributions that align with how they think and want to work.
Comment by cge 4 days ago
Oddly enough, when I was writing that, I wasn't thinking about Arch, but Ubuntu. Years ago, I can remember a situation of a PPA being used for developing something I was involved in somehow, and while the PPA specifically noted that users shouldn't use it, they just did anyway, because they wanted what they saw as the latest and greatest versions of those packages. When the PPA owner added a package that set the default wallpaper to a warning about adding the PPA and updating all packages from it blindly, the users blamed them, rather than understanding the message. At the same time, I was actually using that repository legitimately, and it was useful.
Comment by SCdF 4 days ago
I think the issue is those repos being based on Arch though, not Arch itself.
Comment by porridgeraisin 4 days ago
Stuff that tinkerers use is often some random fork of a fork of a gitHub repo, maintained by someone else, and the aur package maintained by a fourth person. That's where the mess is. Thankfully, these are also the users you can expect to read a pkgbuild diff.
Comment by yjftsjthsd-h 4 days ago
It produces package files that pacman can use. Sure, you can curl|sh or whatever, but that's a good way to litter stuff all over that you can't track or uninstall cleanly.
Comment by embedding-shape 4 days ago
The same sort of review you'd do if a stranger sends over a project and says "compile and run this" and you actually want whatever it's supposed to do, so you start looking through it.
> It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest
That's very suspicious if the package you're about to install doesn't seem to actually need those things. Since "AUR === random strangers on the internet with zero trust", then you need to pay attention to those sort of things.
> Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system.
Yes, indeed. Same as if you come across a random C++ project on GitHub with 2 stars, do you just pull down the source and compile willy-nilly? Probably not, you carefully inspect it can actually do what you want, how it does it, and so on. AUR is basically like GitHub in this case, zero peer-reviews and users fully responsible for whatever they install.
> At that point, what is AUR actually offering that installing the upstream package isn't?
PKGBUILDs, so you don't have to write them yourself. Not more, not less, just a central place for random strangers to share PKGBUILDs that may or may not work for others.
Comment by beej71 4 days ago
Comment by embedding-shape 4 days ago
I don't review updates to official packages on Arch, I don't think most people have time to do so, it's just way too much. Things change when we talk about AUR though, as those aren't vetted, those you need to take the time to review, otherwise you're basically installing completely unreviewed software from strangers on the internet.
Comment by Gud 4 days ago
For a distro this popular I’m surprised how much is in unofficial repos(AUR) and not the official ones.
Comment by sunshine-o 4 days ago
It is hard to avoid a package like chromium [0] or firefox which are in the "community" repo. Now have fun check it at every update, this is not practically feasible.
For the web browser one can say we should use Flatpak anyway but there are a lot of other apps like sway from the community repo that cannot be flatpaked.
- [0] https://pkgs.alpinelinux.org/package/edge/community/x86_64/c...
Comment by Lyngbakr 3 days ago
Comment by fooqux 4 days ago
Comment by reedlaw 4 days ago
Comment by fooqux 4 days ago
Comment by bitmasher9 4 days ago
Who is doing package management right these days? Who is doing it securely?
Comment by fooqux 4 days ago
Comment by bitmasher9 3 days ago
Comment by halfcat 4 days ago
QBASIC. When you need a package you type it in from a magazine. Virtually anything you could ever need is only 1-12 weeks away.
Comment by vunderba 4 days ago
Comment by matheusmoreira 4 days ago
Comment by bitmasher9 3 days ago
1. The whole point of the AUR is that the demand for packages outstrips the volunteer effort to provide secure packages.
2. There are about a dozen major package systems for Linux, with a lot of duplicated effort in packaging the same software for slightly different systems in slightly different formats.
Comment by graemep 4 days ago
Most distros are too. All the big distros have pretty good track records.
Comment by simoncion 4 days ago
The malware was limited to package sources that I understand to be disabled by default, if you're using Arch Linux. These package sources carry clear warnings that the packages they provide are controlled by third-parties and entirely unvetted by the distro maintainers. [0][1]
If your assertion is that any package management system that permits the installation of packages that aren't vetted by the maintainers of the -er- OS that uses that package management system is "not doing it securely", then the only one that's even vaguely "doing it securely" is Apple's iOS.
I'm of the opinion that permitting users of a general-purpose computer to install arbitrary software is a good thing, and is pretty much the entire point of a general-purpose computer. I'd call computers that make that effectively impossible "appliances". There's very definitely a place for appliances, [2] but seeking to turn every computer into an appliance is massively destructive.
[0] <https://aur.archlinux.org/>
[1] <https://wiki.archlinux.org/title/Arch_User_Repository>
[2] Reliable computers that you never have to think about because they simply never fail to perform the useful tasks they were designed to do are great.
Comment by dist-epoch 4 days ago
Everything will need to be run in a VM separated from your main desktop which should have your data and a minimal amount of apps.
Qubes OS was ahead of it's time.
Comment by Induane 4 days ago
Nothing I have ever used has a comparable dependency tree nightmare.
Comment by bitmasher9 3 days ago
Comment by anon7000 4 days ago
AUR is worse, in that there may not be official authors and you can take over releases of a package. Like, you’ll have random users publishing the release for some application that doesn’t have their own Arch release. And if that user disappears, someone else may take it over
Comment by tobyhinloopen 4 days ago
All major Node package managers should support it by now.
Prom was the best IIRC, yarn second, but even npm is catching up
Comment by bitmasher9 3 days ago
It’s so much overhead and auditing to enforce compliance across the thousands of node microservices though.
Comment by tobyhinloopen 2 days ago
Comment by landdate 4 days ago
Read the source. If you don't have the time then you shouldn't run the software.
Comment by bitmasher9 3 days ago
The Linux Kernel has 40 million lines of code, I don’t have the time to read that so I guess I better not use it.
Comment by landdate 1 day ago
Comment by beej71 3 days ago
Comment by landdate 4 days ago
I never had a need for the AUR.
If I want a package not in the official repository I build it myself or if it has a binary release I will download it. this way i don't have to use root when building and can have program installed locally just for a single user which is how it should be anyway for most desktop use cases.
At least in this way there is one less level of possible malicious code insertion in developer -> user, vs develeper -> maintainer -> user.
Comment by NekkoDroid 4 days ago
`makepkg` will actively refuse to run if you are invoking it as root (unless you specifically invoke it with something like `env EUID=123 makepkg ...`).
> and can have program installed locally just for a single user which is how it should be anyway for most desktop use cases.
I do wish pacman would support a user level installations. It will refuse to install packages as non-root (which you can go around by using user namespaces and mapping yourself to root).
Comment by landdate 1 day ago
Comment by NekkoDroid 1 day ago
Comment by well_ackshually 4 days ago
Comment by smetannik 4 days ago
Comment by shevy-java 4 days ago
Comment by BoingBoomTschak 4 days ago
Comment by 28304283409234 4 days ago
Comment by iknowstuff 4 days ago
Comment by jl6 4 days ago
Comment by ianburrell 3 days ago
Comment by jl6 3 days ago
Comment by Gigachad 3 days ago
Comment by dontfeedthemac 4 days ago
Comment by scarlehoff 3 days ago
One thing programs like yay could do though is to tie the packages to the maintainer. If the maintainer changes, it should be treated as a completely separate package. Not a perfect solution, but could avoid a few automatic upgrades.
Comment by robby_w_g 4 days ago
Comment by popcornricecake 4 days ago
Comment by anothermoron 4 days ago
Comment by jzer0cool 3 days ago
Comment by quertyrecord74 3 days ago
Comment by snvzz 3 days ago
The followup attack on Arch itself is not going to be pretty.
Comment by 1vuio0pswjnm7 4 days ago
What Linux distribution^1 has the highest percentage of users who compile from source
Is it Gentoo
1. Besides Linux from Scratch
Comment by tmtvl 3 days ago
Gentoo may not have the highest percentage of users who compile from source because there's binary packages available now. Maybe Exherbo, Source Mage, or Lunar may have the highest percentage outside of LFS.
Comment by 0x59 4 days ago
Comment by eviks 3 days ago
Comment by Havoc 4 days ago
Comment by Shank 4 days ago
Comment by beej71 4 days ago
Comment by gbin 4 days ago
So with a dozen of various systems running arch/cachyos for various purposes, 0 impact.
We seriously dodged a bullet though, should we have some kind of AI spotting shady activity before it hits the userbase?
Comment by ajross 4 days ago
This was the AUR repository, which is the community-maintained soup of non-distro packages. They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future. But they aren't really "Arch Linux". You need to deliberately enable and install tools to pull stuff from it.
Think of this as Steam or Chrome. You can install those on Arch, and people do, but if Chrome extensions or Steam games suffer an incident like this you don't blame the distro.
Comment by cge 4 days ago
That's perhaps the intent ideally, but in practice, it feels like AUR tends to be (a) niche, esoteric things that will never be anywhere outside of AUR, even if they could, or (b) installation methods for proprietary/otherwise non-open packages that can't be.
The latter seems to a major popular use of AUR: sorting packages by popularity or votes comes up with lists that seem to be mostly these. And that's likely a significant draw for non-technical users. If you want to install things like Dropbox, Chrome, VS Code, Minecraft, Zoom, Slack... they all show up in AUR. By their nature (usually extracting packages from upstream installation methods), they tend to be more complicated than generic AUR packages. They are also often quite a bit more convenient than using the upstream packages, which might not interface well with Archlinux, might only be available with installation methods that clobber things, might be deb/rpm only, etc.
I wonder if it would make sense to have a more trusted/vetted repository of these sorts of scripts, separate from core repositories but also not as free-for-all as AUR. That might go a long way toward keeping non-technical users from being drawn to AUR.
Comment by new_usemame 4 days ago
Comment by w4yai 4 days ago
Comment by dist-epoch 4 days ago
Comment by w4yai 2 days ago
That will end badly at some point
Comment by tryauuum 4 days ago
Comment by graemep 4 days ago
AUR comes with a warning that its up to you to check what you install from there.
Comment by __s 4 days ago
Next up, "millions of malicious packages still not taken down on internet"
Comment by maxerickson 4 days ago
Comment by TomK32 4 days ago
pacman -Qm
Comment by rvz 4 days ago