Bunch of AUR packages compromised

Comments

• stable_genius Member

  12:50PM edited 12:51PM

  npm involved in this mess, of course.

  Thanked by 2totally_not_banned tentor
• nick_ Member

  12:54PM

  Arch Users can use this script to check if they're affected.

  https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
• nikio Member

  2:02PM

  yay.

  Well not really. There's a good reason normal people don't use AUR.

  Thanked by 1totally_not_banned
• Voltrina Member

  2:08PM

  It's always NPM
• ascicode Member

  2:20PM

  Chaotic AUR should abandon affected packages.
• oloke Member, Host Rep

  4:02PM edited 4:07PM

  If anyone has anything from AUR installed, it may be a good idea to not perform updates right now. Seems like entire AUR currently is getting attacked with malicious packages:

  

  There are more and more packages getting infected in recent hours, now using different malicious js-digest package and bun package manager. List of malicious packages is now estimated at almost 900.

  Gaining maintainer access to AUR packages appears to be done via the mechanism of orphaned packages:

  They submit orphan request and if the maintainer does not respond to it in 2 weeks or if the package has been flagged as out of date for 180 days it the requester will be granted maintainer status.

  https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577/4
  https://old.reddit.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/

  Thanked by 4stable_genius JohnnySac layer7 totally_not_banned
• Neoon Community Contributor, Veteran

  4:15PM

  @oloke said:
  If anyone has anything from AUR installed, it may be a good idea to not perform updates right now. Seems like entire AUR currently is getting attacked with malicious packages:

  

  There are more and more packages getting infected in recent hours, now using different malicious js-digest package and bun package manager. List of malicious packages is now estimated at almost 900.

  Gaining maintainer access to AUR packages appears to be done via the mechanism of orphaned packages:

  They submit orphan request and if the maintainer does not respond to it in 2 weeks or if the package has been flagged as out of date for 180 days it the requester will be granted maintainer status.

  https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577/4
  https://old.reddit.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/

  I was about to update my Manjaro, big oof.
  That nobody notices that, is beyond me.
• tentor Member, Host Rep

  4:16PM

  @Neoon said:
  I was about to update my Manjaro, big oof.

  Wtf are you really using it?
• LowEndStalker Member

  4:24PM edited 4:24PM

  Good thing I've been lobotomized
• stable_genius Member

  4:28PM edited 4:30PM

  @oloke said:
  If anyone has anything from AUR installed, it may be a good idea to not perform updates right now. Seems like entire AUR currently is getting attacked with malicious packages:

  

  There are more and more packages getting infected in recent hours, now using different malicious js-digest package and bun package manager. List of malicious packages is now estimated at almost 900.

  Gaining maintainer access to AUR packages appears to be done via the mechanism of orphaned packages:

  They submit orphan request and if the maintainer does not respond to it in 2 weeks or if the package has been flagged as out of date for 180 days it the requester will be granted maintainer status.

  https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577/4
  https://old.reddit.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/

  Wow, their security etiquette is really amazing, about as safe as a free entry, no questions asked, orgy.

  No wonder they got ill.

  Thanked by 2oloke totally_not_banned
• Neoon Community Contributor, Veteran

  4:29PM

  @tentor said:

  @Neoon said:
  I was about to update my Manjaro, big oof.

  Wtf are you really using it?

  Its installed yes, actually I wanted to install Debian again but I got to lazy.
  It works, its bleeding clusterfucking edge, so everything can break at any moment but it works.
• layer7 Member, Host Rep, LIR

  5:00PM

  @oloke said:
  Gaining maintainer access to AUR packages appears to be done via the mechanism of orphaned packages:

  They submit orphan request and if the maintainer does not respond to it in 2 weeks or if the package has been flagged as out of date for 180 days it the requester will be granted maintainer status.

  Hi,

  if this is true, then someone with endless faith in humans was the architect of this security decisions Quiet adventurous

  That this was not already exploited long long ago?! Quiet surprising.

  Anyway, good catch security news wise!

  Thanked by 2oloke totally_not_banned
• Fubukibox Member

  5:20PM

  Good thing I haven't updated my steam deck yet... Valve did not sync the repo...?
• tentor Member, Host Rep

  6:29PM

  @Fubukibox said:
  Good thing I haven't updated my steam deck yet... Valve did not sync the repo...?

  Do they even use AUR?
• rpqu Member

  6:36PM

  

  Thanked by 1marcopolio
• Fubukibox Member

  8:01PM

  @tentor said:

  @Fubukibox said:
  Good thing I haven't updated my steam deck yet... Valve did not sync the repo...?

  Do they even use AUR?

  they use their own arch repo iirc
• stablecloud Member, Patron Provider

  8:03PM

  People need to stop installing random crap from the AUR.
• totally_not_banned Member

  9:36PM edited 9:37PM

  @stable_genius said:

  @oloke said:
  If anyone has anything from AUR installed, it may be a good idea to not perform updates right now. Seems like entire AUR currently is getting attacked with malicious packages:

  

  There are more and more packages getting infected in recent hours, now using different malicious js-digest package and bun package manager. List of malicious packages is now estimated at almost 900.

  Gaining maintainer access to AUR packages appears to be done via the mechanism of orphaned packages:

  They submit orphan request and if the maintainer does not respond to it in 2 weeks or if the package has been flagged as out of date for 180 days it the requester will be granted maintainer status.

  https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577/4
  https://old.reddit.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/

  Wow, their security etiquette is really amazing, about as safe as a free entry, no questions asked, orgy.

  No wonder they got ill.

  Yeah, if i'm installing something from a third party repository the last thing i would want is there being a possibility of a random maintainer change. I've chosen to trust this repo and this maintainer (or whoever that person feels to make a good successor) and certainly not some random guy who managed to hand in a largely automated request.

  @layer7 said:
  That this was not already exploited long long ago?! Quiet surprising.

  Seriously.