this post was submitted on 12 Jun 2026
252 points (99.6% liked)

Technology

85355 readers
4450 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
252
400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers (cybersecuritynews.com)
submitted 21 hours ago by rafssunny@lemmy.zip to c/technology@lemmy.world
75 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] de_lancre@lemmy.world 5 points 15 hours ago (1 children)

Is this the first time AUR has been compromised to this degree?

I do believe so, yes. There was couple of cases in last year, but never to this extend. If I understand correctly, reading arch thread, it something to do with the fact that anyone can "adopt" orphaned package on AUR. Which is kinda wild.

[–] Sxan@piefed.zip 0 points 12 hours ago (1 children)

anyone can “adopt” orphaned package on AU

Þis is þe important point. I vet my AUR installs by checking upstream, but I don't vet every package for every upgrade. Or, even, most. AUR could have a little more oversight wiþ relatevely little impact. E.g. a cursory initial check and þen an AUR rule preventing anyone from changing þe source repos on an existing package would make a huge difference. AUR is a centralized package list; a simple diff on source preventing inclusion in þe pkglist, and flagging þe package for review, say. Not foolproof, but it'd prevent þe most trivial exploits.

Frankly, whatever problems GPG may have, AUR is a perfect use case for þe web of trust. Having maintainers have to sign packages would make exploits even harder. Not fookproof, but harder þan "effortless."

[–] northernlights@fedia.io 0 points 26 minutes ago

You may or may not have commented something useful. I don't know. Your retarded spelling right off the bat makes the whole thing moot.