this post was submitted on 12 Jun 2026
[–] thingsiplay@lemmy.ml 38 points 1 week ago* (last edited 1 week ago) (4 children)

As a user of the AUR, this is devastating news to me. I am also guilty of accepting updates without reading the latest changes, even if yay asks me if I want to. This is a reminder to everyone to only install from the AUR for absolutely necessary stuff, and only if you trust the maintainer. And to at least have a look if something suspicious is going on with the recent changes in the package recipe. AND to read the communities and news.

I don't understand why there is still no official announcement as a warning from the Archlinux team at https://archlinux.org/news/ . Is there a different place for security news specifically about the AUR to subscribe to? EDIT: https://archlinux.org/news/active-aur-malicious-packages-incident/ They did it, an official message.

[–] trevor@lemmy.blahaj.zone 35 points 1 week ago (5 children)

The fact that the Arch maintainers seem to prefer Reddit over their own fucking news channel is what made me switch from Arch years ago. I got sick of upstream breaking changes fucking my system because they wouldn't notify people through official channels, only to find it later on /r/archlinux 🙄🙄🙄

[–] Aatube@kbin.melroy.org 18 points 1 week ago (1 children)

since the 2022 grub incident, Arch has done a great job at notifying the news channel when "manual intervention required" AFAIK, and I don't remember any instances of Arch maintainers only notifying Reddit (and I don't think they notified Reddit for the grub incident either lol).

[–] muhyb@programming.dev 3 points 1 week ago

It's been 4 years already? WTF?

[–] tanka@lemmy.ml 3 points 1 week ago (1 children)

What are you using now?

After the end of Win10 I moved to Arch, but I think my weekend will be filled with moving again. ^^

[–] trevor@lemmy.blahaj.zone 5 points 1 week ago

On my desktop, CachyOS 💀

It was years ago when Arch pissed me off, but I couldn't resist Arch-based distros forever. So far, I haven't been burned.

On my laptop, Asahi Linux, which is basically Fedora ARM with a custom kernel. I'd recommend Fedora to most general users.

[–] ramenu@lemmy.ml 2 points 1 week ago

They made an announcement though

[–] Aatube@kbin.melroy.org 7 points 1 week ago (3 children)

The Arch news channel is for breaking changes to Arch packages (so not the AUR) only. Maybe you could subscribe to aur-general@lists.archlinux.org.

[–] thingsiplay@lemmy.ml 6 points 1 week ago

They are actually putting a message on the regular news feed about the AUR! https://archlinux.org/news/active-aur-malicious-packages-incident/ As it should be. It just took a bit too long in my opinion, as discussions are going on since yesterday.

[–] araneae@beehaw.org 4 points 1 week ago* (last edited 1 week ago) (1 children)

This is a reminder to everyone to only install from the AUR for absolutely necessary stuff only, and only if you trust the maintainer.

Unfortunately not foolproof either. I have no infected packages that I know of because I happen to be on a new install, but I caught wind of the LAST AUR botnet infiltration and switched to flatpaks or source builds. Since then I drifted back to AUR for convenience. I thought I was being clever only using AUR packages when I could be "sure" the author of the original software package pushed to AUR, and this was easy since devs who build on Arch typically recommend AUR whether they maintain the package or not. Today I found out spoofing package ownership is apparently easy and so is spoofing git credentials.

I was on Endeavour and it was incredible, but I'm not That Power User and I feel like part of the problem. The worst part of all of this is it's owing to an influx of users who want the same ease of use they used to enjoy, but in Windows SOP is installing whatever the fuck you want on Internet Explorer and bugging your sysadmin to fix whatever happens. It's probably really hard to be any kind of FOSS developer right now.

[–] thingsiplay@lemmy.ml 4 points 1 week ago

Yes, definitely not foolproof. This is more of a wake-up call to be at least careful and reconsider every single AUR package one has installed. For me, I was lucky too. But in my case it wasn't pure luck that the few AUR packages I have installed aren't affected. See, I've been using the AUR for years (sparingly! including my own package :D) and I always feared orphaned packages and removed them as soon as I could. This incident here is proof I was right.

For some stuff I also prefer the Flatpak, because I do not trust everyone on the AUR, as they operate with root rights! When I brought this up on EndeavourOS, they disliked my opinion (as a fresh user) and the trusted community members there explained to me that the AUR is way safer than Flatpak, because there is a trust system of upvotes and everyone can flag the packages, and that Flatpak gives a wrong sense of security. That is what they told me and they totally ignored my issues with the AUR... one of the reasons why I do not visit the EndeavourOS community... I digress...

[–] bizdelnick@lemmy.ml 29 points 1 week ago (2 children)

More Than 400

1579

I don't use Arch BTW.

[–] taiyang@lemmy.world 6 points 1 week ago

Useful list for those who do use Arch; I've only got like two things from AUR and neither is on that list (although I kinda recognize a couple with slightly different names, like what, knock off plugins for official stuff?)

[–] chgxvjh@hexbear.net 3 points 1 week ago

Yesterday I got an email about how one of the packages from this list that I used to maintain was adopted.

[–] IEatDaFeesh@lemmy.world 12 points 1 week ago* (last edited 1 week ago) (2 children)

Ahh clearly Arch users didn't RTFM before installing shit. Skill issue.

PS: The above is an invitation to self-care, not an insult.

[–] ohshit604@sh.itjust.works 15 points 1 week ago (1 children)

I must say, Read The Fucking Manual is a bit more clear than Read The Friendly Manual.

[–] yetAnotherUser@lemmy.ca 9 points 1 week ago (2 children)

I disagree with the post you put here on a single thing: the manual is sometimes bad.

[–] wuphysics87@lemmy.ml 10 points 1 week ago (1 children)

Is that worse than not reading it at all? Often it is a lead to something more useful

[–] thingsiplay@lemmy.ml 7 points 1 week ago

Reading the manual clearly won't help with the issue here. This is clearly not an appropriate use of RTFM terminology here, because it does not apply. The problem here is not that the user needs to read before asking for help. The problem here is to understand the changes made in the script are malicious. And reading the manual won't help with that.

[–] sonofearth@lemmy.world 8 points 1 week ago (10 children)

Maybe maintenance of packages shouldn't just be handed over to newly created accounts. This is a design flaw on AUR's part. As Linux popularity rises, these types of attacks will just keep growing. There should also be some sort of system where it is easy to verify that the maintainer of the package is also the actual developer. Like brave-bin has brave has the maintainer who are also the creator. Just give a green check mark to them or something.

[–] davetortoise@reddthat.com 9 points 1 week ago (1 children)

"No way to prevent this" says only repository where this regularly happens

[–] bitfucker@programming.dev 2 points 1 week ago (4 children)

Or maybe don't use the AUR blindly? You're doing the equivalent of `sudo curl | bash`. Who knows what the script is doing. So only do it if you truly trust it. That's why we have warnings plastered all over. That's also why a warning label and sticker exists.

[–] M33@piefed.world 8 points 1 week ago

Wow that’s bad 🫢

[–] starblursd@lemmy.zip 8 points 1 week ago* (last edited 1 week ago) (1 children)

There were announcements and security pings in the Arch Linux community Discord... But I wish they'd be more vocal on this outside Discord, especially given Discord's controversy as of late.

Update: they finally posted about it in the arch news feed last night... A bit late but better than never. Npm removed the malicious package, but then the bad actors started using bun instead...

As others have proposed, I really think that orphaned packages should require a moderator of the aur to approve the commit and acquisition of an orphaned package. Currently nothing stops someone from spinning up accounts and hijacking these abandoned projects

[–] liinux@pawb.social 3 points 1 week ago* (last edited 1 week ago) (1 children)

There's a official Arch Linux D*scord?

[–] starblursd@lemmy.zip 3 points 1 week ago* (last edited 1 week ago) (1 children)

No, it's unofficial, but it's, I believe, the biggest/primary Arch Linux community Discord.

In their roles channel you can pick one to get security pings. Major ones typically also ping everyone, but some have those disabled.

[–] floquant@lemmy.dbzer0.com 6 points 1 week ago

You'll pry #archlinux from my cold dead hands

[–] James@lemmy.ca 7 points 1 week ago (2 children)

The AUR is basically just a shortcut for downloading random shit off GitHub.

It gives un-experienced users a false sense of security.

[–] MonkeMischief@lemmy.today 6 points 1 week ago (2 children)

Whelp... I've REALLY loved EndeavourOS for my laptop, especially because I felt I could mess around with stuff, but maybe this is my call to use something like Fedora or an openSUSE variant (I love Tumbleweed dearly).

Nothing against the incredible Arch, but I'm deffos that user who does

> yay 
> "Build files exist. Do clean build? N"  
> "View changes? N".

ENTER.

I want to learn, but also I'm a bit of a danger to myself if this malware threat is this broad.

[–] kuerbiskernoel@feddit.org 3 points 1 week ago (5 children)

Opensuse is great, been daily driving it for 1.5 years with no issues (issues were solved by booting an old snapshot and rolling back, updating again 2d later)

[–] somegeek@programming.dev 2 points 1 week ago* (last edited 1 week ago) (1 children)

Have you heard about the recent fuckups of fedora? fedora is a shitshow.

If you just yolo with yay anyway, you will get compromised on any system you use, no matter the OS or distro, my dude.

[–] MonkeMischief@lemmy.today 5 points 1 week ago

Have you heard about the recent fuckups of fedora? fedora is a shitshow.

Oh really? I guess I haven't. 😬

Yeah, it was late here, so I think I was poorly mushing two separate thoughts together there. I meant I was thinking of moving to a distro that isn't as bleeding-edge for the laptop I'm not updating every single day... But also I should find something that still has a nice large software variety so I stay off the AUR.

OpenSUSE has the "Open Build System" which I've used for like one package. So that's pretty neat.

This is really tough because I have two gamers in the family using Nvidia cards I want to help move off of Windows, but I don't want them running into having to roll back as often as I have or fiddle too much.

So I was considering the KDE spin of Fedora for them...But yeah, the answer isn't so easy anymore lol.

[–] helix@feddit.org 4 points 1 week ago

How do I check if a system has been affected most easily? As far as I have seen it's related to the npm package atomic-lockfile, so would that be enough?

`npm ls atomic-lockfile`

[–] chgxvjh@hexbear.net 3 points 1 week ago

Least surprising thing ever. Nothing is reviewed or approved, not even proforma

[–] whatiswrongwithyou@lemmy.ml 3 points 1 week ago

Dang, if only their packages were more up to date maybe this wouldn’t have happened.

[–] LadyCajAsca@hexbear.net 3 points 1 week ago (1 children)

the AUR ideally should have a dedicated team of moderators of packages round the clock but archlinux is a community distro, and you really shouldn't trust the AUR implicitly and treat it as literally downloading stuff from the internet through search because that's what it does most of the time.

I do use AUR though, and only one (obs-studio-liberty) is not endorsed by the programs I use from it

[–] demizerone@lemmy.world 3 points 1 week ago

I learned 10 years ago not to use aur helpers because they hide the sources. Aurutils + vifm baby!

[–] zipkag@lemmy.world 2 points 1 week ago

Maybe someone here can advise. I ran two of the available "checking" scripts to see if I have any packages installed. Both came up with 1 package I have installed. It is gtkimageview, which is on the list.

However, if I look through the pacman.log I see it was installed on 2024-10 and last upgraded 2025-01. It seems to me that suggests I installed it before this all started, so I'm probably not infected?
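Both the "is any of this installed?" question above and helix's earlier "how do I check" question come down to the same two lookups: match your foreign packages against the published list, then read each match's history out of pacman.log. This is an added example, not a script from the thread or from the Arch project; the affected names, the `pacman -Qm` output and the log lines in it are constructed sample data, and on a real system you would feed it the list from the Arch news post, `pacman -Qm` and `/var/log/pacman.log` instead.

```shell
#!/bin/sh
# Added example (not from the thread or Arch): report installed foreign (AUR)
# packages that appear on an affected-package list, with the install/upgrade
# dates pacman.log holds for each, so "did I get it before or after the
# incident?" can be answered per package. Inputs are plain text files:
#   affected: one package name per line   (copy from the advisory)
#   installed: `pacman -Qm` output         ("name version" per line)
#   log: /var/log/pacman.log
# Everything written below is CONSTRUCTED sample input so it runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
AFFECTED="$WORK/affected.txt"; INSTALLED="$WORK/installed.txt"; LOG="$WORK/pacman.log"

# Constructed stand-ins for the real affected list.
printf '%s\n' gtkimageview example-bin another-git > "$AFFECTED"
# Constructed `pacman -Qm` output: one listed package among unaffected ones.
printf '%s\n' 'gtkimageview 1.6.4-6' 'yay 12.4.2-1' 'obs-studio-liberty 31.0.2-1' > "$INSTALLED"
# Constructed pacman.log entries in the real log's "[time] [ALPM] action pkg (ver)" shape.
cat > "$LOG" <<'EOF'
[2024-10-03T18:02:11+0000] [ALPM] installed gtkimageview (1.6.4-5)
[2024-10-03T18:02:12+0000] [ALPM] installed yay (12.4.1-1)
[2025-01-14T09:40:02+0000] [ALPM] upgraded gtkimageview (1.6.4-5 -> 1.6.4-6)
[2025-03-02T11:00:45+0000] [ALPM] upgraded yay (12.4.1-1 -> 12.4.2-1)
EOF

# Print "name version" for every installed foreign package that is on the list.
find_affected() {  # $1 = affected list, $2 = installed list
    awk 'NR == FNR { want[$1] = 1; next } ($1 in want) { print $1, $2 }' "$1" "$2"
}

# Print every install/upgrade/reinstall line for one package, in log order.
# Package names are used as a regex, so names with regex metacharacters
# (e.g. a "+") would need escaping first.
package_history() {  # $1 = package name, $2 = log file
    grep -E "\[ALPM\] (installed|upgraded|reinstalled) $1 \(" "$2"
}

# Timestamp of the most recent change to a package, or "never" if unlogged.
last_change() {  # $1 = package name, $2 = log file
    line=$(package_history "$1" "$2" | tail -n 1)
    if [ -n "$line" ]; then
        stamp=${line%%]*}; printf '%s\n' "${stamp#\[}"
    else
        echo never
    fi
}

find_affected "$AFFECTED" "$INSTALLED" | while read -r name ver; do
    echo "AFFECTED: $name $ver (last changed $(last_change "$name" "$LOG"))"
    package_history "$name" "$LOG"
done
```

An install date before the incident window only shows the local copy predates it; the version actually on disk still needs to be compared with what the advisory says was tampered with.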

[–] Aatube@kbin.melroy.org 2 points 1 week ago (7 children)

(hopefully this doesn't read as blaming the victims instead of the attackers but) I personally don't think it's that complicated to read the updates to AUR packages. It's not any more hard than only commenting after reading the links that people post here instead of just the headlines—which we all do, right?

[–] chgxvjh@hexbear.net 2 points 1 week ago (1 children)

I don't think it's immediately obvious that the PKGBUILD installing some shit with npm is malware.
