this post was submitted on 12 Jun 2026
96 points (99.0% liked)

Technology

85342 readers
4387 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
96
Arch Linux's AUR Sees More Than 400 Packages Compromised With Malware (www.phoronix.com)
submitted 10 hours ago by Some_Emo_Chick@lemmy.world to c/technology@lemmy.world
22 comments fedilink hide all child comments
top 22 comments
sorted by: hot top controversial new old
[–] badgermurphy@lemmy.world 2 points 2 hours ago

These guys are slacking! Didn't they read the RFC for this?

https://www.rfc-editor.org/info/rfc3514/ https://en.m.wikipedia.org/wiki/Evil_bit

Amateurs!

[–] mal3oon@lemmy.world 11 points 5 hours ago

Currently you can use https://github.com/lenucksi/aur-malware-check to do a check if you're infected. My main server was safe, still haven't tested on my wayland machine though, I went yolo with that one. No important keys at least are there.

[–] Lukario@sh.itjust.works 6 points 5 hours ago

I don't use arch, btw.

[–] Imgonnatrythis@sh.itjust.works 5 points 5 hours ago

This must be fake news because several hundred people told me there is no malware on Linux.

[–] DevDave@piefed.social 4 points 6 hours ago

Definitely a few unfortunate victims to stuff like libyami if using some sort of shell autocomplete. Few others would likely catch younger people, eg the implied apk side channel deployment packages.

[–] VivianRixia@piefed.social 19 points 9 hours ago (1 children)

Thankfully I'm clear, but I am guilty of haphazardly installing junk from the AUR, I should clean that up and uninstall everything but the stuff I really use.

[–] rozodru@piefed.world 4 points 8 hours ago

yeah when I was using Arch I was also an AUR junky. if this was happening back then I know I would have 100% been screwed.

[–] just_another_person@lemmy.world 11 points 9 hours ago (3 children)

They should have some sort of static code scanners on the repos at rest at this point that look for certain patterns and issue warnings.

[–] boatswain@infosec.pub 6 points 8 hours ago

Polymorphic malware is probably one of the easier things to do with LLMs, so static scanners seem of limited use.

[–] deadcade@lemmy.deadca.de 5 points 8 hours ago (1 children)

Since this installed a malicious dependency from NPM (and later with bunjs) in the pre install script, it would need at least complex correlation to catch. Maybe building and installing all AUR packages, which would cost far too much for the Arch team.

Individually and automatically scanning only the PKGBUILDs (the stuff actually on the AUR) would likely not have caught this.

That doesn't mean it's a bad idea to run a basic scan over every change, but it wouldn't magically "fix" aur malware.

[–] just_another_person@lemmy.world 1 points 7 hours ago

It's enough to build a pattern match and scan against it being elsewhere. Surely they did at least much to find all these packages with malware.

[–] Tetsuo@jlai.lu 1 points 9 hours ago (1 children)

I wish it was that simple but I doubt there is any scanner that can differentiate between legitimate and malicious code.

Maybe an AI but even then it would probably be quite unreliable.

[–] FaceDeer@fedia.io 3 points 8 hours ago (1 children)

Unreliable is still a step up from completely absent.

[–] Tetsuo@jlai.lu 2 points 8 hours ago

Maybe. But an unreliable scanner means a human has to check all the false positives and false negatives which can quickly take a lot of time for projects that are run by benevolent devs.

It's really important to keep in mind this is done for free and that supply chain attacks like this one are very hard to identify.

I mean this is usually not the devs being careless, it's very complex attacks on projects with very limited ressources. Attackers even sometimes choose purposefully projects that are "understaffed" (well, more understaffed than others).

[–] northernlights@fedia.io 7 points 8 hours ago (1 children)

how did this happen? the linked thread show people identifying the infected packages and cleaning them up but no word about how it happened or how to prevent it.

[–] rozodru@piefed.world 20 points 8 hours ago (1 children)

I think it was essentially orphaned stuff that got "picked up" by a "new maintainer" and that's how it happened.

[–] northernlights@fedia.io 4 points 8 hours ago (1 children)

oh I saw "clang" in the list of packages and got worried

[–] Telorand@reddthat.com 1 points 6 hours ago (1 children)

You're only affected if you use the AUR. As far as I understand it, the core packages themselves are fine, so this is more of a MitM attack, where somebody compromised the package download streams

[–] cobalt32@lemmy.blahaj.zone 1 points 6 hours ago (1 children)

This is not a MitM attack.

[–] Telorand@reddthat.com 1 points 4 hours ago (1 children)

How is it not? They didn't take over the core projects, they took over the midstream distribution.

[–] northernlights@fedia.io 1 points 3 hours ago

A MitM attack defines the attack technique, not the target. It's when the target wants to connect to something but it connects through you first, and you forward while collecting/altering data. My question was about the attack used. But yeah, a mass takeover of everything orphaned would do it.

[–] RickyRigatoni@piefed.zip 1 points 6 hours ago

O deer