Settings

Theme

Over 400 Malicious packages found in Arch AUR

lists.archlinux.org

12 points by Hydrocarb0n 19 days ago · 2 comments

Reader

Hydrocarb0nOP 19 days ago

Attackers (or a coordinated set of compromised accounts) targeted many orphaned AUR packages—those without active maintainers. They pushed commits that added lines like this to the PKGBUILD (or related build files):bash

npm install atomic-lockfile ...

(Exact variations exist, but that's the core pattern.) This affects ~408 packages according to reports.

When users (or AUR helpers) build these packages with makepkg, it executes npm install, which downloads and runs the atomic-lockfile npm package. That package was published very recently and includes a preinstall script (a Rust binary at ./src/hooks/deps) that runs automatically during installation.

gnabgib 19 days ago

Discussion (205 points, 11 hours ago, 123 comments) https://news.ycombinator.com/item?id=48500447

Keyboard Shortcuts

j
Next item
k
Previous item
o / Enter
Open selected item
?
Show this help
Esc
Close modal / clear selection