442
you are viewing a single comment's thread
view the rest of the comments
[-] Tetsuo@jlai.lu 89 points 1 month ago

I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.

I'm hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.

I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it's safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that's at least a positive.

[-] yesman@lemmy.world 84 points 1 month ago* (last edited 1 month ago)

The article has instructions to do exactly that.

Users who regularly install AUR packages should take the following steps immediately:

Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages

Audit recent PKGBUILD history for any packages installed between June 10โ€“12, 2026

Rotate all credentials โ€” browser passwords, SSH keys, API tokens, and cloud access keys โ€” if any flagged package was installed

Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit

Consider using AUR helpers with PKGBUILD review prompts enabled by default.

The Checklist of infected packages

[-] Tetsuo@jlai.lu 29 points 1 month ago* (last edited 1 month ago)

Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package... Plus it's 400 package so that's a lot of things to check and plenty of space to miss one package by manually checking.

But I get it I'm lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are "infected".

Edit : thanks for the numerous script sent as reply ! But I'm all set now, thanks !

[-] bigbangdangler@reddthat.com 38 points 1 month ago

It took Arch ~19 years just to get archinstall.

Something tells me there won't be a script.

[-] daggermoon@piefed.world 15 points 1 month ago

The link is a script

[-] Goodlucksil@lemmy.dbzer0.com 6 points 1 month ago

A lot of those 19 years were times where only nerds used arch.

[-] esc@piefed.social 5 points 1 month ago

Arch had curses based installator for a long time, it became unmaintained.

[-] CaptDust@sh.itjust.works 24 points 1 month ago* (last edited 1 month ago)

CachyOS community seems to have a detection script, I have not vetted this run at your own discretion.

https://discuss.cachyos.org/t/aur-compromised-400-packages-affected-20260611/31040

[-] 0x0@infosec.pub 7 points 1 month ago

You could probably find it on aur lmao

[-] NebulaNymph@programming.dev 3 points 1 month ago

I haven't used kate but does it not have some sort of easy search?

ex. pacman -Qm to list AUR packages; should display the 3/4 pkgs you have installed. Then just search in kate for those 3/4 results?

Alternatively cat & grep in the terminal is pretty straight forward.

That is if it's 3/4 pkgs that are from AUR, but if someone has hundreds installed that is a bigger issue on its own.

[-] shweddy@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

Damn how long is the list when you

pacman -Qm
[-] Tetsuo@jlai.lu 2 points 1 month ago

Am I missing something ?

Just because I have 3/4 package on my system doesn't mean the 400+ list of affected package gets shorter on the other side...

I'm actually pretty cautious with AUR and I only install them when there is no other options.

[-] m4ylame0wecm@lemmy.zip 9 points 1 month ago

Especially for a small list, 3-4, that you actually need to check, what's the actual issue? Open list of 400, ctrl+f for the few names you care about, move on.

[-] shweddy@lemmy.world 5 points 1 month ago

I was just curious because I didnt think it was so tediuous to check against an alphabetical list on a website using ctrl+f. But thats just me. It took me less than a minute to check my 8 aur packages against the list

[-] dafta 1 points 1 month ago
comm -1 -2 <(pacman -Qqm | sort) <(curl -s https://md.archlinux.org/s/SxbqukK6IA | sort)
[-] gemakey@lemmy.world 6 points 1 month ago

Holy shit it's like all of Python.

[-] Eldritch@piefed.world 7 points 1 month ago

Yeah, Python has been a massive vulnerability for a long while. And the AUR has similar issues. This is only getting widespread coverage now. But it's always been a risk.

[-] HaraldvonBlauzahn@feddit.org 1 points 1 month ago

Yes, we need a kind of Debian for Python.

Part of the solution could be the Guix package manager. Part could be the commercial offerings, like Anaconda.

[-] CaptDust@sh.itjust.works 3 points 1 month ago

Well, those are mostly extension libraries, stuff "normally" installed using pip. Arch is kind of unique that they encourage using system aur over pip, npm and other package managers. While it is a big radius, none of the python packages stick out to me, but maybe I just haven't encountered the popular ones.

[-] iocase@lemmy.zip 5 points 1 month ago

The attackers specifically targeted orphaned projects on AUR so it's no wonder most of those aren't familiar to us.

[-] esc@piefed.social 3 points 1 month ago

It isn't really all that unique? Debian does it, el does it, probably almost any popular distro?

[-] CaptDust@sh.itjust.works 1 points 1 month ago

I suppose it's become more common since PEP 668 was introduced, less unique these days.

[-] flying_sheep@lemmy.ml 2 points 1 month ago

Arch usually doesn't re-package Python packages that aren't needed for something else, meaning they end up in the AUR. I maintain several there, and when I stop using them I abandon them. I wouldn't be surprised if some of the ones I used to maintain are on the list

[-] historicaldocuments@lemmy.world 2 points 1 month ago

Well, nothing to do but start at the first one and work our way down...

this post was submitted on 12 Jun 2026
442 points (100.0% liked)

Technology

86408 readers
2180 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS