Posted by keyle 13 hours ago

AUR packages compromised with Infostealer and Rootkit (discourse.ifin.network)
234 points | 161 comments (page 2)
DavideNL 2 hours ago|
Would using traur have prevented this attack?

https://github.com/Sohimaster/traur

nialv7 8 hours ago||
Third time this has happened:

https://news.ycombinator.com/item?id=17501379

https://news.ycombinator.com/item?id=44607740

keyle 8 hours ago||
More news is coming out about this:

https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised

I toyed with the idea that someone should write a binary that simply emails or alerts you when it's been run... as a canary... and call that `npm`.

At this point, not renaming the npm binary is a big risk.
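
The canary `npm` described in the comment above, written out as an added example (it is not from the thread, from any AUR helper, or from any project). It assumes the real npm lives at /usr/bin/npm, that a Linux /proc is available to recover the caller's command line, and uses notify-send as a stand-in alert hook; all three are assumptions, not facts from the page. Install it as ~/.local/bin/npm with ~/.local/bin ahead of /usr/bin in PATH, so a PKGBUILD's build() that calls plain `npm install` hits the canary first. By default it logs, alerts on anything that would pull code from the registry, and exits non-zero so the build fails loudly; set CANARY_ALLOW=1 to pass through after logging.

```shell
#!/bin/sh
# Canary npm wrapper (added example, not code from the thread or any project).
# Place at ~/.local/bin/npm, ahead of the real binary in PATH.

CANARY_LOG="${CANARY_LOG:-${HOME:-/tmp}/npm-canary.log}"
CANARY_REAL_NPM="${CANARY_REAL_NPM:-/usr/bin/npm}"   # assumption: where the real npm lives
CANARY_ALLOW="${CANARY_ALLOW:-0}"                     # 1 = exec the real npm after logging

# Classify an npm subcommand. Anything that pulls code from the registry is
# "fetch"; harmless introspection is "query"; everything else is "other".
canary_classify() {
    case "$1" in
        install|i|add|ci|exec|x|update|up|link) echo fetch ;;
        -v|--version|version|help|-h|--help|config|ls|list) echo query ;;
        *) echo other ;;
    esac
}

# One log record: UTC time, caller pid, caller command line (Linux /proc,
# "unknown" elsewhere), working directory, classification and the full argv.
canary_record() {
    ppid=$1; cwd=$2; shift 2
    parent=$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null || :)
    printf '%s ppid=%s parent=[%s] cwd=%s class=%s args=[%s]\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ppid" "${parent:-unknown}" \
        "$cwd" "$(canary_classify "$1")" "$*"
}

# Entry point: always log, alert on fetches, then block (exit 77) or pass through.
canary_main() {
    rec=$(canary_record "$PPID" "$PWD" "$@")
    printf '%s\n' "$rec" >> "$CANARY_LOG"
    if [ "$(canary_classify "$1")" = fetch ]; then
        printf 'npm-canary: registry fetch attempted: %s\n' "$rec" >&2
        # Alert hook (assumption): swap in mail, a webhook, or whatever you monitor.
        if command -v notify-send >/dev/null 2>&1; then
            notify-send "npm canary" "$rec" || :
        fi
    fi
    if [ "$CANARY_ALLOW" = 1 ] && [ -x "$CANARY_REAL_NPM" ]; then
        exec "$CANARY_REAL_NPM" "$@"
    fi
    return 77
}

# Only act when invoked as "npm"; sourcing the file for tests does nothing.
case "$0" in
    */npm|npm) canary_main "$@" ;;
esac
```

Caveat: PATH interposition only catches calls that resolve `npm` through PATH. A PKGBUILD that invokes /usr/bin/npm directly, or fetches with curl, bypasses it, so treat the canary as a tripwire for the lazy case, not as a sandbox; building in a clean chroot or not using the AUR at all is the stronger control.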

WhyNotHugo 5 hours ago||
This is one of the aspects of AUR which never fully convinced me: it purely hosts user-generated content; there's no review process or the like.

I'd really prefer to see a model where a 'community' repository contains user submitted packages which have at least one Trusted User review the package before it's merged in. This doesn't just prevent malware, but also common mistakes in general.

kpcyrd 4 hours ago||
This is essentially what the [extra] repository is. Not using the AUR and sticking to official Arch Linux packages exclusively is a very valid and reasonable choice (that I follow myself actually).

A large number of "an Arch Linux update broke my system" reports are very likely due to incorrect AUR use that AUR helpers don't handle for you. There's an elaborate writeup here from just 2 months ago: https://lists.archlinux.org/archives/list/arch-dev-public@li...

WhyNotHugo 3 hours ago||
Unless things have changed in recent times, packages in [extra] are maintained by TUs. Random users can't submit packages.
carols10cents 3 hours ago||
How does a user become a Trusted User? Who is paying them to review everything?
cf100clunk 4 hours ago||
Lots of discussions now, from different source articles:

https://hn.algolia.com/?dateRange=last24h&page=0&prefix=fals...

Retr0id 8 hours ago||
I haven't used Arch for a few years now, but when I did the AUR was my favourite aspect.

It was never perfect from a security PoV, but in 2026 this kind of trust model feels increasingly scary.

goodpoint 6 hours ago|
We are pretty far from "never perfect"
secret-noun 7 hours ago||
Here's a commit showing how they did it: https://aur.archlinux.org/cgit/aur.git/commit/?h=pass-cli&id...

Internet archive URL: https://web.archive.org/web/20260611213640/https://aur.archl...

hootz 5 hours ago||
There are some AUR hooks that can help. I use https://github.com/Sohimaster/traur which also has scans for orphan package takeover patterns.
lordleft 8 hours ago||
This is especially gnarly as more people have been picking up arch distros as of late (like CachyOS).
nickjj 6 hours ago||
On the bright side you can get quite far without the AUR.

I have 1,135 packages installed. Only 3 top level packages are from the AUR and 2 of those 3 are from the same author, they just happened to split their packages into a client / server architecture.

simoncion 5 hours ago||
This is similar to my situation with Gentoo. Across my Gentoo systems, I have exactly one package installed from an "overlay" [0], and that's Steam. Everything else is straight out of the official package tree.

[0] ...which is -IIRC- Gentoo's term for a user-provided and entirely-unvetted collection of packages...

scary-size 8 hours ago||
Installed CachyOS to replace my Win 10 installation a month ago. Not looking back! But yeah this sucks, I've mostly used Ubuntu with apt in the past. Pacman and makepkg felt a bit weird to use in the beginning.
Matl 5 hours ago||
Best to stick to official repositories only.
yaakushi 5 hours ago|
Not the first time this has happened recently. There were a few emails in the AUR list a few weeks ago about malicious packages, and a few reports on IRC too. The only difference in the campaign back then was the malicious npm package name (`linux-utils` in the campaign a few weeks ago).