Latest Comments by mattaraxia
The Arch Linux AUR had over 400 packages compromised with malware
12 Jun 2026 at 1:17 pm UTC Likes: 1

Quoting: ROllerozxa
Quoting: mattaraxia
So it *does* run on the system as a hook, not in the build step?

Does it add npm as a dependency to the package then?
Yeah the ones I saw also added npm as a dependency to the package, which can be a red flag depending on what the package is about. If one is just using an AUR helper or does `makepkg -si` the difference isn't really whether it happens during build time or install time as the two happen at the same time, but there's a big difference in the privileges that the two run at.

Then I also heard that the payload in the npm package itself apparently installs an eBPF kernel module if it is running as root to disguise itself (link to analysis someone has made of the malware), so it does not seem to be a coincidence they did it like that.
Well that is so much worse. This may be one of the worst Linux malware campaigns I've ever seen that wasn't targeting specific enterprises, will catch a lot of, probably mostly, desktop users. I mean the apple-music-desktop package is in the list. All kinds of things like that.

I wonder if it will dent all the momentum Arch has right now.

The Arch Linux AUR had over 400 packages compromised with malware
12 Jun 2026 at 12:52 pm UTC

Quoting: ROllerozxa
Quoting: mattaraxia
It seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.
For the malicious packages I saw, the "npm install" was put into a .install file that bundles a hook in the package that gets run after installing a package. So just by looking at the PKGBUILD itself, it's completely fine apart from that addition (and there are packages that do need legit post-install hooks!), and nothing malicious happens when you build the package with makepkg, typically not as root.

It's only when you try to install the package with pacman that it runs the post-install hook... Which happens to run as root! Quite insidious, and I would say this is really clever from the attacker, but in reality it was probably devised by some AI agent with access to the Arch Wiki's packaging documentation...
So it *does* run on the system as a hook, not in the build step?

Does it add npm as a dependency to the package then?

Either way though, every Arch user who's installed anything from AUR should look at the list. It's huge and covers a crazy range of things. I think I saw Window Maker and some COSMIC related stuff in there. Also a bunch of Perl and Python stuff that probably make the effective list much bigger, as other things depend on them.
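
The mechanism described in the quoted reply above (an `npm install` placed in a package's `.install` scriptlet, which pacman runs as root) can be checked for before a package is installed. The following is an added example, not part of any comment on this page; the command list, the function names and the sample package contents are constructed assumptions.

```shell
#!/usr/bin/env bash
# Heuristic audit of an AUR checkout before running `makepkg -si`.
# Install scriptlets (*.install) are executed by pacman as root, so any
# command in them that downloads or installs code deserves a manual read.

# Assumption: this command list is a starting heuristic, not exhaustive.
FETCH_RE='(^|[^[:alnum:]_.-])(npm|npx|yarn|pnpm|pip3?|curl|wget)([[:space:]]|$)'

# audit_pkg DIR: prints file:line findings, returns 1 if anything was flagged.
audit_pkg() {
    local dir=$1 flagged=0 f
    # npm appearing in a package that is not a Node project is worth a look.
    if grep -HnEw 'npm' "$dir/PKGBUILD"; then flagged=1; fi
    for f in "$dir"/*.install; do
        [ -f "$f" ] || continue
        if grep -HnE "$FETCH_RE" "$f"; then flagged=1; fi
    done
    return "$flagged"
}

# Constructed samples: "bad" has a hook that calls npm, "clean" a benign hook.
make_sample() {
    local d
    d=$(mktemp -d)
    if [ "$1" = bad ]; then
        printf '%s\n' 'pkgname=sample-bad' "depends=('gtk3' 'npm')" 'install=sample.install' > "$d/PKGBUILD"
        printf '%s\n' 'post_install() {' '    npm install -g constructed-placeholder-pkg' '}' > "$d/sample.install"
    else
        printf '%s\n' 'pkgname=sample-clean' "depends=('gtk3')" 'install=sample.install' > "$d/PKGBUILD"
        printf '%s\n' 'post_install() {' '    update-desktop-database -q' '}' > "$d/sample.install"
    fi
    echo "$d"
}

# Demo on the constructed "bad" sample.
bad=$(make_sample bad)
audit_pkg "$bad" || echo "review $bad by hand before installing"
```

A clean result only means none of the listed commands appear literally; the scriptlet still has to be read, since a hook can reach the same result through other commands.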

The Arch Linux AUR had over 400 packages compromised with malware
12 Jun 2026 at 12:28 pm UTC Likes: 6

Quoting: Grishnakh
Not panicking, for now, as I don't use npm or have any apps that do. But I agree with the sentiment: Oh dear.
It seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.

Have a look at the list of packages in the thread, they cover a huge range of things.

Bloober Team revealed action-adventure horror Star Trek: Shadow Frontier
7 Jun 2026 at 11:18 pm UTC Likes: 4

Ensign Ro cosplaying Claire Redfield in 2026 is definitely not a thing I expected, but here we are.

Steam Survey for April 2026 shows Linux still trending well
2 May 2026 at 3:07 pm UTC

Quoting: PlayingOnLinuxphone
Quoting: mattaraxia
It's really wild. 10% by ~2030 seems just about inevitable now.
With the current speed, 9.5% is reached by end of 2027 and considering Steam hardware it should even be above 10% next year (if nothing slows down).
Maybe. I doubt it's quite that fast, but could be. I mean that is certainly by ~2030. There isn't another Windows 10 EOL coming, so it probably won't be quite as fast as the current rate non-stop, but I'm virtually sure it won't reverse. We also may just not need another Windows 10 EOL. Linux is hip now. It may just get even faster.

Steam Hardware is tricky. On the one hand the RAM shortage is hurting it. But that's probably balanced out by the RAM shortage driving Windows 10 EOL'ers to switch.

Steam Survey for April 2026 shows Linux still trending well
2 May 2026 at 1:59 pm UTC Likes: 10

It's really wild. 10% by ~2030 seems just about inevitable now.

Even as someone who's used Linux for literally decades now, I'd have never thought this would be such a thing.

Anthropic begin funding Blender as a Corporate Patron
29 Apr 2026 at 5:40 pm UTC

Quoting: Johnologue
Quoting: mattaraxia
If you're them, having something like Blender, that collects no licenses, crush something like Unity, that does, is great.

Because then the money shops were spending on Unity . . . goes to agents instead. See they weirdly want all royalty free development platforms too, just . . . maybe not for good reasons . . .

They may also just be burning cash at an absurd rate and want their logo out there, it's just marketing. They think it will create goodwill with people who will become customers.
Unity isn't a 3D modeling application, it's a game engine. That would be if they were funding Godot.

I don't know much about the commercial/licensed 3D modeling programs though, so I can't say I'd make a better comparison.

Anthropic supporting open projects when their whole thing is "AI can't be open because then crazy idiot hackers will end the world with magic computers" is hypocritical. If you look up "Anthropic open source" on DuckDuckGo, they have a program to let open source developers use their AI...the AI itself in that case is all gratis, no libre. They want to be in control.
"I don't know much about the commercial/licensed 3D modeling programs though, so I can't say I'd make a better comparison."

Right. Unity is huge, it absolutely contains 3D modeling software, you sort of answer your own question there.

Blender used to be a game engine and a 3d modeling suite, but has gotten away from the game engine part. Unity used to be a game engine and has gotten more and more into being an all in one suite that includes 3d modeling.

I couldn't tell you how many Unity developers actually use it for their modeling, but absolutely Unity the company wants them to, funding Blender (and Godot) both would absolutely be seen as undermining them.

The tool is called ProBuilder and is absolutely part of Unity:

https://docs.unity3d.com/Packages/[email protected]/manual/index.html

Anthropic begin funding Blender as a Corporate Patron
28 Apr 2026 at 5:14 pm UTC Likes: 2

Quoting: AllyTheProtogen
I wonder what it is that they're getting at here. If I had to guess, they're bleeding money into the red like every other AI company, so wtf is up with sending out even more? And to Blender of all things?? Seeing how they're amoral enough to support AI in the first place, I highly doubt they're doing this out of the goodness of their hearts.
I suspect it makes sense in a sort of complicated way, it's fraught, sort of a my enemy's enemy thing from the POV of an open source project.

What Anthropic wants, is to be the tool for all development everywhere.

If you're them, having something like Blender, that collects no licenses, crush something like Unity, that does, is great.

Because then the money shops were spending on Unity . . . goes to agents instead. See they weirdly want all royalty free development platforms too, just . . . maybe not for good reasons . . .

They may also just be burning cash at an absurd rate and want their logo out there, it's just marketing. They think it will create goodwill with people who will become customers.

DEATH STRANDING 2 gets better performance for Steam Deck along with other general improvements
23 Apr 2026 at 3:34 pm UTC Likes: 13

One of the coolest things Valve has accomplished with the Deck actually has nothing to do with Linux, it's just getting PC developers to optimize for low end hardware for longer. BG3, Doom, Death Stranding now, I'm sure there are plenty more.

Ghostship - the new Super Mario 64 PC port gets a Linux release
22 Jan 2026 at 7:36 am UTC Likes: 1

Quoting: Leprotto
Still no controller support though.
I've been playing it with a Dual Sense controller, working great.

What's missing?