
Arch Devs Scramble as 400 AUR Packages Infected With Malware

Arch User Repository hit by a large-scale malware campaign, with maintainers racing to roll back malicious commits and lock out bad actors.

If you’re an Arch Linux user, today would not be a good day to download and install packages from AUR. In fact, if I were an Arch user, I think I would wait until someone at Arch gives the all clear on the distro’s mailing list — or at least give it a few days, if that doesn’t happen.

Even then, I would “trust, but verify,” which is recommended standard operating procedure when using AUR anyway: its packages come from community committers rather than Arch’s own packagers, which makes the repository a bit of a wild west town.

By now, you’ve probably figured out, if you didn’t know already, that AUR is a community repository for Arch Linux. It holds PKGBUILD build scripts contributed by Arch users (not prebuilt binary packages); tools such as makepkg run those scripts on your machine to produce the pacman packages you install, which is exactly why a malicious script is dangerous. Some obnoxious black hat crackers have seeded it with malware-laced packages. More than 400 compromised packages have been found, and since yesterday maintainers have been working to set things right.


“We’re working hard to reset/delete all malicious commits and ban the accounts,” Arch packager Jonathan Grotelüschen said on an email thread set up to keep users informed. “If you find more malicious packages, please send them as a reply to this email to keep them all in one thread.”

The good news for Arch Linux users is that only the AUR is affected. Packages from the official Arch Linux repositories remain good to go.
