this post was submitted on 12 Jun 2026
226 points (100.0% liked)

Linux

[–] thingsiplay@lemmy.ml 56 points 4 days ago* (last edited 4 days ago) (7 children)

As a user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff, and only if you trust the maintainer. And to at least have a look if something suspicious is going on with the recent changes in the package recipe. AND to read in the communities and news.

I don't understand why there is still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/ . Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.
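One way to do the "have a look at the recent changes in the package recipe" step from the comment above, as an added example that is not part of the thread and not code from yay or any other AUR helper. It takes the PKGBUILD you last built and the proposed update, pulls out the parts a reviewer should read first (new download sources or hosts, checksums set to SKIP, newly added shell functions) and returns the full unified diff alongside them. The two recipes, their hosts and their checksums are constructed for the demonstration; `review_pkgbuild_change` and `bash_array` are names chosen here, not AUR or makepkg API.

```python
"""Summarise what changed in a PKGBUILD before building the update.

Added example, not code from the thread or from any AUR helper. The two
recipes below are constructed; hosts and checksums are invented.
"""
import difflib
import re
from urllib.parse import urlparse

# Constructed: the recipe as it was when the package was last built.
OLD_PKGBUILD = """\
pkgname=example-app
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/releases/example-app-${pkgver}.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')

build() {
  cd "$srcdir/example-app-$pkgver"
  make
}
"""

# Constructed: the proposed update. It adds a second download from another host,
# skips its checksum, and introduces a prepare() function that was not there before.
NEW_PKGBUILD = """\
pkgname=example-app
pkgver=1.2.1
pkgrel=1
source=("https://example.invalid/releases/example-app-${pkgver}.tar.gz"
        "https://mirror.example.test/helper.sh")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222'
            'SKIP')

prepare() {
  cd "$srcdir"
}

build() {
  cd "$srcdir/example-app-$pkgver"
  make
}
"""

ARRAY_ITEM = re.compile(r"""["']([^"']*)["']""")
FUNC_DEF = re.compile(r"^(\w+)\s*\(\)\s*\{", re.M)


def bash_array(text, name):
    """Items of a (possibly multi-line) bash array assignment `name=(...)`.
    Only quoted items are handled, which is how source/checksum arrays are written."""
    m = re.search(r"^" + re.escape(name) + r"=\((.*?)\)", text, re.M | re.S)
    return ARRAY_ITEM.findall(m.group(1)) if m else []


def hosts_of(sources):
    """Set of hostnames referenced by URL-style source entries."""
    return {urlparse(s).hostname for s in sources if "://" in s}


def review_pkgbuild_change(old, new):
    """Return the review-relevant differences between two PKGBUILD texts."""
    old_src, new_src = bash_array(old, "source"), bash_array(new, "source")
    new_sums = bash_array(new, "sha256sums")
    return {
        "added_sources": [s for s in new_src if s not in old_src],
        "removed_sources": [s for s in old_src if s not in new_src],
        "new_hosts": sorted(hosts_of(new_src) - hosts_of(old_src)),
        # Source entries whose checksum is SKIP (so makepkg verifies nothing for them).
        "skipped_checksums": [
            new_src[i] if i < len(new_src) else f"#{i}"
            for i, c in enumerate(new_sums) if c == "SKIP"
        ],
        "added_functions": sorted(set(FUNC_DEF.findall(new)) - set(FUNC_DEF.findall(old))),
        "diff": "".join(difflib.unified_diff(
            old.splitlines(True), new.splitlines(True),
            "PKGBUILD (last built)", "PKGBUILD (update)")),
    }


if __name__ == "__main__":
    findings = review_pkgbuild_change(OLD_PKGBUILD, NEW_PKGBUILD)
    for key, value in findings.items():
        if key != "diff":
            print(f"{key}: {value}")
    print(findings["diff"])
```

In practice the "old" text is the PKGBUILD from the previous commit of your local clone of the AUR package (for a git checkout, `git show HEAD~1:PKGBUILD` gives it) and the "new" text is the current one; the summary is meant to be read before the full diff, not instead of it.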

[–] trevor@lemmy.blahaj.zone 34 points 4 days ago* (last edited 4 days ago) (6 children)

The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn't notify people through official channels, only to find it later on /r/archlinux 🙄🙄🙄

[–] Aatube@kbin.melroy.org 23 points 4 days ago (1 children)

since the 2022 grub incident, Arch has done a great job at notifying the news channel when "manual intervention required" AFAIK, and I don't remember any instances of Arch maintainers only notifying Reddit (and I don't think they notified Reddit for the grub incident either lol).

[–] araneae@beehaw.org 6 points 4 days ago* (last edited 4 days ago) (1 children)

> This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer.

Unfortunately not foolproof either. I have no infected packages that I know of because I happen to be on a new install, but I caught wind of the LAST AUR botnet infiltration and switched to flatpaks or source builds. Since then I drifted back to AUR for convenience. I thought I was being clever only using AUR packages when I could be "sure" the author of the original software package pushed to AUR, and this was easy since devs who build on Arch typically recommend AUR whether they maintain the package or not. Today I found out spoofing package ownership is apparently easy and so is spoofing git credentials.

I was on Endeavour and it was incredible, but I'm not That Power User and I feel like part of the problem. The worst part of all of this is it's owing to an influx of users who want the same ease of use they used to enjoy, but in Windows SOP is installing whatever the fuck you want on Internet Explorer and bugging your sysadmin to fix whatever happens. It's probably really hard to be any kind of FOSS developer right now.

[–] bizdelnick@lemmy.ml 34 points 4 days ago (2 children)

> More Than 400

1579

I don't use Arch BTW.

[–] taiyang@lemmy.world 9 points 4 days ago

Useful list for those who do use Arch; I've only got like two things from AUR and neither is on that list (although I kinda recognize a couple with slightly different names, like what, knock off plugins for official stuff?)

[–] ShinkanTrain@lemmy.ml 14 points 4 days ago
[–] KarnaSubarna@lemmy.ml 7 points 3 days ago
[–] James@lemmy.ca 5 points 3 days ago (2 children)

The AUR is basically just a shortcut for downloading random shit off GitHub.

It gives inexperienced users a false sense of security.

[–] HaraldvonBlauzahn@feddit.org 1 points 2 days ago* (last edited 2 days ago)

> The AUR is basically just a shortcut for downloading random shit off GitHub.
>
> It gives inexperienced users a false sense of security.

As is "pip install" by the way.

[–] IEatDaFeesh@lemmy.world 11 points 4 days ago (2 children)

Ahh clearly Arch users didn't RTFM before installing shit. Skill issue.

PS: The above is an invitation to self-care, not an insult.

[–] ohshit604@sh.itjust.works 16 points 4 days ago (1 children)

I must say, Read The Fucking Manual is a bit more clear than Read The Friendly Manual.

[–] yetAnotherUser@lemmy.ca 9 points 4 days ago (2 children)

I disagree with the post you put here on a single thing: the manual is sometimes bad.

[–] wuphysics87@lemmy.ml 10 points 4 days ago (1 children)

Is that worse than not reading it at all? Often it is a lead to something more useful

[–] yetAnotherUser@lemmy.ca 3 points 3 days ago

You know what? You're right

[–] Evil_Incarnate@sopuli.xyz 4 points 3 days ago

Best not to read any then, if it might be bad.

I've seriously gone through manuals in languages foreign to me and still learnt something from it.

My partner doesn't and will only use the basic features of tech. I read the manual, and I'm suddenly a wizard because I got two Bluetooth speakers to pair with each other and get stereo from them.

[–] thingsiplay@lemmy.ml 9 points 4 days ago

Reading the manual clearly won't help with the issue here. This is clearly not an appropriate use of RTFM terminology here, because it does not apply. The problem here is not that the user needs to read before asking for help. The problem here is to understand the changes made in the script are malicious. And reading the manual won't help with that.

[–] MonkeMischief@lemmy.today 8 points 3 days ago (9 children)

Whelp... I've REALLY loved EndeavourOS for my laptop, especially because I felt I could mess around with stuff, but maybe this is my call to use something like Fedora or an OpenSUSE variant (I love Tumbleweed dearly).

Nothing against the incredible Arch, but I'm deffos that user who does

> yay 
> "Build files exist. Do clean build? N"  
> "View changes? N".

ENTER.

I want to learn, but also I'm a bit of a danger to myself if this malware threat is this broad.

[–] zipkag@lemmy.world 3 points 3 days ago

Maybe someone here can advise. I ran two of the available "checking" scripts to see if I have any packages installed. Both came up with 1 package I have installed. It is gtkimageview, which is on the list.

However, if I look through the pacman.log I see it was installed on 2024-10 and last upgraded 2025-01. It seems to me that suggests I installed it before this all started, so I'm probably not infected?
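The check described in the comment above (compare the installed packages against the published list, then read the install and upgrade dates out of pacman.log) as an added example; it is not one of the "checking" scripts mentioned in the thread. It parses the `[ALPM] installed/upgraded/removed` lines that pacman writes, keeps only packages on the affected list that are still installed according to the log, and reports when each was first seen, when it last changed, and whether any install or upgrade fell on or after the incident start. The log excerpt, the affected-package list and the incident date are all constructed here; on a real system the list comes from the Arch news post and the date from the advisory. Note what the result does and does not say: "no change since the incident start" means the installed build was not fetched from a later commit; it says nothing about the contents of that earlier build.

```python
"""Check installed packages against a list of affected AUR package names,
using the install/upgrade history recorded in /var/log/pacman.log.

Added example, not one of the checking scripts mentioned in the thread.
The log excerpt, the affected-package list and the incident date are all
constructed for the demonstration.
"""
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of pacman's log lines; the dates are invented.
SAMPLE_LOG = """\
[2024-10-03T14:02:11+0000] [ALPM] installed gtkimageview (1.6.4-6)
[2024-10-03T14:02:11+0000] [ALPM] installed some-other-pkg (2.0-1)
[2025-01-20T09:15:40+0000] [ALPM] upgraded gtkimageview (1.6.4-6 -> 1.6.4-7)
[2025-03-08T18:44:02+0000] [ALPM] removed some-other-pkg (2.0-1)
[2025-05-01T11:00:00+0000] [ALPM] installed bar-bin (3.1-1)
[2025-05-02T11:00:00+0000] [ALPM] removed bar-bin (3.1-1)
[2026-06-09T07:30:12+0000] [PACMAN] Running 'pacman -Syu'
[2026-06-09T07:30:12+0000] [ALPM] upgraded foo-git (r120.abc1234-1 -> r121.def5678-1)
"""

# Stand-in for the published list of affected package names (constructed, not the real list).
AFFECTED = {"gtkimageview", "foo-git", "bar-bin"}

# Assumed placeholder for when the malicious commits started; take the real date from the advisory.
INCIDENT_START = datetime(2026, 6, 1, tzinfo=timezone.utc)

# One [ALPM] package event per line: timestamp, action, package name, version text.
ALPM_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] "
    r"(?P<action>installed|reinstalled|upgraded|downgraded|removed) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]*)\)$"
)


def package_history(log_text):
    """Map package name -> chronological list of (timestamp, action, version text)."""
    history = {}
    for line in log_text.splitlines():
        m = ALPM_LINE.match(line)
        if not m:
            continue  # [PACMAN] command lines, hook output, warnings, etc.
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        history.setdefault(m["pkg"], []).append((ts, m["action"], m["ver"]))
    return history


def check_against_list(log_text, affected, since):
    """For each affected package whose last log event is not a removal, report when it
    was first seen, when it last changed, and whether any install/upgrade is on or after `since`."""
    report = {}
    for pkg, events in package_history(log_text).items():
        if pkg not in affected or events[-1][1] == "removed":
            continue
        changes = [e for e in events if e[1] != "removed"]
        report[pkg] = {
            "first_seen": changes[0][0],
            "last_changed": changes[-1][0],
            "changed_since_incident": any(e[0] >= since for e in changes),
            "versions": [e[2] for e in changes],
        }
    return report


if __name__ == "__main__":
    # On a real system: check_against_list(open("/var/log/pacman.log").read(), <list>, <date>)
    for pkg, info in check_against_list(SAMPLE_LOG, AFFECTED, INCIDENT_START).items():
        flag = "CHANGED AFTER INCIDENT START" if info["changed_since_incident"] else "no change since incident start"
        print(f"{pkg}: first seen {info['first_seen']:%Y-%m-%d}, "
              f"last changed {info['last_changed']:%Y-%m-%d}: {flag}")
```

The log only reflects what pacman did on this machine, so a package that was installed by hand with `pacman -U` still shows up, but one whose log lines were rotated away will not; cross-check with `pacman -Qm` (foreign, i.e. non-repository, packages) if the log does not go back far enough.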

[–] sonofearth@lemmy.world 5 points 3 days ago (3 children)

Maybe maintenance of packages shouldn't just be handed over to newly created accounts. This is a design flaw on AUR's part. As Linux popularity rises, these types of attacks will just keep growing. There should also be some sort of system where it is easy to verify that the maintainer of the package is also the actual developer. Like brave-bin has Brave as the maintainer, who are also the creator. Just give a green check mark to them or something.

[–] bitfucker@programming.dev 3 points 2 days ago* (last edited 2 days ago) (1 children)

Or maybe don't use AUR blindly? You're doing the equivalent of `sudo curl | bash`. Who knows what the script is doing. So only do it if you truly trust it. That's why we have warnings plastered all over. That's also why a warning label and sticker exists. And this is precisely the reason easy, no-user-input AUR helpers are greatly discouraged.

[–] sonofearth@lemmy.world 1 points 2 days ago (3 children)

> That’s why we have warnings plastered all over.

Plastering warning labels everywhere is a cheap way to shift 100% of the accountability onto the user. Security should be built into the AUR's design (throttling new accounts, forcing forks for orphaned takeovers or maintainer-developer verification), not outsource your job to the users as a reading assignment before every system update. Humans are the final layer of defense, not the first.

> Or maybe don’t use AUR blindly? You’re doing the equivalent of sudo curl | bash... So only do it if you truly trust it.

There is a massive difference between blindly curling a random script from the open web and using a centralized, organized community repository. Yes, AUR helpers are not recommended, but they exist and are used by the majority of Arch users, and you can't expect the user to know code and PKGBUILDs, especially when distros like CachyOS make it so damn easy to install the OS with AUR being just a checkbox away.

[–] davetortoise@reddthat.com 7 points 3 days ago (1 children)

"No way to prevent this" says only repository where this regularly happens

[–] sonofearth@lemmy.world 2 points 2 days ago* (last edited 2 days ago)

I am gonna get a lot of hate for this but the AUR flaws are hidden behind a legal warning of “At your own risk”. They just don’t want to take the legal consequences for this. That’s why there are basically 0 preventive measures for detecting bad actors and preventing malicious attacks.

I can think of some solutions:

  1. If a package is orphaned then let a potential maintainer just fork it and flag the original for deletion. So the user who has actually installed the old package and wants an update will manually go out looking for the updated one instead of just doing a yay -Syu one day and getting malware on the system.
  2. If the developer and maintainer are the same for an AUR package, let them maybe add an ArchWiki-style captcha, whose output can be added to the upstream repo like in a .aurverification file, which can be detected by AUR when putting in the upstream repo URL, and the maintainer must verify with that captcha every 6 months or so just to prove active development. If they fail to do so, mark the package as abandoned or unverified.
  3. Newly created accounts will have a cooldown of a week to add a new package to the AUR (I don’t know if this exists already as I haven’t looked into it). And they can only create one repo in a month until a year has passed. They can take over or fork orphaned packages only after a year and if they are maintaining at least one repo of their own.
[–] HaraldvonBlauzahn@feddit.org 1 points 2 days ago (6 children)

> Maybe maintenance of packages shouldn’t just be handed over to newly created accounts. This is a design flaw on AUR’s part.

That is the whole purpose of AUR, users can create and share packages with minimum fuss. That does not mean that it is a good idea to run the code of some random guy on your computer.

But open source has always worked like that, by code sharing and collaboration - on tapes, on FTP servers, on Sourceforge or github and today on codeberg. The way the Arch User Repository (this is AUR spelled out) makes this easy is great!

Just don't run random code that you don't understand, and cannot reasonably trust.

[–] starblursd@lemmy.zip 10 points 4 days ago* (last edited 3 days ago) (3 children)

There were announcements and a security ping in the Arch Linux community Discord... But I wish they'd be more vocal on this outside Discord, especially given Discord's controversy as of late.

Update: they finally posted about it in the Arch news feed last night... A bit late but better than never. npm removed the malicious package, but then the bad actors started using bun instead...

As others have proposed, I really think that orphaned packages should require a moderator of the aur to approve the commit and acquisition of an orphaned package. Currently nothing stops someone from spinning up accounts and hijacking these abandoned projects

[–] M33@piefed.world 10 points 4 days ago

Wow that’s bad 🫢

[–] demizerone@lemmy.world 4 points 3 days ago

I learned 10 years ago not to use aur helpers because they hide the sources. Aurutils + vifm baby!

[–] HaraldvonBlauzahn@feddit.org 1 points 2 days ago* (last edited 2 days ago) (1 children)

Also keep in mind that Arch is (differently from FOSS diehard people like Debian maintainers) quite permissive in what it accepts. This might be comfortable to get some hardware running, but with this you get also stuff like Brave Browser in the software directory which, how do I say this, might not be the best choice for privacy.

So, if you want privacy and safety, you should have a good look at what you install.

[–] bitfucker@programming.dev 3 points 2 days ago* (last edited 2 days ago) (1 children)

AUR is not an Arch-maintainer-vetted repo tho. Even librewolf is not in the Arch repo.

The closest equivalent of AUR is PPA/launchpad

[–] HaraldvonBlauzahn@feddit.org 1 points 2 days ago

> AUR is not an Arch-maintainer-vetted repo tho.

Oh, of course. I didn't repeat that, because this is clearly stated in the docs and should be well known now.
