To be fair basic checks should be done not just make account and in next 10 seconds accept abandoned package and publish malware
this post was submitted on 12 Jun 2026
112 points (98.3% liked)
Linux
65708 readers
405 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
Me, a Debian user watching that shitshow 😎
To potentially prevent this entire class of npm attacks in the future, you could edit
/etc/pacman.conf, uncomment
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg =
And set it to IgnorePkg = npm
Your system should prompt you to accept installing npm because it's in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something's off and refuse the install. This assumes you don't already have npm installed or need it for some reason.
edit: word is that bun command is being abused as well and may be worthwhile including in the space separated list:
IgnorePkg = npm bun
I feel like this always happens to npm specifically. They're definitely doing something wrong 💀
it's the way it's been setup; it needs a thorough revamping to make it as resilient as other supply chains.
not that other chains are bullet proof, it's just that npm people need to up their game to be atleast as good as the others.
That's another reason I like cachyos: they have a curated list of aur pkgs in their repo.
I too use CachyOS. But i am very new to it. Why are we more 'protected' than straight up Arch users? I like Cachy, but have a gripe with how some applications behave, especially Java based Apps, that have a native installer in AUR (not building from source). I have one application that is built in JAVA, and the text is so freaking small, all the pop-up windows open on the wrong place which makes the pointer inaccurate etc. But I digress. The question was more why should we feel more relaxed than the Arch guys and gals?
It's like having a "double check" from a trusted source, they compile selected stuff from the aur so I suppose it's a little more safe for the random user.
This is propably because app does not support fractional scaling. Some apps that does not support fractional scaling will either not be scaled (rendered at native display resolution), or scaled by system (will look blurry because window resolution does not match display resolution).
That makes sense. What is weird though is the dev wrote the app for multiple platforms, including Debian, RPM-based and a few others. So it not like it is one of those ‘compile only from source and good luck to yah’ kinda apps.
But thank you for the response. I do appreciate you taking the time!
attempt to download npm-based payloads during installation
Why npm and not python? It's installed on every arch system and wouldn't bring unnecessary attention 🤷
Because the NPM is a complete mess and it's super easy to exploit for supply-chain attacks by sneaking malware into one of the billion dependencies required by most popular packages.
But if you look at some of the packages, they explicitly added npm as a new dependency. It'd be much easier to sneak in a python script.
AUR "packages" are just a recipe file that runs some commands that sources packages from somewhere else and builds them then puts them in the format required by the AUR package manager.
Normally it's a source tarball downloaded directly from the project's Git repo. But it can also fetch and install a binary package (for closed source software). Or it can install Node modules, or Python modules etc.
Point is, you can't inject a script directly in AUR itself. You could add the malicious code directly to the recipe file but it would be obvious. You could also download a zip with the malware directly, but it would also be obvious.
So what they do is add the malware to modules published on another platform, and they're downloaded indirectly, as a dependency of the Nth grade.
It's very hard to detect, you can't really notice this kind of attack with a glance at the recipe.
I see. Thanks for the explanation.
But why would they care about supply chain attacks if they already have hacked into the package you're requesting? In that case, executing python scripts would be less noticeable
Here's the AUR recipe (PKGBUILD file) for a random package:
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git
This is a standard format for the recipe. It's Bash code used to define variables and functions.
You'll notice there's no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would an command that fetches a malware zip from a weird URL.
Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It's impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.
AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.
AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.
AUR is a great idea, misusing it is a bad idea.
this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit
What a terrible article.
"Multiple" packages mentioned in the title, but they're unable to actually name more than one in the article...
//edit
Actually, they did leave a link to the mailing list thread at the very end.
I should learn to read the entire article...
I was wondering 😅 Usually this source produces good content lol
.... how do i make npm generally not work on Linux? I don't use it and with how attack vectors are the majority of cases via NPM... and can be shipped as a binary to .
Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?
sudo {package-manager} remove npm nodejs sudo {package-manager} purge npm nodejs
npm: sudo tee /usr/local/bin/npm >/dev/null <<'EOF' #!/bin/sh echo "npm is blocked on this system." exit 1 EOF
sudo chmod 755 /usr/local/bin/npm
npx: sudo tee /usr/local/bin/npx >/dev/null <<'EOF' #!/bin/sh echo "npx is blocked on this system." exit 1 EOF
sudo chmod 755 /usr/local/bin/npx
Might break somethings but that's a part of boycotting something I guess.
Thanks, but
and can be shipped as a binary to
Maybe, just maybe, and nearly unmoderated repository where everybody can create packages, is not so secure after all? /s
And AUR is the reason I keep arch miles away from any of my systems.
Nobody ever says the AUR is safe. In fact they say specifically that it's not; for exactly the reasons you mention.
That's why it's the Arch USER Repository. You take your fate in your own hands when you choose to use it.
As for your comment about using a distro that has everything in the main repo? How so? Every flavour has software that isn't included in the main repos. For Arch based systems, that means either the AUR or Flatpaks. For Debian based systems, that means adding new repos to your sources, which is exactly as unsafe as the AUR in most cases, or using Flatpaks.
If you've ever added a repo on Ubuntu, than you've essentially used their version of an AUR. The end result is no different.
You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.
And no one has ever claimed the AUR to be safe.
yeah, it's essentially, you want software that's no the official repo go there.
Or you coukd just use Arch without installing an AUR helper?
And then, where get I 70% of my packages I need? For example a useful browser like brave? Yeah ...
Anywhere else, I just need the package from the brave project or their repo. I trust the brave project, I do not trust the AUR for reasons.
There is an install script for linux front and center on the page (classic curl into sh). For other distros, they're having you add their own repository and install from that. Just as sketchy.
It's unwise to trust Brave, anyway.