Looks like the Arch Linux AUR (Arch User Repository) needs some better security and package checks - as some malicious users compromised a lot of packages.
For those who aren't clear on the details - the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. This is completely separate to the actual Arch Linux packages which were not hit.
There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".
From the packages that were changed, they were made to include npm (a package manager), which is then used to pull in some sort of keylogger / credentials stealer - so it's really quite a shocking security breach to have affected so many different packages.
Hopefully the mess will get sorted fully soon, and for some improvements to the packaging processes to prevent this from happening in future. Especially with the rise of AI bots, and how much easier this sort of thing has become thanks to them - it could end up a lot worse in future.
Oh dear.
Article taken from GamingOnLinux.com.
About the author - Liam Squires-Hand
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
See more from me
See more from me
Some you may have missed, popular articles from the last month:
You can also find comments for this article on social media: All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
10 comments
Not panicking, for now, as I don't use npm or have any apps that do. But I agree with the sentiment: Oh dear.
0 Likes
I use Arch, by the wAAAAAAAAAAAAAAAAAAAAAAAAAAAAH!!!!!
4 Likes 😂 (3)👍 (1) See more...
Liam Squires-Hand 34 minutes ago
Quoting: GrishnakhNot panicking, for now, as I don't use npm or have any apps that do. But I agree with the sentiment: Oh dear.The hit packages actually pulled in npm, which is then used to grab the malicious bits.
0 Likes
I too have been avoiding stuff that use npm like the plague... turns out it was not an excess of paranoia. 😆
0 Likes
ROllerozxa 29 minutes ago
> so it's really quite a shocking security breach to have affected so many different packages.
The methodology of the attacker seems like the most obvious way to attack the AUR. There are 15000+ orphaned packages on the AUR, where anyone can create an account and then adopt packages in mass. Then push updates and wait until someone who has the package installed with their AUR helper, maybe happens to be a bit sleep deprived that day, and just runs an AUR update without inspecting the PKGBUILDs too much.
AUR being user-generated content, unsupported, at your own risk, whatever... aside, this along with the compromised CEMU Linux AppImage makes me feel that the Linux desktop community is in for a real rude awakening when it comes to security that has been neglected in many ways. (even the XZ Utils backdoor was largely targeting servers!)
The methodology of the attacker seems like the most obvious way to attack the AUR. There are 15000+ orphaned packages on the AUR, where anyone can create an account and then adopt packages in mass. Then push updates and wait until someone who has the package installed with their AUR helper, maybe happens to be a bit sleep deprived that day, and just runs an AUR update without inspecting the PKGBUILDs too much.
AUR being user-generated content, unsupported, at your own risk, whatever... aside, this along with the compromised CEMU Linux AppImage makes me feel that the Linux desktop community is in for a real rude awakening when it comes to security that has been neglected in many ways. (even the XZ Utils backdoor was largely targeting servers!)
1 Likes 👍 (1) See more...
mattaraxia 26 minutes ago
Quoting: GrishnakhNot panicking, for now, as I don't use npm or have any apps that do. But I agree with the sentiment: Oh dear.It seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.
Have a look at the list of packages in the thread, they cover a huge range of things.
1 Likes 👍 (1) See more...
seflasporin 20 minutes ago
They also changed the emails to be the same username but on gmail instead of whatever the original maintainers used.
The mailing list has a discussion on how to prevent this in the future. Hopefully some moderation process for adopting abandoned packages or even a limit on how many packages you can adopt in a set period, since the current process of nothing is insane. Adopting 400 packages in one go should be a major red flag for any moderator.
The mailing list has a discussion on how to prevent this in the future. Hopefully some moderation process for adopting abandoned packages or even a limit on how many packages you can adopt in a set period, since the current process of nothing is insane. Adopting 400 packages in one go should be a major red flag for any moderator.
0 Likes
For a quick check if you have any of the affected packages installed, pacman -Qm lists the local packages only, and then depending on the number, either manually ctrl+f them or diff the two lists...
1 Likes 👍 (1) See more...
ROllerozxa 11 minutes ago
Quoting: mattaraxiaIt seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.For the malicious packages I saw, the "npm install" was put into a .install file that bundles a hook in the package that gets run after installing a package. So just by looking at the PKGBUILD itself, it's completely fine apart from that addition (and there are packages that do need legit post-install hooks!), and nothing malicious happens when you build the package with makepkg, typically not as root.
It's only when you try to install the package with pacman that it runs the post-install hook... Which happens to run as root! Quite insidious, and I would say this is really clever from the attacker, but in reality it was probably devised by some AI agent with access to the Arch Wiki's packaging documentation...
0 Likes
mattaraxia 3 minutes ago
Quoting: ROllerozxaSo it *does* run on the system as a hook, not in the build step?Quoting: mattaraxiaIt seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.For the malicious packages I saw, the "npm install" was put into a .install file that bundles a hook in the package that gets run after installing a package. So just by looking at the PKGBUILD itself, it's completely fine apart from that addition (and there are packages that do need legit post-install hooks!), and nothing malicious happens when you build the package with makepkg, typically not as root.
It's only when you try to install the package with pacman that it runs the post-install hook... Which happens to run as root! Quite insidious, and I would say this is really clever from the attacker, but in reality it was probably devised by some AI agent with access to the Arch Wiki's packaging documentation...
Does it add npm as a dependency to the package then?
Either way though, every Arch user who's installed anything from AUR should look at the list. It's huge and covers a crazy range of things. I think I saw Window Maker and some COSMIC related stuff in there. Also a bunch of Perl and Python stuff that probably make the effective list much bigger, as other things depend on them.
0 Likes
Patreon
PayPal