this post was submitted on 12 Jun 2026
224 points (99.6% liked)

Linux

13955 readers
484 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
224
Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages (linuxiac.com)
submitted 1 day ago by cm0002@lemy.lol to c/linux@programming.dev
65 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] hoppolito@mander.xyz 8 points 1 day ago* (last edited 1 day ago) (3 children)

And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).

That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.

Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.

[–] brucethemoose@lemmy.world 3 points 12 hours ago* (last edited 12 hours ago)

Paru shows them by default, and it’s basically impossible to disable.

It is a little too easy to skip past it, though.

[–] jcarax@beehaw.org 2 points 13 hours ago

Yeah, it's never sat very well with me. I've gone through cycles where I'll use a good bit of AUR, to none at all. I had been using a handful of things, but realized that almost all of it was Python stuff that I could more safely install with pip or uv, so I've migrated all of that. The one thing left is Manuskript, and it hardly gets updates anyway.

[–] victorz@lemmy.world 8 points 1 day ago

Paru shows you the diffs by default.

I just run paru when I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.

Of course, inspecting the PKGBUILDs still doesn't protect us from having the actual software repositories compromised. Just because only the source hash changed doesn't mean the software doesn't have malware now.

That's where I draw the line regarding trust. I don't feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅