I did two nights ago, but it doesn’t mean you got infected, necessarily. Packages got compromised at different times, so check your update history.
I did and it returned two hits for clang19 and compiler-rt19. They were on my PC for about a month from March to April. I’m not gonna lie, I don’t even know what those are, probably a dependency for something.
Fortunately they installed from the official repos according to my log. So I think I’m ok.
Check this to be (more) sure:
https://github.com/lenucksi/aur-malware-check
(And obviously don’t trust me either, check the .sh with your eyeballs too).
Amongst other things, it checks the history of your installs/uninstalls, so it takes the date into account. Hence I had installed graalvm, but fortunately it was never updated in the compromised window.
Yeah I’ve run a few, including that one. Also manually checked all my AUR packages against the list and there are a few that are close, but not explicitly called out. Like filebot47 is an orphaned package and was called out as malicious, but I have regular filebot which is (I hope) ok. It seems the attackers were taking over orphaned packages and claiming themselves as a maintainer, which they were automatically granted after 2 weeks. I understand the idea of being able to contribute and work together in the Linux development world but this can be a recipe for disaster if left unchecked. It sucks people will take opportunities like this to inflict some real harm.
The only AUR packages I have are some of the more popular ones, and it’s only because that’s the only place I saw them available. I might look and see what I can install via flatpak if not in the official repos from now on.
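The date-window check the two posts above describe (which packages were installed or upgraded while the AUR packages were compromised, and do any of them appear on the published list) is easy to reproduce by hand. The script below is an added example written for this thread; it is not code from the thread or from the linked aur-malware-check repository. The log lines and the suspect list are constructed stand-ins, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread or of aur-malware-check): scan a pacman
# log for packages touched inside a date window and intersect them with a list
# of package names you consider compromised. Function names are assumptions.

# Constructed sample of /var/log/pacman.log lines, in pacman's own
# "[ISO-8601 timestamp] [ALPM] <event> <pkg> (<version>)" format.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
[2025-02-20T09:10:11+0000] [ALPM] installed graalvm (21.0.2-1)
[2025-03-12T10:23:45+0000] [ALPM] installed clang19 (19.1.7-1)
[2025-03-12T10:23:46+0000] [ALPM] installed compiler-rt19 (19.1.7-1)
[2025-03-30T18:00:00+0000] [ALPM] upgraded filebot47 (4.7.9-1 -> 4.7.9-2)
[2025-04-15T08:00:00+0000] [ALPM] removed clang19 (19.1.7-1)
[2025-05-02T12:00:00+0000] [ALPM] upgraded filebot (5.1.3-1 -> 5.1.4-1)
EOF

# Constructed list of package names to check against, one per line
# (a stand-in for the real published list of compromised AUR packages).
SUSPECT_LIST="$(mktemp)"
printf '%s\n' filebot47 graalvm >"$SUSPECT_LIST"

# events_in_window LOG START END
# Prints "package event date" for every install/upgrade/reinstall whose date
# falls within [START, END]. ISO dates sort lexically, so string compare works.
# Removals are deliberately not counted: they cannot have pulled in new code.
events_in_window() {
  awk -v lo="$2" -v hi="$3" '
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
      ts = substr($1, 2, 10)          # strip the leading "[" and keep YYYY-MM-DD
      if (ts >= lo && ts <= hi) print $4, $3, ts
    }' "$1"
}

# suspect_events_in_window LOG START END LISTFILE
# Same as above, filtered to package names present in LISTFILE.
suspect_events_in_window() {
  events_in_window "$1" "$2" "$3" | awk -v list="$4" '
    BEGIN { while ((getline name < list) > 0) bad[name] = 1 }
    $1 in bad'
}

# count_suspect_events LOG START END LISTFILE -> number of matching events
count_suspect_events() {
  suspect_events_in_window "$@" | wc -l | tr -d ' '
}

# Demo run over the constructed data.
echo "All install/upgrade events between 2025-03-01 and 2025-04-30:"
events_in_window "$SAMPLE_LOG" 2025-03-01 2025-04-30
echo "Of those, on the suspect list:"
suspect_events_in_window "$SAMPLE_LOG" 2025-03-01 2025-04-30 "$SUSPECT_LIST"
```

Against a real system, point it at `/var/log/pacman.log` and the published list. Note that an exact name match on the log alone is not the whole check: the log does not record which repository a package came from, so pair this with `pacman -Qm` (which lists foreign packages, i.e. anything not from a configured repo, which on Arch is mostly AUR builds) to tell an official-repo `clang19` apart from an AUR package of the same name.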
It seems the attackers were taking over orphaned packages and claiming themselves as a maintainer, which they were automatically granted after 2 weeks.
Oh yeah. That’s not going to work anymore.
I think it’s just the cycle of enshittification from grifters. Once exploiting an ecosystem is “en vogue” in those malicious actor circles, users kinda just have to lock it down and/or migrate to another, as this is going to keep happening now.
Hence the AUR is not going to run on “reasonable goodwill” anymore. It can’t. That period is over.
I dunno what that means for Arch… maybe better flatpak integration? Or more app packaging in trusted upstream projects (like CachyOS in my case).
I’ve been doing a lot of reading online tonight about this whole ordeal. Someone mentioned CachyOS “makes it easy to install apps” or something in that vein as in it utilizes one click solutions for installing, so to speak. If these point to the AUR without checks and balances then yeah I could see that being quite a disaster.
I’m not sure I follow what you mean about better flatpak integration. Arch and flatpak play pretty nicely together as it is. It’s just my experience that a lot of the more random and niche software I want is only available via the AUR and not flatpak.
Ultimately though, the AUR is the arch user repository. As in, it’s maintained and contributed to by users, not the Arch Linux team that develops the distro. They provide plenty of warnings about using it at your own risk, and while it’s certainly a big part of the appeal for the distro, it’s no surprise that something that’s basically the wild West will get a little unruly at times.
I am away from my CachyOS desktop for tonight, but I’ve never seen an “AUR GUI” like Manjaro was notorious for pushing.
They do build some AUR packages themselves and put them on the official repository. One of them is Paru, yeah, but it’s not a default.
But I think the “installing apps” thing is Flatpak. I don’t use any flatpaks at the moment, so don’t quote me on that until I check later.
All that a flatpak is is a distro-agnostic release of a package. They contain all the binaries and libraries to run on any distro. They’re also sandboxed from the rest of your OS unless you give them permission to interact with it. Being that they contain everything for all of Linux means slightly larger file size, but that’s not so much of a problem as it was in the old days.
I install flatpaks via terminal, same as I do for official repos stuff and the AUR. I was never a fan of GUIs for really anything on Linux other than my file browser, but especially not for updating or installing packages. There are too many prompts and dependencies.
The separate libs are indeed my concern.
I like using my optimized system packages. I like how they’re all built against each other, especially for some things where performance depends on certain libs.
But, probably more importantly, my OS partition gets pretty tight, and I want to reduce duplicated libs where possible. I could probably do something about that (like put Flatpak on a separate drive), but I guess I also have a bad experience with docker taking tens or even hundreds of gigabytes and tons of RAM for simple projects.
EDIT: …I didn’t mean to go on an anti-flatpak rant. I’ve used it on other systems. TBH I might try it soon, but most everything I need is in my distro repo anyway. Or something I install/build manually.