Security News Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages

lokamoka820
Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation.

The issue was first reported on the Arch Linux aur-general mailing list, where contributors are tracking affected packages in a dedicated thread. Cleanup efforts are ongoing, with malicious commits being removed and related accounts banned.

Importantly, this incident affects only the Arch User Repository, not the official Arch Linux package repositories.

In this case, suspicious changes to AUR packages added npm commands unrelated to the original software. Community reports indicate that malicious logic is triggered during installation, frequently involving npm packages such as atomic-lockfile.

One clear example is the alvr AUR package, where a suspicious update added npm-related behavior to software that does not typically use npm. Other reports emphasize similar changes in additional packages, and Arch contributors are asking users to report further malicious commits in the central thread.

With that said, Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
 
Arch Linux AUR Hit By Another Wave Of Now More Sophisticated Malware Attack - Phoronix

Just a day after Arch Linux developers believed they got their malware AUR incident under control with 1,500+ packages affected by malware, another round of AUR malware is now being discovered. This latest round is more sophisticated, with code obfuscation to better conceal the intent.

Last night another round of malware in Arch Linux AUR packages was reported by developer a821. Various Node.js packages, a Plasma 6 applets package, some Firefox packages, the Aura browser, LibreWolf extensions, a NeoVim plug-in, and various other packages were all found with malware via obfuscated code. Shortly thereafter a821 reported back that the affected packages were taken care of.

Hours later, Nicolas Boichat reported more malware in AUR packages. Boichat discovered those latest malware bits using a local Gemma E2B AI model. The new malware attempt in AUR was described as "a bit more elaborate" in obfuscating the action around the Bun command.
[Image: obfuscated malware install command example]

At this stage it's a bit surprising they don't completely shut down AUR until they can better verify the security and safety of this user-supplied repository or at least implement new safeguards on changes.
 
Arch Linux Blocks New AUR Registrations Amid Malware Cleanup
Arch Linux is dealing with one of the largest security incidents to hit the Arch User Repository in recent memory, as maintainers continue cleaning up a wave of malicious package updates across the community-maintained platform.

Importantly, the AUR remains online, and packages are accessible. However, new account registration is unavailable, with the registration page returning a 503 Service Unavailable error. While not officially announced, this suggests Arch has temporarily blocked an entry point as it works through the cleanup.

The move follows an official Arch Linux warning notice dated June 12 about a “high volume” of malicious package adoptions and updates in the AUR. Maintainers are tracking down malicious commits and trying to prevent more from being pushed while preparing a permanent solution.

Arch also warned users may experience problems with new account creation, package updates, adoptions, and new package creation during the response.

Unfortunately, the incident appears far larger than early reports suggested. Initial public reports pointed to over 400 affected AUR packages, while later community tracking raised the number to more than 1,500. The final count may still change as maintainers continue auditing and removing malicious changes.
 
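One way to carry out the review step the post recommends (examine PKGBUILD diffs, check new .install files, flag package-manager calls the software never needed), as an added shell example that is not from the article or the Arch project. It goes a little beyond the post by also matching the Bun command, eval, fetch-and-pipe-to-shell and base64 decoding; the pattern list, the git-clone layout and the sample PKGBUILD are all constructed assumptions.

```shell
# Assumption (not from the post): the package is a local AUR git clone.
# Heuristic patterns worth a second look in a PKGBUILD or .install file:
# JavaScript package managers (npm, npx, bun, yarn), eval, fetch-and-pipe to a
# shell, and base64 decoding. Hand-picked starting set, not exhaustive.
AUR_AUDIT_PATTERNS='(^|[^[:alnum:]_])(npm|npx|bun|yarn|eval)([^[:alnum:]_]|$)|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([^[:alnum:]]|$)|base64[[:space:]]+(-d|--decode)'

# aur_audit_file FILE: print matching non-comment lines with line numbers.
# Returns 1 if anything matched, 0 otherwise (a missing file is not an error).
aur_audit_file() {
    file=$1
    [ -f "$file" ] || return 0
    hits=$(grep -nE "$AUR_AUDIT_PATTERNS" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s:\n%s\n' "$file" "$hits"
    return 1
}

# aur_audit_dir DIR [BASE]: audit PKGBUILD and every *.install in DIR; when a
# previously reviewed commit BASE is given, also show what changed since then.
aur_audit_dir() {
    dir=$1; base=${2:-}; status=0
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        aur_audit_file "$f" || status=1
    done
    if [ -n "$base" ] && [ -d "$dir/.git" ]; then
        git -C "$dir" diff "$base" -- PKGBUILD '*.install'
    fi
    return "$status"
}

# Constructed demo (not a real AUR package): package() pulls an npm module the
# software itself never needed, the kind of change the post warns about.
aur_audit_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/PKGBUILD" <<'EOF'
pkgname=example-app
pkgver=1.0.0
pkgrel=2
build() {
    make -C "$srcdir/$pkgname-$pkgver"
}
package() {
    make -C "$srcdir/$pkgname-$pkgver" DESTDIR="$pkgdir" install
    npm install -g atomic-lockfile   # added in the suspicious update
}
EOF
    aur_audit_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `aur_audit_dir /path/to/aur/clone <last-reviewed-commit>` before `makepkg`; a non-zero exit means at least one flagged line needs a human look.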