Arch Linux - News: Active AUR malicious packages incident

@archlinux I can hear all of the talk in my head already. "You see, that's why Arch isn't a safe distro to use."

@wchouser3 @archlinux

Debian-based distributions do have something similar, although it isn’t used as extensively as AUR.

The problem is simply that with user-generated package sources.

This applies not only to distributions, but to entire ecosystems.

@sam4000 @wchouser3 @archlinux
No, the problem here is not (only) user-generated packages.

I mean that can be problematic by itself, but this is worse: The specific problem here was that abandoned (orphaned) packages could just be taken over by someone else without any(?) checks.

This means that even if you vetted an AUR package when you first installed it, you can get an infected package from someone else when you update it.

@Doomed_Daniel @wchouser3 @archlinux

Yes, this particular quirk makes AUR genuinely dangerous.

This fundamental trust in the goodness of people stems from a different era of the internet, when everything was still on a smaller scale.

We need to overhaul the security of user-generated content in general.

AND the way we handle abandoned AUR needs to be completely rethought.

@Doomed_Daniel @wchouser3 @archlinux

Abandoned AUR packages should be archived as read-only and should only be taken over by reputable developers or following a manual review.

@archlinux Thanks for the notice!
@archlinux

In case someone needs it, some info:

List of known affected packages - https://md.archlinux.org/s/SxbqukK6IA; it was linked in the gist of a script used to check whether any of them are installed (https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14)

As mentioned in the thread by sodiboo (https://gaysex.cloud/notes/andaxow7itfn05x9), the specific malware that was detected initially is installed via postinstall scripts, may have persistence via systemd services, and steals your credentials (ssh, cookies, etc.). The way the attack was done is not specific to that malware, so some behaviors may have changed when the malicious npm package installed by the malicious PKGBUILD was taken down and the attack switched to another one.

@archlinux thanks for the update. Being open and forward about it is the way to go. Cheers
@archlinux
I DO NOT use arch btw

@archlinux

So, a few questions:
If we have any of these malicious packages installed, what should we do?
Are they patched / downgraded with a quick update?
Do we have to step through a list somewhere and manually remove them?
If so, are there extra steps involved after that?
Thanks.

@archlinux This is probably not the place to offer help - but I haven't figured out how to reach the right people there yet. I believe my OSS project can help with AUR scanning in #archlinux: https://codeberg.org/atomdrift/scan - it'll take some work to drive the false-positives down, but I'm willing to put in the work.

We're already monitoring AUR packages here: https://lab.atomdrift.org/

-- Sincerely, an Arch fan.

@archlinux Thanks for letting us know. It would be good to have a live malicious package list to check on our side if a package was already installed. 👀

@zuru @archlinux Yeah, in case you're still looking, there's this collection of info here: https://github.com/lenucksi/aur-malware-check

I didn't actually pull all this and run aur_check-v2.sh, myself, but just ran the one-liner `comm` command given in this gist: https://gist.github.com/quantenProjects/3f768dce7331618310f016d975bf8547

That threw up one package for me, gdl, installed last year, built by @heftig, so evidently from the days when it was in the main repos and also depended upon by another package.

@miblo @archlinux @heftig Thanks a lot! At the end I checked manually, but that repo looks very useful and I was about to turn on another PC that uses Manjaro, so I'll be checking it. 🙏

@zuru @archlinux @heftig You're welcome! Nice one checking manually.

Yeah, just after replying, I spotted the gist only accounts for those first 480 packages. But we can simply swap out the curl URL for https://raw.githubusercontent.com/lenucksi/aur-malware-check/refs/heads/master/package_list.txt to get the current ~1600-long list.
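The `comm`-based check discussed in the two posts above, written out as an added example (not the thread's one-liner, the gist, or the aur-malware-check repo's own script). It assumes the installed side comes from `pacman -Qqm` and the affected side from the package_list.txt linked above; both inputs here are constructed placeholder names so it runs offline.

```shell
#!/bin/sh
# Added example: compare locally installed foreign/AUR package names
# against a list of known-affected names with comm(1), the approach the
# one-liner in the thread takes. On a real Arch system feed it the output
# of `pacman -Qqm` on the installed side and the downloaded
# package_list.txt on the affected side; here both are constructed inline.
set -eu

# find_affected INSTALLED_FILE AFFECTED_FILE
# Prints package names present in both files, one per line.
find_affected() {
    tmp_i=$(mktemp); tmp_a=$(mktemp)
    # comm requires both inputs sorted under the same collation, so force
    # LC_ALL=C; blank lines and '#' comments are dropped so an annotated
    # list still works.
    sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' "$1" | LC_ALL=C sort -u > "$tmp_i"
    sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' "$2" | LC_ALL=C sort -u > "$tmp_a"
    comm -12 "$tmp_i" "$tmp_a"   # -12: suppress lines unique to either side
    rm -f "$tmp_i" "$tmp_a"
}

# count_affected INSTALLED_FILE AFFECTED_FILE: number of matching names.
count_affected() {
    find_affected "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data standing in for `pacman -Qqm` output and the
# downloaded list; these names are placeholders, not real packages.
demo=$(mktemp -d)
printf '%s\n' 'example-tool-git' 'my-theme' 'helper-bin' > "$demo/installed.txt"
printf '%s\n' '# known-affected (constructed)' 'example-tool-git' 'other-pkg-bin' > "$demo/affected.txt"

hits=$(count_affected "$demo/installed.txt" "$demo/affected.txt")
if [ "$hits" -gt 0 ]; then
    echo "Installed packages on the affected list ($hits):"
    find_affected "$demo/installed.txt" "$demo/affected.txt"
    # A name match only says a package by that name is installed; as the
    # gdl case above shows, check where it came from (e.g. the Packager
    # field of `pacman -Qi <name>`) before drawing conclusions.
else
    echo "No installed package matches the affected list."
fi
rm -rf "$demo"
```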