FiniteBanjo

joined 5 months ago
[–] FiniteBanjo@programming.dev 6 points 6 hours ago

I always check with my contract lawyer before installing or updating from the AUR. It's worth it for me.

[–] FiniteBanjo@programming.dev 1 points 6 hours ago

I miss the browser, but luckily I haven't played RS since the new CEO cancelled new Pride Events right after the Trump Admin was reelected.

[–] FiniteBanjo@programming.dev 2 points 6 hours ago

Yeah, it seems like these sorts of problems aren't necessarily due to an insecure system like the AUR but more so because of the target's publicity and popularity, which is definitely the case with the rise of CachyOS.

[–] FiniteBanjo@programming.dev 1 points 7 hours ago* (last edited 6 hours ago)

I'm not real clear on if this is the case but you could try:

  1. Have you installed or updated from the AUR before, such as with Yay? Specifically after June 5th? If so, check this list or the post above for a list of compromised packages. https://gr.ht/aur_pkg_list.txt

  2. Maybe `pacman -Q | grep atomic-lockfile` because that appears to be what the threat actor is installing but I'm not really sure if that's how it works...?

EDIT: If you really want to play it safe then you could try `yay -R $(pacman -Qmq)` to remove every AUR package and wait out the storm, just be careful to back up important files.
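
An added example, not part of the comment above or of any Arch tooling: a shell function that cross-checks install and upgrade entries in a pacman log against a saved copy of a package list, keeping only entries on or after a cutoff date. It assumes the list has one package name per line; the function names, sample package names and dates are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumptions: the list holds one package name per line, and the
# log uses pacman's "[timestamp] [ALPM] installed|upgraded NAME (VERSION)" entries.

# flag_listed_installs LOG LIST CUTOFF
# Prints "DATE ACTION PACKAGE" for each install/upgrade/reinstall dated on or
# after CUTOFF (YYYY-MM-DD) whose package name appears in LIST.
flag_listed_installs() {
    awk -v cutoff="$3" '
        FILENAME == ARGV[1] {                 # first file: the package list
            sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "" && $0 !~ /^#/) listed[$0] = 1
            next
        }
        {
            tag = 0                           # locate "[ALPM]": older logs split
            for (i = 2; i <= 3; i++)          # the timestamp into two fields
                if ($i == "[ALPM]") { tag = i; break }
            if (!tag) next
            action = $(tag + 1); pkg = $(tag + 2)
            if (action !~ /^(installed|upgraded|reinstalled)$/) next
            day = substr($1, 2, 10)           # "[2025-06-07T..." -> "2025-06-07"
            if (day >= cutoff && (pkg in listed)) print day, action, pkg
        }
    ' "$2" "$1"
}

# Runs the check on constructed sample data (made-up names, dates and cutoff).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'example-tool-bin' 'sample-theme-git' > "$dir/list.txt"
    cat > "$dir/pacman.log" <<'EOF'
[2025-06-01T09:00:00+0000] [ALPM] installed example-tool-bin (1.0-1)
[2025-06-07T10:15:02+0000] [ALPM] upgraded example-tool-bin (1.0-1 -> 1.1-1)
[2025-06-08T11:00:00+0000] [ALPM] installed harmless-pkg (2.3-1)
[2025-06-09T12:30:00+0000] [PACMAN] Running 'pacman -U sample-theme-git.pkg.tar.zst'
[2025-06-09T12:30:05+0000] [ALPM] installed sample-theme-git (r12-1)
EOF
    flag_listed_installs "$dir/pacman.log" "$dir/list.txt" 2025-06-05
    rm -rf "$dir"
}
```

On a real system the log is normally `/var/log/pacman.log`; any name this prints that also appears in `pacman -Qmq` is still installed as a foreign package.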

[–] FiniteBanjo@programming.dev 1 points 7 hours ago

I tend to be a little antsy around anti-capitalists. Too many bad run-ins with Tankies.

[–] FiniteBanjo@programming.dev 15 points 21 hours ago (4 children)

Are you one of the malicious actors? That's some shit I'd expect to hear from the people doing this, trying to justify the attack by blaming the users for "capitalism".

[–] FiniteBanjo@programming.dev 3 points 21 hours ago* (last edited 21 hours ago)

EDIT: No, sorry, alvr was just one package, there is no specific source for the infection, just one or many malicious users: https://gr.ht/aur_pkg_list.txt

[–] FiniteBanjo@programming.dev 17 points 22 hours ago* (last edited 21 hours ago) (9 children)

~~Users can check if they're already compromised with `pacman -Q | grep alvr` I think maybe?~~ EDIT: No, sorry, alvr was just one of countless affected packages. Also, several is an understatement since a huge number of packages are affected.

Post with more information here: https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

[–] FiniteBanjo@programming.dev 1 points 22 hours ago

Sure you can, you just gotta wait for it to be orphaned and then you can do unimaginably horrible things with it. Of course, that doesn't constitute legal ownership, but still.

[–] FiniteBanjo@programming.dev 4 points 6 days ago

Imagine if it had no internet access but it had all the relevant docs.