Ah cool, Archlinux had another oopsie-whoopsie that was only communicated on the mailing lists.

They found malware on the AUR. Reminder that anyone can put stuff on the AUR and when an AUR client offers to let you inspect the package build scripts, it's because it's no one's job to make sure the package is safe.

"But people tell me to install stuff off the AUR all the time and I'm no dev that can understand these scripts" -- Yup! This is one of Arch's primary problems. It's why they make it non-trivial to bootstrap into getting stuff off AUR to begin with, but that's not enough when 98% of Arch users need something off it.

Weh.

[SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware - Aur-general - lists.archlinux.org

@trysdyn @eclairwolf encouraging users to use random community maintained packages over ones in robust distribution repositories is a terrible practice
@livingshredder @trysdyn extremely agree. also cannot count the number of aur packages that are just fuckin' broken out of the box lmao

@eclairwolf @livingshredder @trysdyn None of this is an Arch issue. There's no AUR helper in the repos even, let alone any official encouragement to use it; everything the user is doing is at their own risk.

@oleksandr @eclairwolf @trysdyn Yeah, but AUR packages are linked all over the wiki on pretty much every page. I feel like that counts as encouragement
@trysdyn @oleksandr @eclairwolf @livingshredder honestly needing 3rd party repos for that much stuff might be a sign that the official repos need to get better, and at that point it's Arch's fault again

@luana @trysdyn @eclairwolf @livingshredder I'm sure Arch devs would appreciate you applying for being a part of their team to maintain packages you like.

@oleksandr please do not tag me in your arch linux argument thank u

@trysdyn Is the old PKGBUILD for these available anywhere? I'm curious if it was like, obviously running malware.sh in the build script or if it would have required more careful inspection.

I remember the days when everyone used tools like yaourt that would execute code from the package without even giving you a chance to look over it, so the mindset there has always been... lax.

@chamomile All I've heard is the PKGBUILD pulled in a patches repo that was clean at upload then altered after the fact to add a RAT installer script. The repo's been destroyed by Github already and the PKGBUILD is gone.

The patches repo used to be here: https://github.com/danikpapas but yeah, it's glass now.
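The failure mode described above (a source repo that was clean when the PKGBUILD was reviewed, then changed afterwards) is exactly what unpinned sources allow. As an added example that is not part of this thread, here is a small defender-side check that flags PKGBUILD sources whose content can drift after review: VCS sources with no `#commit=` pin, and plain downloads whose checksum is `SKIP`. The PKGBUILD text and every URL in it are constructed for the example; the removed package's real build script is, as the post says, gone.

```python
import re

# Constructed PKGBUILD excerpt for demonstration only; it is not the removed
# package's real build script and the URLs do not point at anything real.
SAMPLE_PKGBUILD = r'''
pkgname=example-browser-patched-bin
pkgver=1.0
pkgrel=1
source=("https://example.invalid/browser-1.0.tar.xz"
        "patches::git+https://github.com/example/patches.git"
        "fix.patch::https://example.invalid/patches/fix.patch")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP'
            'SKIP')
'''

VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+", "fossil+")


def parse_array(text, name_pattern):
    """Return the quoted elements of the first bash array whose name matches."""
    m = re.search(name_pattern + r"=\((.*?)\)", text, re.S)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []


def audit_sources(pkgbuild):
    """Flag sources whose content could change after the PKGBUILD was reviewed.

    Returns a list of (source entry, reason) pairs; an empty list means every
    source is either pinned to a commit or covered by a real checksum.
    """
    sources = parse_array(pkgbuild, r"source")
    # makepkg accepts several checksum arrays; whichever one is present covers the sources
    sums = parse_array(pkgbuild, r"(?:md5|sha1|sha224|sha256|sha384|sha512|b2)sums")
    findings = []
    for i, entry in enumerate(sources):
        url = entry.split("::", 1)[1] if "::" in entry else entry
        checksum = sums[i] if i < len(sums) else "SKIP"
        if url.startswith(VCS_PREFIXES):
            # VCS sources always carry SKIP; only a commit fragment makes them immutable
            if "#commit=" not in url:
                findings.append((entry, "VCS source not pinned to a commit"))
        elif checksum == "SKIP":
            findings.append((entry, "download has no checksum (SKIP)"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_sources(SAMPLE_PKGBUILD):
        print(f"{reason}: {entry}")
```

A pinned `#commit=` fragment or a real checksum makes a later change to the upstream repo or file fail the build instead of silently running, which is the property the altered patches repo exploited.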

@trysdyn I’m surprised this doesn’t happen more often
maybe more malware is better hidden, maybe the oversight kinda works: 2 days between uploading and detection isn’t too long.

they could’ve probably replaced the affected packages with a warning message and/or self removal

Arch Linux AUR Packages For Firefox & Other Browsers Removed For Containing Malware

While the Arch Linux AUR repository can be popular for fetching some packages not found in Arch Linux proper, it's important to keep in mind that AUR stands for the Arch User Repository

@trysdyn you raise a good point on how occasionally lacking the Arch repos are for software that people actually do need. The AUR is a godsend for me but I always used it with the citation that if I fuck up my machine it's my fault. The ArchWiki adding links to many AUR packages feels like encouraging users to use them even though, out of the box, an AUR helper needs to be manually compiled by the user

@sterophonick A lot of people have been asking vee (angrily, sigh) what perfect distro I'd point people to instead that has everything security vetted in main, and that was never the point yeah.

The point is the entire Arch culture is tied up in "Oh just install this from the AUR" because they expect the capability floor to use Arch is high enough that anyone who can get an AUR helper up can read PKGBUILDs, and then they do (somewhat accidental) gatekeeping that enforces that.

But even people who know better are kind of jaded on the process at this point. My only point was to remind people you need to stay aware. The thing that happened here was basically typosquatting; checking if the package you're grabbing is the one with a million installs or 10 woulda helped just as much as inspecting the PKGBUILD.

"Be careful, and if you can't read PKGBUILDs and understand them, yeah I know, that's a cultural problem"; that's it. Yeah.