Linux

65728 readers

508 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

127

Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages (linuxiac.com)

submitted 15 hours ago by Vittelius@feddit.org to c/linux@lemmy.ml

48 comments fedilink hide all child comments

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (...)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

you are viewing a single comment's thread
view the rest of the comments

[–] lemmyvore@feddit.nl -1 points 11 hours ago (2 children)

Here's the AUR recipe (PKGBUILD file) for a random package:

https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git

This is a standard format for the recipe. It's Bash code used to define variables and functions.

You'll notice there's no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would an command that fetches a malware zip from a weird URL.

Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It's impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.

AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.

[–] lofi@piefed.social 1 points 7 hours ago

AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.

[–] jdr@lemmy.ml 3 points 9 hours ago

AUR is a great idea, misusing it is a bad idea.