this post was submitted on 12 Jun 2026

305 points (99.7% liked)

Technology

85357 readers

5167 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

305

400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers (cybersecuritynews.com)

submitted 19 hours ago by rafssunny@lemmy.zip to c/technology@lemmy.world

68 comments fedilink hide all child comments

top 50 comments

sorted by: hot top controversial new old

[–] Cease@mander.xyz 1 points 4 minutes ago

I think a lot of people are confusing what the AUR actually IS. It is NOT the official package repository used by Archlinux - it's more like a bunch of community install scripts for stuff that isn't officially supported yet - for popularity or other reasons.

So for all those people complaining and saying "debian does it better" it's very likely that you would not even HAVE a package to install and would have to come up with a build script on your own - the AUR allows you to skip this and instead just verify that the script itself isn't malicious, which is usually fairly obvious.

A lot of people here seem to be under the impression that all of this effort should be abstracted for them - but that's what you chose when you left windows - a system that you control intimately with a necessitation to actually do some upkeep yourself because a giant company isn't doing it for you.

In other words. RTFM and stop expecting other people fix all your problems for you, because that's exactly how windows got to how it currently is.

[–] xthexder@l.sw0.com 3 points 1 hour ago (1 children)

Not even having npm installed as a system package feels like a personal win right now. I'd like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it's been the source of most of the recent CVEs I'm hearing about.

[–] fxdave@lemmy.ml 3 points 50 minutes ago* (last edited 49 minutes ago)

I develop inside docker for this reason too

[–] mathers@l.mathers.fr 3 points 2 hours ago

[–] BlackLaZoR@lemmy.world 8 points 4 hours ago* (last edited 4 hours ago) (1 children)

Expecting user to inspect install scripts is retarded. And this is the result.

[–] GameEngineer@infosec.pub 3 points 1 hour ago (1 children)

So what would the alternative be? If the resources or desire don't exist to make a package official, how else would you install it?

[–] BlackLaZoR@lemmy.world 1 points 1 hour ago (1 children)

You're missing the point entirely. I'm talking about inspecting the scripts not about making packages

[–] GameEngineer@infosec.pub 1 points 37 minutes ago

Sorry if I was unclear. You usually don't inspect the install scripts for official packages since you put the trust in the official team. You don't trust(or at least shouldn't) AUR packages, hence you should inspect the install script for those packages. I don't really see what the alternative would be.

[–] misterrabbit@lemmy.world 25 points 9 hours ago (3 children)

Been saying for years that people need to stop treating the AUR like a repo, when it's more akin to curl installscript.sh | bash.

[–] HaraldvonBlauzahn@feddit.org 5 points 4 hours ago* (last edited 4 hours ago)

So, better to use a safe language, and use

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh

right??

(I copied that from https://rust-lang.org/tools/install/ just a second ago....)

[–] Cethin@lemmy.zip 2 points 3 hours ago (1 children)

But it is a repo. It's just an unofficial one. I don't know how you use it without understanding this. It's not far from perfect, but it is useful.

[–] gergolippai@lemmy.world 3 points 2 hours ago

the problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. and the user will unavoidably "trust" it (especially when it's listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.

[–] goatinspace@feddit.org 8 points 8 hours ago

Some packages pull files from personal dropbox...

[–] Summzashi@lemmy.world -5 points 3 hours ago (1 children)

Another win for Windows

[–] Grimtuck@lemmy.world 1 points 10 minutes ago

What was there other win?

[–] Tetsuo@jlai.lu 73 points 19 hours ago (1 children)

I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.

I'm hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.

I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it's safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that's at least a positive.

[–] yesman@lemmy.world 68 points 19 hours ago* (last edited 19 hours ago) (2 children)

The article has instructions to do exactly that.

Users who regularly install AUR packages should take the following steps immediately:

Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages

Audit recent PKGBUILD history for any packages installed between June 10–12, 2026

Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed

Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit

Consider using AUR helpers with PKGBUILD review prompts enabled by default.

The Checklist of infected packages

[–] Tetsuo@jlai.lu 23 points 18 hours ago (11 children)

Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package... Plus it's 400 package so that's a lot of things to check and plenty of space to miss one package by manually checking.

But I get it I'm lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are "infected".

[–] wonderingwanderer@sopuli.xyz 2 points 5 hours ago

It's at the bottom of the doc:

echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..."
echo

found=()
for pkg in "${INFECTED_PKGS[@]}"; do
    if pacman -Qi "$pkg" &>/dev/null; then
        found+=("$pkg")
    fi
done

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do
        echo "  - $pkg"
    done
fi

Not sure why it uses -Qi instead of -Qm since there's no point in scanning pacman packages, but I'm no expert

[–] bigbangdangler@reddthat.com 26 points 18 hours ago (3 children)

It took Arch ~19 years just to get archinstall.

Something tells me there won't be a script.

[–] daggermoon@piefed.world 10 points 17 hours ago

The link is a script

[–] esc@piefed.social 2 points 15 hours ago

Arch had curses based installator for a long time, it became unmaintained.

load more comments (1 replies)

[–] 0x0@infosec.pub 5 points 14 hours ago

You could probably find it on aur lmao

[–] CaptDust@sh.itjust.works 16 points 18 hours ago* (last edited 18 hours ago)

CachyOS community seems to have a detection script, I have not vetted this run at your own discretion.

https://discuss.cachyos.org/t/aur-compromised-400-packages-affected-20260611/31040

[–] yaroto98@lemmy.world 6 points 18 hours ago* (last edited 18 hours ago)

Here's a script:

https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992

[–] Holytimes@sh.itjust.works 6 points 18 hours ago (3 children)

how many aur packages do you have? Most people i know have like AT MOST 20 or so packages from the aur. Which takes less then 2 mins to manually check against the list.

load more comments (3 replies)

load more comments (5 replies)

[–] gemakey@lemmy.world 4 points 18 hours ago (5 children)

Holy shit it's like all of Python.

[–] Eldritch@piefed.world 5 points 18 hours ago

Yeah, Python has been a massive vulnerability for a long while. And the AUR has similar issues. This is only getting widespread coverage now. But it's always been a risk.

load more comments (4 replies)

[–] xploit@lemmy.world 6 points 14 hours ago* (last edited 14 hours ago)

Welp if nothing else at least this has helped me to replace jack1 with jack2 (out of my 4 total Aur packages)

[–] lazylemons@lemmy.today 18 points 18 hours ago (1 children)

I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don't have too many issues from this!

[–] Holytimes@sh.itjust.works 11 points 18 hours ago (2 children)

flatpaks arn't any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.

Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.

Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.

[–] anyhow2503@lemmy.world 1 points 40 minutes ago

I haven't heard about all of these flatpak malware incidents.

[–] Eldritch@piefed.world 5 points 18 hours ago

The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.

[–] malloc@lemmy.world 5 points 17 hours ago* (last edited 17 hours ago) (2 children)

Is this the first time AUR has been compromised to this degree?

Given how changes are often unvetted, I am surprised this hasn’t occurred before.

[–] de_lancre@lemmy.world 4 points 14 hours ago (1 children)

Is this the first time AUR has been compromised to this degree?

I do believe so, yes. There was couple of cases in last year, but never to this extend. If I understand correctly, reading arch thread, it something to do with the fact that anyone can "adopt" orphaned package on AUR. Which is kinda wild.

load more comments (1 replies)

[–] tempest@lemmy.ca 2 points 14 hours ago (1 children)

A lot of the AUR is just build scripts for GitHub repos ...

[–] goatinspace@feddit.org 1 points 7 hours ago

Or dropbox

load more comments