
Ouch.

voytrekk@sopuli.xyz 18 points 6 days ago

I think this shows that the process of changing ownership of an orphaned package needs to be a manual process.

Of course, AUR packages also need to be thoroughly vetted by the end users to avoid unexpected changes.

So you remember how your helper asks you to see diffs ... you take a look at those and understand them before approving, right?

Because I'm getting the sense that people are not doing that.

KyuubiNoKitsune 2 points 6 days ago

And if you're not a developer?

bitfucker@programming.dev 7 points 5 days ago

Then don't use an automatic AUR helper. Use chaotic aur if you must. Or use aurto.

Then learn to read the diffs. Most of the time they are changing the version number and package hash which is mundane and nothing to worry about. If more than that changed then that should make you curious why and dig deeper.

KyuubiNoKitsune 2 points 5 days ago

I know how, I'm just saying, not everyone has the technical acumen.

Right, and I'm saying that a lot of updates are mundane and easy for anyone to read. And if they aren't mundane then look into it. Try to learn. The alternative is to run code you don't understand and hope for the best which didn't work out for people here. So if you don't want to try to learn, and you don't want to blind trust, then the alternative is to not use the AUR.

Like one of the attack vectors was adding a "post install" step that was a bunch of obfuscated gibberish which should've been a red flag for anyone, technical acumen or not

Attacker94@lemmy.world 2 points 6 days ago

Even if you aren't a dev, any user that chooses to use the AUR should do their due diligence. There is a reason why I prefer Flatpaks over the AUR: I don't want to have to check diffs every update.

Thorned_Rose@sh.itjust.works 1 point 6 days ago

You don't need to be a developer to read diffs and package builds. I have memory and cognitive impairment and manage fine. I'm also not remotely into software programming.

dadarobot@lemmy.ml 14 points 6 days ago

This is awful. The AUR is my favorite feature of Arch-based distros.

wuphysics87@lemmy.ml 4 points 5 days ago

Really? Not pacman?

YiddishMcSquidish@lemmy.today 3 points 5 days ago

I wonder if this is because of SteamOS switching to Arch, and they have a wider target now.

deathmetal27@lemmy.world 3 points 5 days ago (last edited 5 days ago)

SteamOS is immutable and does not enable AUR use by default.

Unless you're a power user you probably won't be using the AUR on SteamOS.

HaraldvonBlauzahn@feddit.org 3 points 5 days ago

Another thing is perhaps Gen Z does not grok PC security. Security-wise, a Linux PC is very different from an iPhone, because everything shares the home folder.

this post was submitted on 14 Jun 2026
45 points (100.0% liked)

Arch Linux


The beloved lightweight distro

founded 6 years ago