- cross-posted to:
- archlinux@lemmy.ml
On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
The affected malicious packages are:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.
We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.
Follow up
More packages with this malware have been found:
- minecraft-cracked
- ttf-ms-fonts-all
- vesktop-bin-patched
- ttf-all-ms-fonts
What to do
If you installed any of these packages, check your running processes for one named systemd-initd (this is the RAT).
The suspicious packages have a patch from this now-inaccessible Codeberg repo: https://codeberg.org/arch_lover3/browser-patch
The Arch maintainers have been informed of all this already and are investigating.
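A defender-side check for the package names and the process name listed in this thread, as an added example that is not from the original post or from the Arch team. It assumes an Arch host with `pacman` and a procps-style `ps`; the two parsing functions read stdin so they can be exercised on constructed input without touching a live system.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): defender-side check for the malicious
# AUR packages and the RAT process named above. Names are the ones listed in
# the thread; the parsers read stdin so they can be tested with constructed input.

MALICIOUS_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin
minecraft-cracked ttf-ms-fonts-all vesktop-bin-patched ttf-all-ms-fonts"
RAT_PROCESS="systemd-initd"

# Read installed package names, one per line (format of `pacman -Qq`), and
# print those on the malicious list.
find_malicious_pkgs() {
    local pkg name
    while IFS= read -r pkg; do
        for name in $MALICIOUS_PKGS; do
            if [ "$pkg" = "$name" ]; then printf '%s\n' "$pkg"; fi
        done
    done
    return 0
}

# Read "pid comm" lines (format of `ps -eo pid=,comm=`) and print the PIDs
# whose command name is exactly the RAT's; an exact match avoids flagging
# legitimate systemd-* daemons.
find_rat_pids() {
    local pid comm
    while read -r pid comm; do
        if [ "$comm" = "$RAT_PROCESS" ]; then printf '%s\n' "$pid"; fi
    done
    return 0
}

# Run both checks on the live Arch host; returns 1 if anything was found.
check_live_system() {
    local pkgs pids
    pkgs=$(pacman -Qq 2>/dev/null | find_malicious_pkgs)
    pids=$(ps -eo pid=,comm= | find_rat_pids)
    if [ -z "$pkgs" ] && [ -z "$pids" ]; then
        echo "No listed packages or $RAT_PROCESS process found."
        return 0
    fi
    if [ -n "$pkgs" ]; then
        printf 'Listed packages installed (remove with pacman -Rns):\n%s\n' "$pkgs"
    fi
    if [ -n "$pids" ]; then
        printf '%s running with PID(s): %s\n' "$RAT_PROCESS" "$pids"
    fi
    return 1
}
```

On an Arch host, source the file and run `check_live_system`; a non-zero return means one of the listed packages is installed or the process is running, so the host should be treated as compromised rather than just cleaned.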


I kinda wish the Arch devs packaged more stuff rather than relying on the AUR. Chaotic-AUR (third party repo) solves it mostly.
The arch maintainers package more software than most other distributions. Some items they leave in the AUR by choice, if the Dev prefers it there. The key is to use the AUR sparingly and only if you trust the packager.
Sorry, but I fail to see this.
I suppose if you’re accounting literally all independent distros, then you’re probably right. However, if we’d be more realistic and compare it to other well-established independent distros[1], then we notice that the vastness of the packages found in Arch’s repository is rather lackluster at the very least. Heck, by virtually all metrics, Arch together with its derivatives undoubtedly belong in the upper echelons of usage stats; only being second to the Debian-family of distros. IMO, however, the size of its repository absolutely doesn’t reflect this; as it’s only bigger than Slackware, Solus and Void. The inclusion of these smaller projects is arguably charitable on my side*. But to drive the point home very clearly: Arch’s repository is smaller than Alpine’s, Debian’s, Fedora’s, openSUSE’s and Gentoo’s with a ratio of (about) two to one (except for openSUSE).
[1] I’m basically counting Alpine, Debian, Fedora, Gentoo, openSUSE, Slackware, Solus and Void. I didn’t count Guix System and NixOS for how their ‘repositories’ are built different and therefore not easily comparable to the others.
I don’t know if raw package counts are the best comparison. Unlike, say, Fedora, Arch bundles everything related to a project in the same file. If you want Qt6-base on Arch, that is one package. If you want it on Fedora, it is going to have a lib, header, docs, and maybe a few other packages.
Just from personal experience, I do not have issues with finding packages in the main repos, with only a handful of my packages coming from the AUR. This is not the case with others, like Fedora where extra repos need to be added, like EPEL and RPM Fusion.
I 100% agree. Everyone raves about the AUR but it really feels like more of a necessity than a value add because so little is actually packaged for arch. And the AUR is definitely more annoying and feels more jank than just having it in your default repo.