Arch Linux Malware Incident (~ 1,500 Packages)

An ongoing security incident in the Arch User Repository (AUR), where a contributor identifies and provides a massive list of ~ 1500 compromised packages targeting the malicious js-digest npm package. :eyes:

Also see: Arch Linux AUR affected-package list after malicious commits were deleted

7 Likes

Did anyone get affected by those 1,500 packages listed?


Only two packages I use from the aur :

  • nvidia-390xx-dkms
  • nnn-nerd

I’ve always considered that this could happen, and it has happened before.
Also, one extra tip for newbies: never use an AUR helper such as yay and trust the user repository blindly; it’s not built with CI. Instead, do these safe steps:

  1. Use git
  2. Read the PKGBUILD
  3. Verify the sources / checksums
  4. Run makepkg safely

6 Likes

Not much (2 are from myself)

arc-gtk-theme 20221218-2
archlinux-kernel-manager 25.01-20
asunder 3.0.2-1
cert-checker 1.4.0-1
gksu 2.0.2-6
guitarix.vst 0.5-1
kinit 5.116.0-1
kvm-configurator 1.0.9.9-1
networkmanager-qt5 5.116.0-3
nvidia-575xx-dkms 575.64.05-2
pipewalker 1.1-1
puddletag 2.5.0-2
4 Likes

I’ve never used Arch myself, but reading about this issue—and particularly how easy it is to take over maintainership in the AUR—I’m surprised this hasn’t happened earlier. Feels like the entire thing is built on a gentleman’s agreement.

4 Likes

Yeah, you could call it that. When it comes to trust, I see no difference between this and Windows users who download their software from websites. There have been quite a few issues there, too, or the Google search results don’t always show the developer’s official site at the top.

The AUR is ONE way to share software—but if you trust it blindly (see the analogy with Windows), you might end up getting burned.

Are Flatpak and AppImages more trustworthy or secure? I don’t know, but I doubt it.

7 Likes

I have Endeavour OS installed, and I use yay - so the “potential” to get AUR packages is there. I’ve seen a few brief spikes in the number of packages updated but as of yesterday and today, it seems to have stabilized.

The way I figure it, I have a solid setup; if these builds deteriorate considerably, I can reinstall an older build from a Flash Drive or just wait until the problems are resolved and THEN do my yay -Syu to update my system.
I use Endeavour OS, but I don’t rely on it; to explain, I currently have five distributions on my main laptop and I have four laptops that have Linux distributions on them; only ONE of them has an Arch derivative; needless to say, I can tinker and have something usable available to me, plus I have USB drives containing other instances and even other distributions; I’d have to have everything completely wiped out to be “out of business”; that would probably spell my own demise, so that’s nothing in the immediate plan for my systems or my actual life!

3 Likes

Regarding Flatpak, at least there is some verification process to get your app in the Flathub store, but updates are not checked. However, you do need to get through verification again if you change permissions or if someone else wants to take over maintainership.

4 Likes

One tip I was given is to delay the installation of packages by a few days, as malware insertions like these are usually caught quickly.

I don’t know how you would implement that though.

3 Likes
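One way to implement the delay tip from the post above, as an added example that is not from anyone in this thread: a script that asks the AUR RPC (the v5 `info` endpoint, whose results carry a `LastModified` unix timestamp for each package base) when a package last changed and holds back anything modified within the last few days, while also flagging packages the AUR no longer returns (what a package deleted in a cleanup looks like). The sample response, the timestamp and the names `fresh-pkg` and `gone-pkg` are constructed; `nnn-nerd` is only borrowed from the list earlier in the thread.

```python
#!/usr/bin/env python3
"""Hold back AUR packages whose package base changed recently (added example)."""
import json
import sys
import time
import urllib.parse
import urllib.request

AUR_RPC = "https://aur.archlinux.org/rpc/?v=5&type=info"
DAY = 86400


def classify(rpc_response, requested, min_age_days, now=None):
    """Return (ok_to_build, hold_back, missing).

    rpc_response: parsed JSON of an AUR RPC 'info' query; each result has a
    'LastModified' unix timestamp. Anything changed fewer than min_age_days
    ago is held back so others have time to notice a bad commit. Names in
    'requested' that the AUR does not return are reported as missing.
    """
    now = time.time() if now is None else now
    ok, hold, seen = [], [], set()
    for pkg in rpc_response.get("results", []):
        seen.add(pkg["Name"])
        age_days = (now - pkg["LastModified"]) / DAY
        (hold if age_days < min_age_days else ok).append((pkg["Name"], round(age_days, 1)))
    return sorted(ok), sorted(hold), sorted(set(requested) - seen)


def fetch_info(names):
    """Query the real AUR RPC for the given package names (needs network)."""
    query = "&".join("arg[]=" + urllib.parse.quote(n) for n in names)
    with urllib.request.urlopen(f"{AUR_RPC}&{query}", timeout=20) as resp:
        return json.load(resp)


# Constructed sample response (not real AUR data) so the logic runs offline.
SAMPLE_NOW = 1_700_000_000
SAMPLE_RESPONSE = {"results": [
    {"Name": "nnn-nerd", "LastModified": SAMPLE_NOW - 10 * DAY},   # old enough
    {"Name": "fresh-pkg", "LastModified": SAMPLE_NOW - 1 * DAY},   # too recent
]}
SAMPLE_REQUESTED = ["nnn-nerd", "fresh-pkg", "gone-pkg"]           # gone-pkg: not returned

if __name__ == "__main__":
    live = bool(sys.argv[1:])                 # pass package names to query the AUR
    names = sys.argv[1:] if live else SAMPLE_REQUESTED
    data = fetch_info(names) if live else SAMPLE_RESPONSE
    ok, hold, missing = classify(data, names, min_age_days=3, now=None if live else SAMPLE_NOW)
    print("ok to build:", ok)
    print("hold back  :", hold)
    print("missing    :", missing)
```

Run with the names from `pacman -Qm` to check your own foreign packages; only the "ok to build" set is worth passing on to the git / PKGBUILD / makepkg steps.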