this post was submitted on 12 Jun 2026
428 points (100.0% liked)

Technology

85463 readers
3926 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
428
400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers (cybersecuritynews.com)
submitted 3 days ago by rafssunny@lemmy.zip to c/technology@lemmy.world
130 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] RedditRefugee69420@lemmy.world 2 points 1 day ago* (last edited 1 day ago) (1 children)

Tons of clawing at each other's throats in the comments here, largely declaring one another retarded for their use or misuse of AUR or thanking their lucky stars that none of their packages are on the list (so far), but not much that's helpful for those less fortunate. Maybe nobody's saying anything to that end because the article already covered it, but this is the second out of two times I've visited cybersecuritynews.com and been stuck in an "Are you a bot?" loop that never ends no matter how much of my browser's safeguards I peel off.

Here's what steps I did so far, based on following the links I found in this thread (especially the GitHub comments under one of the links):

  1. pacman -Qm in console yielded a list of all the AUR packages that are installed on the system

  2. CTRL+F the results one-by-one in the apparent most up-to-date list: https://md.archlinux.org/s/SxbqukK6IA

  3. I have one on that list, specifically wine-nine, so I ran bat --style header,snip,changes /var/log/pacman.log | grep wine-nine which yielded the following (at the bottom of a very long list of apparent updates I've run since installing the OS):

[2026-06-05T20:37:06-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-07T21:50:58-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-08T20:56:54-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-09T21:38:44-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-10T21:58:52-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

(Like a good little Arch user I've been updating pretty frequently)

  1. Now what?

I saw something that said "check for suspicious processes running as root" but I have no idea what that would look like.

I saw something that said I need to redo all of my passwords and tokens. Any way to check if that's necessary or should I just assume I've been pwn3d?

In using pacseek I think I've discovered wine-nine hasn't been modified in the AUR since "2024-12-07 - 15:18:31 (UTC)" so can I relax a bit? I'm currently going through my list of AUR packages and deciding whether or not I need them as badly as I originally thought. Sadly my distro is one of those that decided to lean on AUR, because most of my list (apart from two) I don't recognize as something I've installed myself.

pacseek would not let me remove the following AUR packages (which thankfully are not in the list (yet)):

:: removing electron41-bin breaks dependency 'electron41' required by deltachat-desktop - an encrypted chat application I installed (not via AUR) I suppose I could find an alternative for

:: removing electron41-bin breaks dependency 'electron41' required by freetube - a YouTube frontend I installed (not via AUR) I suppose I could find an alternative for

:: removing libsoup breaks dependency 'libsoup' required by webkit2gtk - no idea what webkit2gtk is

I only just now realized that chaotic-aur is probably just as problematic as AUR, both in my decision to use packages at all as well as my searching the list of compromise packages, yes? I have tons more packages under that, most of which I think came with the OS.

[–] Crozekiel@piefed.zip 1 points 10 hours ago

Chaotic is not just as problematic, thankfully. They have systems in place to flag suspicious changes for human review before letting them out and it has, so far, prevented them from shipping any compromised updates.

I thankfully hadn't updated anything from the AUR for a couple of months (it doesn't happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn't need any of them... So I now have zero AUR packages on either of my systems.

[–] misterrabbit@lemmy.world 40 points 3 days ago (3 children)

Been saying for years that people need to stop treating the AUR like a repo, when it's more akin to curl installscript.sh | bash.

[–] HaraldvonBlauzahn@feddit.org 10 points 2 days ago* (last edited 2 days ago) (1 children)

So, better to use a safe language, and use

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh
  • right??

(I copied that from https://rust-lang.org/tools/install/ just a second ago....)

load more comments (1 replies)
[–] goatinspace@feddit.org 13 points 3 days ago

Some packages pull files from personal dropbox...

[–] Cethin@lemmy.zip 5 points 2 days ago (1 children)

But it is a repo. It's just an unofficial one. I don't know how you use it without understanding this. It's not far from perfect, but it is useful.

[–] gergolippai@lemmy.world 7 points 2 days ago

the problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. and the user will unavoidably "trust" it (especially when it's listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.

[–] KssioAug@lemmy.dbzer0.com 8 points 2 days ago (1 children)

I was starting to get too confident in AUR. Thankfully I wasn't affected. Just replaced all possible AUR packages to their respective Arch and Flatpak alternatives, with exception of very few or from the ones I had no option. But will definitely check before updating them, and will only install AUR packages as a last resort.

[–] HaraldvonBlauzahn@feddit.org 3 points 2 days ago* (last edited 2 days ago) (1 children)

Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.

[–] Jason2357@lemmy.ca 1 points 1 day ago (1 children)

Thats like nix packager, right? Looks interesting to layer on top. Says they are all reproducible builds which is nice.

[–] HaraldvonBlauzahn@feddit.org 3 points 1 day ago* (last edited 21 hours ago)

Yes, Guix is initially a clone of Nix and has still remains of shared code (the build daemon).

Differences:

  • Guix packages are defined in a Scheme dialect called Guile, a nice minimal functional language
  • Guix was created as a GNU project and stresses the importance of free software with strong copyleft
  • strong focus on long-term reproducibility and capability of tracking the sources
  • everything is built from source
  • very good and well organized documentation
[–] Lord743@lemmy.world 12 points 2 days ago* (last edited 2 days ago)

1500+ now https://md.archlinux.org/s/SxbqukK6IA

[–] Tetsuo@jlai.lu 84 points 3 days ago (1 children)

I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.

I'm hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.

I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it's safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that's at least a positive.

[–] yesman@lemmy.world 81 points 3 days ago* (last edited 3 days ago) (9 children)

The article has instructions to do exactly that.

Users who regularly install AUR packages should take the following steps immediately:

Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages

Audit recent PKGBUILD history for any packages installed between June 10–12, 2026

Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed

Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit

Consider using AUR helpers with PKGBUILD review prompts enabled by default.

The Checklist of infected packages

[–] Tetsuo@jlai.lu 28 points 3 days ago* (last edited 2 days ago) (19 children)

Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package... Plus it's 400 package so that's a lot of things to check and plenty of space to miss one package by manually checking.

But I get it I'm lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are "infected".

Edit : thanks for the numerous script sent as reply ! But I'm all set now, thanks !

[–] bigbangdangler@reddthat.com 34 points 3 days ago (3 children)

It took Arch ~19 years just to get archinstall.

Something tells me there won't be a script.

[–] daggermoon@piefed.world 13 points 3 days ago

The link is a script

load more comments (2 replies)
[–] CaptDust@sh.itjust.works 23 points 3 days ago* (last edited 3 days ago)

CachyOS community seems to have a detection script, I have not vetted this run at your own discretion.

https://discuss.cachyos.org/t/aur-compromised-400-packages-affected-20260611/31040

[–] wonderingwanderer@sopuli.xyz 5 points 2 days ago

It's at the bottom of the doc:

echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..."
echo

found=()
for pkg in "${INFECTED_PKGS[@]}"; do
    if pacman -Qi "$pkg" &>/dev/null; then
        found+=("$pkg")
    fi
done

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do
        echo "  - $pkg"
    done
fi

Not sure why it uses -Qi instead of -Qm since there's no point in scanning pacman packages, but I'm no expert

load more comments (16 replies)
load more comments (8 replies)
[–] Cease@mander.xyz 14 points 2 days ago (3 children)

I think a lot of people are confusing what the AUR actually IS. It is NOT the official package repository used by Archlinux - it's more like a bunch of community install scripts for stuff that isn't officially supported yet - for popularity or other reasons.

So for all those people complaining and saying "debian does it better" it's very likely that you would not even HAVE a package to install and would have to come up with a build script on your own - the AUR allows you to skip this and instead just verify that the script itself isn't malicious, which is usually fairly obvious.

A lot of people here seem to be under the impression that all of this effort should be abstracted for them - but that's what you chose when you left windows - a system that you control intimately with a necessitation to actually do some upkeep yourself because a giant company isn't doing it for you.

In other words. RTFM and stop expecting other people fix all your problems for you, because that's exactly how windows got to how it currently is.

[–] ExLisper@lemmy.curiana.net 6 points 2 days ago (2 children)

it’s more like a bunch of community install scripts for stuff that isn’t officially supported yet - for popularity or other reasons.

I'm looking at the list of affected packages and many of them are in official debian repos. Isn't the issue then that the official Arch repositories don't have many packages and people have to use less secure sources? That still sounds like an Arch issue to me.

load more comments (2 replies)
[–] Jjakef96@lemmy.world 2 points 2 days ago (2 children)

I haven't been on my PC that much this week, just Friday night. And our D&D group uses Discord so I needed to make sure it was up to date to ensure it would run. I typically just do a, "sudo pacman -Syu" and that seems to update what I need.

If that is the only thing I did with the PC during this window, is there any concern?

[–] flop_leash_973@lemmy.world 3 points 2 days ago* (last edited 2 days ago)

Probably not. The article says that most of it seems to have come from orphaned stuff in the AUR that the threat actors took ownership of via the legit process, then modified to pull down malicious NPM packages when someone went to install them.

So if your Discord package is well maintained you probably have nothing to worry about.

[–] Lord743@lemmy.world 2 points 2 days ago* (last edited 2 days ago)

Nah, you're fine the Discord package(https://archlinux.org/packages/extra/x86_64/discord/) is in the official repo and it was not affected at all. The only people who should worry are those using AUR helpers to install packages without checking the PKGBUILD

load more comments (1 replies)
[–] snugglesthefalse@sh.itjust.works 1 points 1 day ago

Yeah I had a mild panic before realising that I haven't actually used aur for anything yet

[–] xthexder@l.sw0.com 6 points 2 days ago (1 children)

Not even having npm installed as a system package feels like a personal win right now. I'd like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it's been the source of most of the recent CVEs I'm hearing about.

load more comments (1 replies)
[–] lazylemons@lemmy.today 20 points 3 days ago (4 children)

I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don't have too many issues from this!

load more comments (4 replies)
[–] mathers@l.mathers.fr 4 points 2 days ago
load more comments
view more: next ›