Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

  • Mactan@lemmy.ml
    16·
    4 hours ago

    To potentially prevent this entire class of npm attacks in the future, you could edit /etc/pacman.conf, uncomment

    # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg   =

    And set it to IgnorePkg = npm

    Your system should prompt you to accept installing npm because it’s in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something’s off and refuse the install. This assumes you don’t already have npm installed or need it for some reason.

    https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

    edit: word is that bun command is being abused as well and may be worthwhile including in the space separated list:

    IgnorePkg = npm bun

    • eldavi@lemmy.mlEnglish
      2·
      4 hours ago

      it’s the way it’s been setup; it needs a thorough revamping to make it as resilient as other supply chains.

      not that other chains are bullet proof, it’s just that npm people need to up their game to be atleast as good as the others.

    • Luckyfriend222@lemmy.worldEnglish
      5·
      6 hours ago

      I too use CachyOS. But i am very new to it. Why are we more ‘protected’ than straight up Arch users? I like Cachy, but have a gripe with how some applications behave, especially Java based Apps, that have a native installer in AUR (not building from source). I have one application that is built in JAVA, and the text is so freaking small, all the pop-up windows open on the wrong place which makes the pointer inaccurate etc. But I digress. The question was more why should we feel more relaxed than the Arch guys and gals?

      • SolarPunker@slrpnk.net
        1·
        1 hour ago

        It’s like having a “double check” from a trusted source, they compile selected stuff from the aur so I suppose it’s a little more safe for the random user.

      • gegil@sopuli.xyz
        1·
        5 hours ago

        This is propably because app does not support fractional scaling. Some apps that does not support fractional scaling will either not be scaled (rendered at native display resolution), or scaled by system (will look blurry because window resolution does not match display resolution).

        • Luckyfriend222@lemmy.world
          1·
          4 hours ago

          That makes sense. What is weird though is the dev wrote the app for multiple platforms, including Debian, RPM-based and a few others. So it not like it is one of those ‘compile only from source and good luck to yah’ kinda apps.

          But thank you for the response. I do appreciate you taking the time!

  • placebo@lemmy.zipEnglish
    15·
    9 hours ago

    attempt to download npm-based payloads during installation

    Why npm and not python? It’s installed on every arch system and wouldn’t bring unnecessary attention 🤷

    • lemmyvore@feddit.nlEnglish
      171·
      8 hours ago

      Because the NPM is a complete mess and it’s super easy to exploit for supply-chain attacks by sneaking malware into one of the billion dependencies required by most popular packages.

      • placebo@lemmy.zipEnglish
        5·
        8 hours ago

        But if you look at some of the packages, they explicitly added npm as a new dependency. It’d be much easier to sneak in a python script.

        • lemmyvore@feddit.nlEnglish
          101·
          7 hours ago

          AUR “packages” are just a recipe file that runs some commands that sources packages from somewhere else and builds them then puts them in the format required by the AUR package manager.

          Normally it’s a source tarball downloaded directly from the project’s Git repo. But it can also fetch and install a binary package (for closed source software). Or it can install Node modules, or Python modules etc.

          Point is, you can’t inject a script directly in AUR itself. You could add the malicious code directly to the recipe file but it would be obvious. You could also download a zip with the malware directly, but it would also be obvious.

          So what they do is add the malware to modules published on another platform, and they’re downloaded indirectly, as a dependency of the Nth grade.

          It’s very hard to detect, you can’t really notice this kind of attack with a glance at the recipe.

      • CommanderCloon@lemmy.ml
        11·
        7 hours ago

        But why would they care about supply chain attacks if they already have hacked into the package you’re requesting? In that case, executing python scripts would be less noticeable

        • lemmyvore@feddit.nlEnglish
          32·
          6 hours ago

          Here’s the AUR recipe (PKGBUILD file) for a random package:

          https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git

          This is a standard format for the recipe. It’s Bash code used to define variables and functions.

          You’ll notice there’s no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would an command that fetches a malware zip from a weird URL.

          Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It’s impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.

          AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.

          • lofi@piefed.socialEnglish
            1·
            2 hours ago

            AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.

    • ghost_laptop@lemmy.ml
      3·
      7 hours ago

      this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit

  • sanpo@sopuli.xyz
    14·
    9 hours ago

    What a terrible article.

    “Multiple” packages mentioned in the title, but they’re unable to actually name more than one in the article…

    //edit
    Actually, they did leave a link to the mailing list thread at the very end.
    I should learn to read the entire article…

    • Bananskal@nord.pubEnglish
      1·
      7 hours ago

      I was wondering why you felt that way 😅 Usually this source produces good content lol

  • MonkderVierte@lemmy.zip
    31·
    9 hours ago

    … how do i make npm generally not work on Linux? I don’t use it and with how attack vectors are the majority of cases via NPM… and can be shipped as a binary to <arbitrary temp location>.
    Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?

    • Destide@feddit.ukEnglish
      5·
      8 hours ago

      sudo {package-manager} remove npm nodejs sudo {package-manager} purge npm nodejs

      npm: sudo tee /usr/local/bin/npm >/dev/null <<‘EOF’ #!/bin/sh echo “npm is blocked on this system.” exit 1 EOF

      sudo chmod 755 /usr/local/bin/npm

      npx: sudo tee /usr/local/bin/npx >/dev/null <<‘EOF’ #!/bin/sh echo “npx is blocked on this system.” exit 1 EOF

      sudo chmod 755 /usr/local/bin/npx

      Might break somethings but that’s a part of boycotting something I guess.

  • vapeloki@lemmy.world
    310·
    7 hours ago

    Maybe, just maybe, and nearly unmoderated repository where everybody can create packages, is not so secure after all? /s

    And AUR is the reason I keep arch miles away from any of my systems.

    • Hemingways_Shotgun@lemmy.caEnglish
      4·
      5 hours ago

      Nobody ever says the AUR is safe. In fact they say specifically that it’s not; for exactly the reasons you mention.

      That’s why it’s the Arch USER Repository. You take your fate in your own hands when you choose to use it.

      As for your comment about using a distro that has everything in the main repo? How so? Every flavour has software that isn’t included in the main repos. For Arch based systems, that means either the AUR or Flatpaks. For Debian based systems, that means adding new repos to your sources, which is exactly as unsafe as the AUR in most cases, or using Flatpaks.

      If you’ve ever added a repo on Ubuntu, than you’ve essentially used their version of an AUR. The end result is no different.

    • Strit@lemmy.linuxuserspace.show
      14·
      7 hours ago

      You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.

      And no one has ever claimed the AUR to be safe.

      • vapeloki@lemmy.world
        11·
        5 hours ago

        True, I also have a choice to use a distro that delivers the software I need in the main repo.

    • Hemingways_Shotgun@lemmy.caEnglish
      1·
      4 hours ago

      Technically there is no such thing as a “completely secure system”

      What Linux offers is the fact that by nature of being FOSS, there are millions of eyes on source code at any one time, and so potential exploits can usually be spotted and mitigated faster than waiting for the software maker to fix their own shit. And the fact that, in most cases with Windows, the call is coming from inside the house, so-to-speak; It’s the operating system itself that is malicious and anti-user.

      To put it simply: Yes…linux can be attacked just like windows. But we live in an open-concept house with no hidden corners, and we’ve got a pretty great neighbourhood watch thing going on. Versus Windows users who live a house filled with cameras and alarms, surrounded by a giant wall that they can’t see over, and they have to rely on the security company to do anything about the burglar trying to get in.

      I’ll take my chances with the community approach every time.

    • juipeltje@lemmy.world
      14·
      9 hours ago

      You run the same risks downloading torrents of games or porn on whatever OS you use. This isn’t really linux related, it’s related to downloading unverified files uploaded by random people online, which is what the aur basically is.

      • Strit@lemmy.linuxuserspace.show
        9·
        8 hours ago

        Which is why users are recommended to audit the PKGBUILD and related files before building and installing the packages. In the end, what happens during the installation of AUR packages are the users responsibility.

    • ghost_laptop@lemmy.ml
      4·
      7 hours ago

      this affects only a fraction of arch users, and it would be impossible for it to work on nix systems for example, on top of that, this is basically npm’s fault

    • scintilla@piefed.zipEnglish
      8·
      8 hours ago

      This is the same as an EXE having an issue and then blaming Microsoft. At least on Linux you have the option to not install from a 3rd party.

      • subOrange@lemmy.world
        14·
        6 hours ago

        Well, but people do blame Windows!

        And there you also have the choice not to install from any source, just the Microsoft Store.