Ah cool, Arch Linux had another oopsie-whoopsie that was only communicated on the mailing lists.

They found malware on the AUR. Reminder that anyone can put stuff on the AUR and when an AUR client offers to let you inspect the package build scripts, it's because it's no one's job to make sure the package is safe.

"But people tell me to install stuff off the AUR all the time and I'm no dev that can understand these scripts" -- Yup! This is one of Arch's primary problems. It's why they make it non-trivial to bootstrap into getting stuff off AUR to begin with, but that's not enough when 98% of Arch users need something off it.

Weh.

[SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware - Aur-general - lists.archlinux.org

@trysdyn Is the old PKGBUILD for these available anywhere? I'm curious if it was like, obviously running malware.sh in the build script or if it would have required more careful inspection.

I remember the days when everyone used tools like yaourt that would execute code from the package without even giving you a chance to look over it, so the mindset there has always been... lax.

@chamomile All I've heard is the PKGBUILD pulled in a patches repo that was clean at upload then altered after the fact to add a RAT installer script. The repo's been destroyed by GitHub already and the PKGBUILD is gone.

The patches repo used to be here: https://github.com/danikpapas but yeah, it's glass now.
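The two weak points the thread describes are a source array that follows a mutable branch of someone's patches repo, and build steps that fetch things outside of makepkg's checksum step. The script below is an added example (not from any poster, and not Arch or AUR tooling) of a pre-build check that flags both patterns in a PKGBUILD; the sample PKGBUILD and its `example.invalid` URLs are constructed, and the array/function parsing assumes the ordinary bash syntax makepkg expects.

```python
"""Flag mutable or unverified sources in a PKGBUILD before building it.

Added example, not the advisory's PKGBUILD (which has been removed) and not
AUR helper code. Assumes bash-style source=() and *sums=() arrays.
"""
import re
import shlex

VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+", "fossil+")
SUM_KEYS = ("sha256sums", "sha512sums", "b2sums", "md5sums", "sha1sums", "cksums")
FETCH_CMDS = re.compile(r"\b(curl|wget)\b")

# Constructed sample, not the real malicious package's build script.
SAMPLE_PKGBUILD = r"""
pkgname=example-patched-bin
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.xz"
        "patches::git+https://example.invalid/someone/patches.git"
        "pinned::git+https://example.invalid/someone/pinned.git#commit=0123456789abcdef0123456789abcdef01234567")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP'
            'SKIP')

prepare() {
    cd "$srcdir"
    curl -o extra.patch https://example.invalid/extra.patch
    patch -p1 < patches/fix.patch
}
"""


def parse_array(text, name):
    """Return the entries of a bash array assignment such as name=(...)."""
    m = re.search(r"^\s*" + re.escape(name) + r"=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    return shlex.split(m.group(1))


def source_url(entry):
    """Strip the optional 'localname::' prefix from a source entry."""
    return entry.split("::", 1)[1] if "::" in entry else entry


def audit_pkgbuild(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sources = parse_array(text, "source")
    sums = []
    for key in SUM_KEYS:
        sums = parse_array(text, key)
        if sums:
            break
    for i, entry in enumerate(sources):
        url = source_url(entry)
        is_vcs = url.startswith(VCS_PREFIXES)
        checksum = sums[i] if i < len(sums) else None
        if is_vcs:
            # A commit hash is the only reference upstream cannot quietly move.
            if "#commit=" in url:
                pass
            elif "#tag=" in url:
                findings.append(f"source[{i}] is pinned only by tag, which upstream can move: {url}")
            else:
                findings.append(f"source[{i}] is a VCS checkout that follows a branch/HEAD: {url}")
        if checksum is None:
            findings.append(f"source[{i}] has no checksum entry at all: {url}")
        elif checksum == "SKIP" and not is_vcs:
            findings.append(f"source[{i}] is a plain download with checksum SKIP: {url}")
    # Fetches inside build functions bypass source=() and makepkg's integrity check.
    for func in re.finditer(r"^\s*(\w+)\s*\(\)\s*\{(.*?)^\}", text, re.S | re.M):
        name, body = func.group(1), func.group(2)
        for line in body.splitlines():
            if FETCH_CMDS.search(line) and not line.strip().startswith("#"):
                findings.append(f"{name}() fetches over the network: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(finding)
```

Run it against a PKGBUILD before `makepkg`: a git source with `#commit=` plus `SKIP` is the normal, acceptable pattern (the hash is the integrity check), while a bare `git+https://...` source is exactly the shape that lets a repo be cleaned up for upload and poisoned afterwards.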