Thankfully I’m clear, but I am guilty of haphazardly installing junk from the AUR, I should clean that up and uninstall everything but the stuff I really use.
Yeah, when I was using Arch I was also an AUR junkie. If this was happening back then I know I would have 100% been screwed.
Currently you can use https://github.com/lenucksi/aur-malware-check to do a check if you’re infected. My main server was safe, still haven’t tested on my wayland machine though, I went yolo with that one. No important keys at least are there.
I don’t use arch, btw.
This must be fake news because several hundred people told me there is no malware on Linux.
How did this happen? The linked thread shows people identifying the infected packages and cleaning them up, but no word about how it happened or how to prevent it.
I think it was essentially orphaned stuff that got “picked up” by a “new maintainer” and that’s how it happened.
oh I saw “clang” in the list of packages and got worried
You’re only affected if you use the AUR. As far as I understand it, the core packages themselves are fine, so this is more of a MitM attack, where somebody compromised the package download streams.
This is not a MitM attack.
How is it not? They didn’t take over the core projects, they took over the midstream distribution.
A MitM attack defines the attack technique, not the target. It’s when the target wants to connect to something but it connects through you first, and you forward while collecting/altering data. My question was about the attack used. But yeah, a mass takeover of everything orphaned would do it.
These guys are slacking! Didn’t they read the RFC for this?
https://www.rfc-editor.org/info/rfc3514/ https://en.m.wikipedia.org/wiki/Evil_bit
Amateurs!
Definitely a few unfortunate victims to stuff like libyami if using some sort of shell autocomplete. Few others would likely catch younger people, eg the implied apk side channel deployment packages.
Does a Linux Mint-using idiot need to worry about this, hypothetically speaking?
This pertains to Arch’s AUR (Arch User Repository). On Mint, nothing you do will interact with the AUR, so you’re perfectly fine.
thank you!
Generally not. The AUR stands for Arch Linux User Repository. It’s their repo. Unless added as a source manually, you will never see a package from it.
thank you!
I wonder if a SteamDeck could somehow get infected this way…
That would surely be a rather unlikely scenario but it’s interesting.
Highly likely, actually. SteamOS is Arch-based, and if a user installs things through the AUR on their deck (like a password manager or a VPN that isn’t part of the official upstream repo), then it would be infected exactly the same as any other Arch-derived OS.
O deer