A new pest appears in the Arch User Repository.
  • Feyd@programming.dev
    443·
    25 days ago

    I feel like these headlines are designed to be way scarier than the scenarios actually are to people that don’t know much about Arch Linux.

    • scintilla@beehaw.org
      3·
      25 days ago

      Seriously. It’s technically true that there was a RAT on the AUR but the way it’s titled is written to intentionally invoke times where it was more than one thing.

    • gazby@lemmy.zip
      21·
      25 days ago

      Just standard clickbait, but sounds more serious because we understand the extent to which they’re going out of their way to bend and withhold the facts.

    • eldavi@lemmy.mlEnglish
      28·
      25 days ago

      true and part of me suspects that it’s intentional on the part of arch users so that they can continue to tell the world that they “use arch btw” lol

  • MyNameIsRichard@lemmy.ml
    32·
    25 days ago

    The malicious packages were found and removed quite quickly. Also anyone who doesn’t blindly install from the AUR would have seen a suspicious .lol url. I suppose that a genuine package using a .lol url isn’t impossible, it’s just very unlikely,

    These attacks do demonstrate the strength and weakness of the AUR, that anyone can upload anything at any time. The same as flathub and the snap store. Treat all of them with appropriate caution.

    • Karna@lemmy.mlOP
      141·
      25 days ago

      Flatpak does have a concept of Verified Publisher. Many distros ship flatpak app store with default filter set to Verified Publisher only.

      • Daniel Quinn@lemmy.caEnglish
        11·
        25 days ago

        That sounds like a nice feature we could use for the Aur actually. We already have the votes value, but some sort of verification body could help rescue the Aur’s reputation.

      • Cricket [he/him]@lemmy.zipEnglish
        4·
        25 days ago

        Many distros ship flatpak app store with default filter set to Verified Publisher only.

        Also, if your distro doesn’t do this, you can do it yourself. You can modify, for instance, KDE Discover’s flathub repo to use the verified subset.

  • Samsy@lemmy.ml
    5·
    25 days ago

    Is AUR more risky than before? Nope. But this targets more people than ever. StreamOS and CachyOS are pretty popular these days.

    • Karna@lemmy.mlOP
      2·
      25 days ago

      This is the most likely reason why all of sudden there is an uptick in attempt to embed malware in AUR build scripts.

    • LeFantome@programming.dev
      71·
      25 days ago

      It is a well known risk but not something that was a real risk numerically. I mean, it still isn’t given the number of packages in the AUR.

      This is a couple of malicious packages discovered in a short period though. Not a good sign. It was really impact the AUR if polluting it with malware became common.

      You should always inspect AUR packages before installing them but few people do. Many would not even know what they were looking at.

  • Mactan@lemmy.ml
    4·
    25 days ago

    I saw two pkgbuild from the user, I don’t really know what I’m looking at in pkgbuilds generally but these were dead obvious something was bogus . downloading arbitrary files from some url like (segs)(dot)(lol) hopefully sufficiently defanged

  • Sina@beehaw.org
    1·
    23 days ago

    This not yet scary, scary starts when malicious actors take over orphaned AUR packages…

  • Mugita Sokio@discuss.onlineEnglish
    1·
    25 days ago

    This is why I just use the Chaotic AUR, knowing that something like this was being posted everywhere. My producer, Neigsendoig, does the exact same with his machine.

    We both use CachyOS anyway.