Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages

Posted by qwertox 3 hours ago

Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages(www.phoronix.com)

163 points | 69 comments

embedding-shape 3 hours ago|

As always a fair reminder to not install random 3rd party packages/libraries/applications without reviewing them, especially when there is zero vetting. Luckily this was constrained to AUR, which basically is a free-for-all package repository, with users being warned multiple times that it's vital to review anything before you install it, compared to the official repositories.

`rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on. Keeping the amount of packages low, only use what you need, also makes this a whole lot simpler when it's time to upgrade.

cosmic_cheese 1 minute ago||

I think it’s a great argument for some combo of immutable system files, installation of packages as user-local by default (making elevated manager privileges unnecessary), and components and programs being as little privilege as possible by default.

There’s bits and pieces of this in place with immutable distros, Wayland, and Flatpak but notable holes remain. The biggest one is that sandboxing is tied to the package format which I think is a mistake. Sandboxing and access permissions should be a system-level thing so even arbitrary binaries can’t easily slip through the cracks.

This wouldn’t fix the problem entirely, but it’d greatly limit the blast radius and make users of the distribution a less juicy target.

dbgobrrr 2 hours ago|||

> users being warned multiple times that it's vital to review anything before you install it, compared to the official repositories.

I think this stance should be re-evaluated. Arch Linux developers are doing a fantastic job and I am personally thankful to them - this is not in any way critical of them. And while I don't see an easy solution here, I just feel that the time of "warning users" is long gone with how much supply-chain attacks are ramping up these days.

Some other controls could at least alleviate the problem. Perhaps some form of peer-review and grace period before publishing could help here?

anon7000 1 hour ago|||

Idk. Arch does have official repositories that are actively maintained and vetted. AUR is for the vast amounts of random software that isn’t popular or important enough to be officially maintained.

I’m not sure how to find a balance. One reason to use Arch is to always have the latest software, especially if you’re gaming. (Need to run very recent kernels, GPU drivers, and DEs to support new graphics cards.) So that’s very different from other stable LTS distros which carefully pick the package updates they incorporate.

Anyways, I do agree package cooldowns and such make a lot of sense. Package managers should be pulling out the stops on all the free controls they can implement. I can understand why anything requiring compute or maintainer time is a non-starter. (Sidebar: I don’t feel the same way about npm. Microsoft can afford to run malware scanners and analysis tools on npm packages.)

https://wiki.archlinux.org/title/Official_repositories

beej71 39 minutes ago||

There's some big stuff in AUR like the binary VS Code and Chrome, fwiw.

newsoftheday 27 minutes ago||

I'm on Kubuntu and I install VS Code using Microsoft's repo and Chrome using Google's repo. Also I do Wine and Docker using their own repos. I can't imagine VS Code or even Chrome being put into the mainstream Kubuntu/Ubuntu repos nor why such a burden should ever be shifted to Canonical.

tjoff 12 minutes ago||

Since you are using the official repos thats not an issue. The issue is when the package creator is some rando on the internet.

mcv 47 minutes ago||||

It's definitely a sign that popular packages should be moved from AUR to the official repository. I've got some stuff from AUR simply because it's something I need and that's where it is, and I never really verify it's safe; I just trust it blindly. Clearly a bad idea. I guess I should learn to avoid AUR and when I do use something from it, we more aware it's an exception and I need to check it more thoroughly. That's something I normally only do only for stuff that's neither from AUR nor the official repo.

axus 18 minutes ago||

How much work is created (and for who) when a package is moved to the official repository?

embedding-shape 2 hours ago|||

Personally, what you suggest would defeat the purpose of the AUR, and what you describe is already applied to the official packages. If you want only the safe and stable stuff, don't use random packages from AUR :)

mcv 53 minutes ago|||

It's still surprising someone was able to infect so many packages. But I admit I don't really know how AUR works. Can anyone with access simply update anything? Do packages not have owners who check contributions?

jorams 39 minutes ago|||

Packages in the AUR have some number of maintainers. When a maintainer no longer wants to maintain the package they can disown it, and when all maintainers do so the package becomes orphaned. An orphaned package can then be adopted by any user.

At any time there's a large number of orphaned packages in the AUR, and the attacker(s) targeted those.

embedding-shape 38 minutes ago|||

> But I admit I don't really know how AUR works

It's basically GitHub (in terms of "User's generated content") but tailored and specific to Arch/Arch-derived distributions. Packages have owners, but everything is very "freeform" in general on the AUR. It wasn't uncommon you could be added as a maintainer by just sending a mail to the current maintainer, since it's basically "Hey let me contribute to your repository" (simplified), today people keep track a bit better and avoided that I've seen. But still, it's on a individual basis.

Just like GitHub, AUR is completely devoid of peer-reviews, users uploads their own PKGBUILD and share with others, and the expectation is that users review stuff before they install it, just like on GitHub, or just like on the internet in general.

tempest_ 11 minutes ago||

Yeah, the AUR is basically build scripts for github repos or a link to someones pre-built binary. It suffers from all the same problems that the underlying infrastructure suffers from. You could very easily argue that since github/npm/cargo/<your package manager of choice> has a supply chain issue so does the AUR.

cge 2 hours ago||

>`rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on.

What review should users do?

It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest. This was a mass attack against mostly low-use/orphaned/etc packages where maintainership was taken over or a different user uploaded a new version (itself a very simple, low-notice, low-oversight process), and many of the packages clearly had no connection to Node.js at all, so a user who knew enough about each package, and knew what npm was, might notice the oddity in the package, if they reviewed every line of the PKGBUILD, then reviewed the install scripts.

But legitimate AUR packages for packages connected to Node.js also use npm, for example, and at times, use npm install. A user would have to be familiar enough with Archlinux's build system to understand the difference between each part (eg, build() vs install scripts). They'd have to review every PKGBUILD, every install script, and every patch of every AUR package they install. For packages that actually do use npm/bun, they'd have to be familiar enough to know what uses were legitimate and what uses were not, and might have to be up to date on compromised dependencies. And this is still considering a mass attack that was not particularly hidden. Attacks could be made much harder to find.

Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system. They need to learn how to do this with, as far as I can tell, no real guidance: AUR itself, and the wiki's page on it, just warn that users should carefully review the PKGBUILD and install scripts, without giving any substantial guidance on what to look for or how to review anything. The warnings feel much more like liability-reduction than an attempt to be helpful.

At that point, what is AUR actually offering that installing the upstream package isn't? It feels like the suggested 'safe' way of using AUR would make it just as much work for the user, and require just as much knowledge, as either installing the upstream directly, or even making a package for it.

There is perhaps some room for LLM analysis here: Opus 4.8, Kimi latest, and even Qwen3.6 27B quickly catch at least the current round of malicious packages in my tests. But a motivated attacker could make that more difficult, or dangerous. And a user could also just have those models install the upstream package, with less risk. If they want to use pacman for management, they could likely even have those LLMs generate a package, with less risk.

embedding-shape 42 minutes ago|||

> What review should users do?

The same sort of review you'd do if a stranger sends over a project and says "compile and run this" and you actually want whatever it's supposed to do, so you start looking through it.

> It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest

That's very suspicious if the package you're about to install doesn't seem to actually need those things. Since "AUR === random strangers on the internet with zero trust", then you need to pay attention to those sort of things.

> Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system.

Yes, indeed. Same as if you come across a random C++ project on GitHub with 2 stars, do you just pull down the source and compile willy-nilly? Probably not, you carefully inspect it can actually do what you want, how it does it, and so on. AUR is basically like GitHub in this case, zero peer-reviews and users fully responsible for whatever they install.

> At that point, what is AUR actually offering that installing the upstream package isn't?

PKGBUILDs, so you don't have to write them yourself. Not more, not less, just a central place for random strangers to share PKGBUILDs that may or may not work for others.

beej71 29 minutes ago||

I hear you, but consider xz. I'm a professional with decades of experience and I'd be lying if I said I'd have caught that. How long would an audit have taken, realistically? You're not wrong, but I don't think the GP is, either.

SCdF 55 minutes ago||||

Not all tools are made for inexperienced people. Not everything is idiot proof. This is OK!

In my experience using the AUR:

1. when you first install the package you can read the build script (and you should). These are in a very standard structure, and if the one you are reading is weird and complicated consider not installing it. No one is forcing you to. Almost every build script I read just downloads a build from a tagged github release.

2. when you get an upgrade you are shown the diff. For almost every AUR package I use this is literally just changing the $VERSION variable and the subsequent $HASH of the download. It is trivial to see if anything (in the AUR script) is happening that is sneaky.

It's really not that scary. And if it's considered scary, there are literally dozens of other linux distros (not to mention Windows or MacOS) you could be using instead.

cge 11 minutes ago||

I'm not asking for myself. Yes, I understand the build process, and know what to check. I've also written PKGBUILDs before and have had packages in AUR. I'm sure you understand it too, as well as many people here.

But many users don't. As far as I can tell, there is very little actual guidance about what to look for, not even to the extent of what you explain here, on the wiki. Users are told to check the PKGBUILD, and warned about AUR-helpers being dangerous, but in practice, it seems AUR-helpers are widely used, and many users likely just click through PKGBUILDs they won't be able to understand.

And, again, this attack was a relatively obvious one. Other attacks could be made much harder to notice.

Worse, distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves. Unlike ArchLinux, those sometimes do seem to promote AUR-helpers. In some cases, those distributions are apparently including AUR-sourced packages in their actual repositories.

Questions about these topics often result in typical Archlinux hostility. And in some sense, that's understandable: there are other distributions that most users should be using, and the frustration of people using Archlinux who shouldn't be is wearing. It is nice to have a distribution that offers the flexibility and space for experimentation that Archlinux does. It's one of the reasons I use it on some of my machines, while at the same time recommending against most others using it.

To some extent, this is just a wide cultural difficulty with Linux, and there isn't a clear answer. On one hand, you want enough gatekeeping to keep users away from potentially dangerous systems they have no interest in understanding, and that they'll rely on without understanding in situations where they shouldn't. On the other, you don't want to keep out users who are interested in learning.

yjftsjthsd-h 1 hour ago|||

> At that point, what is AUR actually offering that installing the upstream package isn't?

It produces package files that pacman can use. Sure, you can curl|sh or whatever, but that's a good way to litter stuff all over that you can't track or uninstall cleanly.

anthonj 3 hours ago||

I cringed hard when some people started to make pacman wrappers that could install from AUR directly.

I've installed stuff from the aur before but most of the times I prefer to skip the middleman and just navigate to the project website. A premade pkgbuild is not convenient enough to take the risk of typoquatting or the tactical npm or pip dependency.

OJFord 2 hours ago||

`yay` (one such wrapper) shows me the PKGBUILD diff on every update. The first time I install something I verify the URL, and check any install script etc. seems sensible; the vast majority of subsequent updates are changes to just version number & checksum. A typosquat attack would be very obvious.

(It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)

anthonj 2 hours ago||

But it's one middle man less.

Git repo have been attacked other times in the past, but a 500/1000 stars project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes. I still use the aur for simple cases, but when I see aur packages depending on multiple other aur packages I immediately leave.

Grombobulous 2 hours ago|||

For me, this tradeoff isn’t worth it. I didn’t switch to Linux so that I can waste time going to websites and clicking “download” to update my programs like a Windows user.

The pacman wrappers you mention are crazy, though.

anthonj 2 hours ago||

I get it, but you only need to do that for the odd cases of packages not present in the official repo (not that common at all for me at least).

Also if the software is downloaded in the form of a git repo, you only needed to checkout the new tag and rebuild, don't need your browser at all.

mananaysiempre 1 hour ago|||

You then get the advantage of the OS’s package manager accounting for everything, however. It’s quite nice to not wonder whether there’s random stateful detritus throughout your system and what it might be affecting. (OK, to be honest there still will be, but much less of it, and a greater part of it will be attributable.)

bitmasher9 2 hours ago|||

I think the existence of the AUR puts less pressure on the official repository to have all popular software.

saghm 1 hour ago||

I think it's also a bit of a testing ground for the main repos as well. I maintained the `ruby-build` AUR package for a couple of years after the previous maintainer wanted to step down, but they eventually added it to the main repos and now it's maintained by one of the official people. (I don't recall ever having to do more than paste in the new release tag into the PKGBUILD each time and then generate the new .SRCINFO and checksums in terms of actual maintenance, although I'd test locally first before pushing of course).

pixelpoet 2 hours ago|||

> typoquatting

Perfect demonstration!

mqus 2 hours ago||

This sounds like your update process is quite involved then. Or do you just not do it?

anthonj 1 hour ago||

I only have a couple of things in /opt/ and some manually installed fonts, and vim plugins in my home. Everything else that I don't use often lives in the original cloned git repo in /home/projects and never really gets installed.

Of course the process breaks down for a large amount of packets, but I've never been in that situation. In part because the official repo is already large, and in part because I like minimalism.

If that even became an issue, I would manage a personal set of pkgbuild probably.

mkayokay 1 hour ago||

So from a quick read, it seems it installed "atomic-lockfile", "js-digest" or "lockfile-js" from npm. A list of affected packages is here [1].

Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date related infos:

> pacman -Qmi

Check the output against the list of affected packages.

Then, you can also grep for those files in various locations: > grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json"

> grep -rl "atomic-lockfile" ~/.npm 2>/dev/null

> grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null

Don't know if the packages delete themself after they run. I just wanted to provide some basic commands, as all the other infos I found didn't provide any help.

[1] https://md.archlinux.org/s/SxbqukK6IA

jeroenhd 1 hour ago||

The attacker used at least three Node dependencies in the attack, just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm.

DavideNL 56 minutes ago|||

Also see: https://github.com/lenucksi/aur-malware-check

stefan_ 14 minutes ago||

I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform.

fooqux 31 minutes ago||

For those worried, I found a repo with a collection of up-to-date scripts and package lists to help check for any infections: https://github.com/lenucksi/aur-malware-check

bitmasher9 2 hours ago||

I’m not on Arch Linux, but I am on NodeJS a lot, which frequently suffers from similar types of attacks.

Who is doing package management right these days? Who is doing it securely?

fooqux 1 hour ago||

The AUR is user supported and thus malware sneaks into packages all the time, although admittedly not to this scale. Still, it's pointedly not secure and has always had "here be dragons" signs plastered all around it.

graemep 1 hour ago|||

Arch is fine if you do not use AUR. If you use AUR check everything.

Most distros are too. All the big distros have pretty good track records.

anon7000 1 hour ago|||

There are definitely LTS distros where the official packages are not updated ASAP. Npm lets package authors publish new versions to all users immediately. Anything that doesn’t allow that is better. Some distros only incorporate patch/security updates for example.

AUR is worse, in that there may not be official authors and you can take over releases of a package. Like, you’ll have random users publishing the release for some application that doesn’t have their own Arch release. And if that user disappears, someone else may take it over

landdate 1 hour ago|||

Running external code will always be a risk. Even if it is not intended to be malicious it could still have issues that compromise security.

Read the source. If you don't have the time then you shouldn't run the software.

tobyhinloopen 1 hour ago|||

Min Release Age of 7-30 days covers the majority of potential issues with 0 effort.

All major Node package managers should support it by now.

Prom was the best IIRC, yarn second, but even npm is catching up

halfcat 1 hour ago|||

> Who is doing package management right these days? Who is doing it securely?

QBASIC. When you need a package you type it in from a magazine. Virtually anything you could ever need is only 1-12 weeks away.

vunderba 47 minutes ago||

QuickBasic, the commercial version of QBASIC, also supported BI files. These could be used to bundle shared code for things like high-precision timers, interrupt usage, etc.

dist-epoch 1 hour ago|||

It's a lost battle.

Everything will need to be run in a VM separated from your main desktop which should have your data and a minimal amount of apps.

Qubes OS was ahead of it's time.

simoncion 22 minutes ago||

> Who is doing package management right these days? Who is doing it securely?

The malware was limited to package sources that I understand to be disabled by default, if you're using Arch Linux. These package sources carry clear warnings that the packages they provide are controlled by third-parties and entirely unvetted by the distro maintainers. [0][1]

If your assertion is that any package management system that permits the installation of packages that aren't vetted by the maintainers of the -er- OS that uses that package management system is "not doing it securely", then the only one that's even vaguely "doing it securely" is Apple's iOS.

I'm of the opinion that permitting users of a general-purpose computer to install arbitrary software is a good thing, and is pretty much the entire point of a general-purpose computer. I'd call computers that make that effectively impossible "appliances". There's very definitely a place for appliances, [2] but seeking to turn every computer into an appliance is massively destructive.

[0] <https://aur.archlinux.org/>

[1] <https://wiki.archlinux.org/title/Arch_User_Repository>

[2] Reliable computers that you never have to think about because they simply never fail to perform the useful tasks they were designed to do are great.

landdate 1 hour ago||

> It was bad enough when finding out more than 400 AUR packages for Arch Linux users had been infected with malware but now that number has risen to around 900 a few hours ago and now in the end at more than 1,500 user-contributed packages.been infected with malware

I never had a need for the AUR.

If I want a package not in the official repository I build it myself or if it has a binary release I will download it. this way i don't have to use root when building and can have program installed locally just for a single user which is how it should be anyway for most desktop use cases.

At least in this way there is one less level of possible malicious code insertion in developer -> user, vs develeper -> maintainer -> user.

NekkoDroid 5 minutes ago||

> this way i don't have to use root when building

`makepkg` will actively refuse to run if you are invoking it as root (unless you specifically invoke it with something like `env EUID=123 makepkg ...`).

> and can have program installed locally just for a single user which is how it should be anyway for most desktop use cases.

I do wish pacman would support a user level installations. It will refuse to install packages as non-root (which you can go around by using user namespaces and mapping yourself to root).

well_ackshually 1 hour ago||

[flagged]

28304283409234 1 hour ago||

Could we be heading towards a world where it's just more secure to write inhouse software again, only now with AI agents? Not closed source per se, but 'own source'?

iknowstuff 1 hour ago||

Seems cheaper (and so far more robust) to have an agent audit downloaded code

jl6 1 hour ago|||

The endgame is to generate a binary image for an entire single-purpose OS/unikernel that does exactly and only what you require of it. No source to open or close.

dontfeedthemac 1 hour ago||

this

robby_w_g 2 hours ago||

I’ve made a point of not installing any AUR packages. It’s really tempting when there’s a package that’s not available via pacman, but at the end of the day I’d rather build from source myself or use a docker image.

anothermoron 59 minutes ago|

[dead]

sunshine-o 1 hour ago||

This is something that worries me with a distribution like Alpine Linux.

It is hard to avoid a package like chromium [0] or firefox which are in the "community" repo. Now have fun check it at every update, this is not practically feasible.

For the web browser one can say we should use Flatpak anyway but there are a lot of other apps like sway from the community repo that cannot be flatpaked.

- [0] https://pkgs.alpinelinux.org/package/edge/community/x86_64/c...

Simulacra 29 minutes ago|

This is my fear with Linux and privacy - malware that leaks private data while using ie Tor, or other "anonymous" programs.

More comments...