For those who only have a few AUR packages installed, if you looked at the list and are still concerned, you can view the changelog at
https://aur.archlinux.org/cgit/aur.git/log/?h=yourpackagenamehere. If it was secretly malicious but got missed, you’d see it there.
I use malware, BTW.
I bet it’s NPM
(Checks list)
Yep, it’s NPM
If this was 10 years ago I’d change my profile picture on Facebook to mark myself safe from the AUR malware.
Oofta, like this is so vexing… Shows that Linux is getting a bit too much attention these days. I don’t use the AUR specifically, just Chaotic-AUR and Extra, still ran that Fish script on Garuda Linux in case something snuck into my PC. The PC is clean as a whistle, thankfully. Malicious actors can get fucked for all the grief they cause and the ruining of the good times of Linux enjoyers!
So 0.28% of the 140’000 packages?
Seems like not that much.
How many malicious packages are on Google's Play Store?
I agree that that isn’t a lot of packages but it matters more which packages were compromised. Some random package like ten people have installed? Who cares. yay or spotify? We might have some problems.
Edit: after looking at the list some look fairly concerning. I’d definitely be doing a diff on my packages and the list of the compromised packages if I used Arch, btw.
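The diff the comment above describes, as an added worked example that is not from the thread or any commenter: it lists the locally installed foreign packages (on Arch, `pacman -Qqm` prints packages not found in any enabled repo, which is where AUR builds land) and intersects them with a list of package names reported as compromised. The flagged list here is constructed placeholder data, not the real advisory list; `find_flagged`, `count_flagged` and `installed_foreign_packages` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): intersect locally installed foreign (AUR)
# packages with a list of package names reported as compromised.
# Package names below are constructed sample data, not real findings.
set -eu

# find_flagged INSTALLED_FILE FLAGGED_FILE
# Each file holds one package per line, optionally followed by a version
# ("name 1.2-3"); only the first field (the name) is compared.
# Prints the sorted names present in both files, one per line.
find_flagged() {
    awk 'NR == FNR { flagged[$1] = 1; next }
         ($1 in flagged) { print $1 }' "$2" "$1" | sort -u
}

# installed_foreign_packages: packages not found in any enabled repo, which on
# Arch means AUR or manually built packages. Uses pacman -Qqm when pacman is
# present; otherwise emits a constructed sample so the script runs anywhere.
installed_foreign_packages() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qqm
    else
        printf '%s\n' yay example-aur-tool spotify
    fi
}

# count_flagged INSTALLED_FILE FLAGGED_FILE: number of matches, for scripting
count_flagged() {
    find_flagged "$1" "$2" | wc -l | tr -d ' '
}

main() {
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT

    installed_foreign_packages > "$tmpdir/installed"

    # Replace this constructed list with the published list of compromised
    # packages (placeholder names; nothing here is taken from a real advisory).
    printf '%s\n' 'spotify' 'some-unrelated-pkg 0.1-1' > "$tmpdir/flagged"

    if [ "$(count_flagged "$tmpdir/installed" "$tmpdir/flagged")" -eq 0 ]; then
        echo "No installed foreign package appears on the flagged list."
    else
        echo "Installed packages that appear on the flagged list:"
        find_flagged "$tmpdir/installed" "$tmpdir/flagged"
    fi
}

main "$@"
```

Comparing names rather than full `name version` strings keeps the check working when the advisory lists bare names while `pacman -Qm` prints versions; a match only tells you a package with that name is installed, so the next step is the PKGBUILD and cgit history check from the top of the thread, not an automatic removal.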
Unfortunately for some, it’s 100% of the 400 packages they use
Every time I’ve had an arch distro (not often as I prefer to avoid them) and go to install from the AUR, I get to the point of checking the PKGBUILD and think “oh yeah, forgot about this” and just abort.