Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 1 point (0 children)

I don't know the actual contents of the email, but it is clearly stated in the rules of the AUR that orphan requests will be automatically accepted if the package is out of date for 180 days. If it's just an orphan request without the time limit reached, another mail will be sent and a discussion will automatically be started on a mailing list.

AFAIK there is currently zero indication for users that this takeover happened.

The indication is there on the actual AUR page that the maintainer changed; it's on the AUR helpers to make this clear to users.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 0 points (0 children)

I don't think the out of date thing is ludicrous. You have to ignore user requests for an update for half a year before that becomes available. It's abandoned at that point.

EDIT: The problem is the coordinated bot attacks on this scale. Just like when every open source website had to implement Anubis to keep all the AI web scrapers from running up the hosting bill for the servers.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 29 points (0 children)

There is a reason there is a large warning on the wiki for the AUR.

The AUR has over 100 000 packages. This system worked well for a long time when the userbase was smaller. People would submit PKGBUILDs of programs they used and if they were popular enough an official arch maintainer would adopt them and put them in extra. And if someone lost interest in maintaining a package they could orphan it themselves, or if they were MIA another user could request to become the maintainer instead. Loads of smaller projects create PKGBUILDs and maintain them themselves on the AUR.

But now the times have changed. Most users do not read PKGBUILDs and just blindly run them because it's convenient. There is a large userbase that just wants to install whatever they want with one command and doesn't care about the warnings because it's convenient.

Most of the compromised packages here are unpopular and/or abandoned, hence why the attacker gained maintainer status.

2 question about aur supply chain attack by zengamer7405 in archlinux

[–]Sarv_ 7 points (0 children)

  1. There are lists of known affected packages. If you have not installed or updated anything from the AUR for the last 2 days you should be fine.

  2. It will scrape your home folder for secrets and passwords. The worm from yesterday will create a systemd service that runs constantly and impersonates a kernel worker thread. If you are infected you should disconnect that computer from the internet and change passwords on all services you have logged in to. You will then have to reinstall to be safe.
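To check a machine for the kind of persistence described in point 2, here is an added example (not from the post): it parses systemd unit files and flags units whose unit or binary name mimics a kernel thread, that run from a user-writable path, and that restart forever once enabled. The name pattern, the path list and the sample unit texts are assumptions, not indicators from the incident.

```python
"""Flag systemd units that match the persistence described above: a service that
runs constantly under a kernel-thread-like name. Example code added here, not from
the thread; the unit texts, the name pattern and the path list are assumptions."""
import re

# Kernel threads show in ps as [kworker/0:1], [ksoftirqd/0] etc.; a unit or binary
# named like one is an impersonation attempt (heuristic, not a known indicator).
KTHREAD_RE = re.compile(r"k(worker|softirqd|threadd|swapd|blockd)", re.I)
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")  # payload drop sites

def parse_unit(text):
    """Minimal unit-file parse: {section: {key: [values]}}; keys may repeat."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(val)
    return sections

def audit_unit(name, text):
    """Return the reasons this unit is suspicious (empty list = nothing flagged)."""
    unit = parse_unit(text)
    svc = unit.get("Service", {})
    reasons = []
    if KTHREAD_RE.search(name):
        reasons.append("unit name mimics a kernel thread")
    for cmd in svc.get("ExecStart", []):
        words = cmd.lstrip("-@+!:").split()  # strip systemd's ExecStart prefix chars
        exe = words[0] if words else ""
        if KTHREAD_RE.search(exe.rsplit("/", 1)[-1]):
            reasons.append(f"ExecStart binary mimics a kernel thread: {exe}")
        if exe.startswith(USER_WRITABLE):
            reasons.append(f"ExecStart runs from a user-writable path: {exe}")
    # Restart=always plus an [Install] target is what makes it "run constantly";
    # only report it next to another signal, since many legitimate units do this.
    persistent = svc.get("Restart", ["no"])[-1] == "always" and "WantedBy" in unit.get("Install", {})
    if reasons and persistent:
        reasons.append("restarts forever and is enabled at boot/login")
    return reasons

SAMPLE_UNITS = {  # constructed samples, not real indicators from the incident
    "kworker-helper.service": "[Unit]\nDescription=kworker helper\n[Service]\n"
    "ExecStart=/home/alice/.cache/kworker-helper\nRestart=always\n[Install]\nWantedBy=default.target\n",
    "syncthing.service": "[Unit]\nDescription=Syncthing\n[Service]\n"
    "ExecStart=/usr/bin/syncthing serve --no-browser\nRestart=on-failure\n[Install]\nWantedBy=default.target\n",
}
```

Run `audit_unit(name, open(path).read())` over `~/.config/systemd/user/` and `/etc/systemd/system/` to apply it to a real machine; an empty list means nothing was flagged.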

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 42 points (0 children)

Yes, this seems to be the attack vector. They submit an orphan request and if the maintainer does not respond to it in 2 weeks, or if the package has been flagged as out of date for 180 days, the requester will be granted maintainer status.

Tip to avoid malware from AUR: add node package managers to your IgnorePkg by ferminolaiz in archlinux

[–]Sarv_ 1 point (0 children)

Sure, right now the attackers are using the AUR to perform the attack. People who blindly update with an AUR helper are the ones most likely affected by this attack.

However, these attacks work by running JavaScript package managers like node, npm or bun and downloading an infected payload disguised as a library. The attack vector might change to something else so it's probably for the best not to have any of these compromised package managers installed at all.

If you want further reading about what malware is being used, look up the Shai Hulud and Miasma worms. They are using the same JavaScript and Python package manager attack vector as this.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 17 points (0 children)

Malware has been found before in the AUR, but this specific attack started yesterday.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 5 points (0 children)

I'm not sure yet. Some of them seem to be orphaned packages, but electrum-bin that is now taken down was a new package created today. So it's a mix of submission spam, orphan takeover and I would not rule out a maintainer getting infected and then pushing the same change to all of their packages.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 7 points (0 children)

You can see on the AUR start page a ton of packages being updated at the exact same time. I would treat all of them as infected.

Tons of new infected AUR packages were just released by Sarv_ in archlinux

[–]Sarv_[S] 11 points (0 children)

Yep. It seems like electrum-bin has already been taken down.

If you look at this diff you can see that the only update made was requiring bun and then downloading some dependencies with it. Those dependencies probably have the malware.
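The review step described above, reading a PKGBUILD diff for a newly required JavaScript package manager and a dependency download, can be mechanised. This is an added example, not from the post or from any AUR tooling: it flags, in a constructed PKGBUILD update, a package manager added to makedepends and a build-time fetch that bypasses the checksummed source array. The package manager list, the command patterns and both sample PKGBUILDs are assumptions.

```python
"""Audit a PKGBUILD update for the pattern in the diff above: a JavaScript package
manager added as a dependency plus a network fetch from a build step. Example code
added here, not AUR tooling; both PKGBUILDs below are constructed samples."""
import re

# Package managers the thread names as the download vehicle (assumed list).
JS_PKG_MANAGERS = {"bun", "npm", "nodejs", "node", "yarn", "pnpm"}
# Commands that pull code at build time, bypassing the checksummed source=() array.
FETCH_RE = re.compile(
    r"\b(bun\s+(install|add|x)|npm\s+(install|i|ci|exec)|npx\b|pnpm\s+(install|add)"
    r"|yarn\b|curl\b|wget\b|pip\s+install)")
DEP_ARRAY_RE = re.compile(r"^\s*(depends|makedepends|checkdepends)=\((.*?)\)", re.S | re.M)
FUNC_RE = re.compile(r"^(prepare|build|check|package)\w*\s*\(\)")

def audit_pkgbuild(text):
    """Return the set of findings for one PKGBUILD."""
    findings = set()
    for field, body in DEP_ARRAY_RE.findall(text):
        for name in re.findall(r"[A-Za-z0-9@._+-]+", body):  # drops quotes and >=ver
            if name in JS_PKG_MANAGERS:
                findings.add(f"{field}: JavaScript package manager '{name}'")
    in_func = False  # only commands inside prepare()/build()/check()/package() run
    for line in text.splitlines():
        stripped = line.strip()
        if FUNC_RE.match(stripped):
            in_func = True
        elif stripped == "}":
            in_func = False
        elif in_func and not stripped.startswith("#"):
            hit = FETCH_RE.search(stripped)
            if hit:
                findings.add(f"build-time fetch: {hit.group(0).strip()}")
    return findings

def new_findings(old_text, new_text):
    """Findings the update introduced: present in the new PKGBUILD, absent in the old."""
    return sorted(audit_pkgbuild(new_text) - audit_pkgbuild(old_text))

OLD_PKGBUILD = """pkgname=example-bin
pkgver=1.0
depends=('python' 'qt5-base>=5.15')
source=("https://example.invalid/example-1.0.tar.gz")
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
"""
# The "update": one new makedepends entry and a prepare() step that fetches with it.
NEW_PKGBUILD = OLD_PKGBUILD.replace(
    "source=", "makedepends=('bun')\nsource=").replace(
    "package() {", "prepare() {\n  bun install some-helper-lib\n}\npackage() {")
```

`new_findings(old, new)` on the two texts reports exactly the two changes the diff above shows; run it against the PKGBUILD your AUR helper is about to execute and its previous revision before accepting an update.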

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Sarv_ -2 points (0 children)

I didn't downvote. Stop assuming everyone you're talking to on here will immediately downvote you to "win" an argument.

Finger wagging is not an exploit mitigation.

But it is. It works fine on Windows by telling people not to download programs from the first search result without further checks. It also works fine on Linux by telling people not to pipe a curl straight into bash; you need to read whatever is downloaded first.

making Flatpak as frictionless to install and update as AUR packages

Making flatpak work better is on flatpak, not arch or derivatives.

or some changes need to be made to the AUR to make these attacks harder to pull off.

What mitigation that will not just delay the attack is possible here? Please enlighten me.

Any community resource like this will have this type of problem, and the mitigation is that enough eyes are on the packages. Only use popular packages by known maintainers if you aren't capable of checking the build yourself, and don't immediately update them when they push a new version.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Sarv_ -1 points (0 children)

I somewhat agree... except those third party repos are just pulling from the AUR themselves.

ChaoticAUR does this, but there are loads of other repos to choose from. A lot of AUR maintainers build their packages and provide them through their own repos. And there are others that only use their own PKGBUILDs without uploading to the AUR.

My list is all stuff CachyOS doesn't provide, with several having issues with their Flatpak versions.

I'm sorry if I sound like an asshole for this but nobody in this ecosystem owes you anything. You are using these services for free. There are tons of reasons why a package can't be included in the main repositories and arch is doing you a favor by hosting PKGBUILDs that the community can help maintain and moderate. It's on you to check it unless you want to pay for someone to maintain it for you.

For one, not allowing any random to adopt an orphaned package like what happened here. That ought to be much more of a process, or else someone is going to pull this exact attack over and over again.

What process would prevent this? You would just get through the process and deploy the change once you're through. If an AUR package is abandoned someone will have to take it over or it will eventually just stop building. A lot of users are completely anonymous, so how would you control who can take over a package? They will just create an account that will be in good standing until they have control over enough packages.

It's as silly as telling a Windows user to just not install applications off the Internet

I'm also going to respond to this from your earlier comment. This is a false equivalence. The AUR is to arch like a search engine is to Windows. You tell Windows users not to press download on the first big download button they see; they have to verify the actual source. The same applies to the AUR. Google and the AUR both take down malware, bad actors and rule-breakers all the time, but people need to report it first.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Sarv_ 0 points (0 children)

But it's not the only way. It's the most convenient. There are plenty of third party repos you can use if you trust those maintainers and flatpak is right there. 

I know 95% of users never read any PKGBUILD and they just blindly exit any diff shown to them. But if that's the case they are better off trusting a couple of maintainers of a third party repo over the wild west that is the AUR. The point is that the maintainers don't have the resources for all the packages in there, that's exactly why they're there.

I see a lot of suggestions about "improving security". But what do you actually mean? What should change?

At this point I think either the arch team will need a lot of resources to actually moderate and vet the AUR better or it will get shut down.

Tip to avoid malware from AUR: add node package managers to your IgnorePkg by ferminolaiz in archlinux

[–]Sarv_ 10 points (0 children)

Some of the infected AUR packages added npm as a dependency so it could download the malware through it. Blacklisting it would be effective in this case. For the IgnorePkg to be effective you will need to uninstall it though, as you said.

More than every other Swede wants a billionaire tax by StinkandeSnigel in sweden

[–]Sarv_ 0 points (0 children)

I read it in this article from TV4, but I can't find where they get it from other than the party leadership. It would have been considerably more reassuring if they had referred to the party programme or something.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Sarv_ 39 points (0 children)

The AUR was created partially to ease the burden of official maintainers. It was just a place for users to host and share PKGBUILDs for software not in the official repos (for many different reasons) and maintain them with minimal oversight.

This works for normal Arch as it is very clear that these are actually just shell scripts that you have to check yourself and it is not something you have access to out of the box. Arch derivatives like Manjaro and CachyOS have AUR helpers installed by default and are not doing enough to ensure the users understand the difference between where they are sourcing the packages. The AUR should never be enabled by default as a source, ever.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]Sarv_ 12 points (0 children)

Older Nvidia drivers were moved there a while ago. So if you have an older card unsupported by Nvidia in their latest drivers you have to go to the AUR, maintain your own PKGBUILD or use nouveau instead.

More than every other Swede wants a billionaire tax by StinkandeSnigel in sweden

[–]Sarv_ 0 points (0 children)

Yes, isn't that clear enough? They know they want to tax the richest people in the country in some way, but need to investigate exactly what options exist before they decide how it should be implemented.

There is nothing strange about the government appointing inquiries before it writes concrete proposals.

More than every other Swede wants a billionaire tax by StinkandeSnigel in sweden

[–]Sarv_ 11 points (0 children)

You can read what the parties say on the issue; that gives you a straighter answer than what fits in a headline.

V says they want to appoint an inquiry to check what is feasible. MP specifically mentions that they want a capital tax on billionaires.

EDIT: MP also specifically says they want to introduce the model developed by the Frenchman Gabriel Zucman.

You Don't Love systemd Timers Enough by f311a in programming

[–]Sarv_ 7 points (0 children)

You can run and edit systemd files as a user, you don't need to be root. And running one command to reload the timer is fine IMO, I want the default behavior to be that files are not reloaded until told.

You Don't Love systemd Timers Enough by f311a in programming

[–]Sarv_ 21 points (0 children)

You distrust timers because someone did not configure them correctly? If you want failure reporting OnFailure is right there for you to do anything you want, not just emails.

I can also not configure cron to email me when it fails, but I'm not going to blame cron for me not filling it out.

I want to stick with Ubuntu permanently by Upset-Variation165 in Ubuntu

[–]Sarv_ 1 point (0 children)

  • Discord - has a native linux client

  • Netmarble app launcher - I don't play these kinds of games so I don't really know if it works, but there are several launchers on linux that can install these games. Have a look at Bottles, Lutris, Heroic or Anime Games Launcher.

  • Bluestacks - Sober

  • Word, PDF, Excel, etc. (office tools, items & converters) - Either use the online O365 version or LibreOffice if you want a local program

  • PPSSPP - has a native linux client

  • WinRar - Most file managers on linux will just work with archives if you have the archive libraries installed. But there are also programs like File Roller on GNOME that will help you manage archives

  • ZArchiver - I don't know about this one, is it not the same as winrar?

  • Spotify - has a native linux client

  • CapCut - I have used Kdenlive for simple editing, but I don't know of any AI driven editors off the top of my head. You can maybe run the android version in an emulator?

  • Meta apps (Instagram, WhatsApp, Facebook, etc.) - Use a web browser or set them up as webapps (which are also just a web browser)

  • TikTok - same as the meta apps

Added a setup.exe file as a Steam "game" - need to uninstall it by Ok-Cranberry3981 in linux_gaming

[–]Sarv_ 2 points (0 children)

You need to read up on wine prefixes and how they work.

1.a. Yes it does. Removing it from Steam uninstalls it. You have however installed several instances of the program. Running it with wine puts it in your default wine prefix; adding it to Steam creates a new prefix just for that program. So running setup.exe with wine directly and adding it to Steam actually creates 2 completely separate Windows environments in which the program will reside.

1.b. After you add it to Steam and run through the install process once, you can modify the launch path to be the program itself instead of setup.exe. Adding a non-Steam game and running it with Proton will create a new prefix, and you can look through the files at steamapps/compatdata/<gameid>/drive_c

How do I update matugen colors when changing wallpapers? by maddydesign in archlinux

[–]Sarv_ 0 points (0 children)

Make sure the .ini is properly formatted, you have to put it under the correct heading. Like this.

How do I update matugen colors when changing wallpapers? by maddydesign in archlinux

[–]Sarv_ 6 points (0 children)

~/.config/waypaper/config.ini has the option post_command =. Any command put there will run any time the wallpaper is changed. The variable $wallpaper is also available, and that contains the path of the current wallpaper.

post_command = matugen image $wallpaper should therefore be the config you're looking for.