On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
The affected malicious packages are:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.
We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.
Follow up
There are more packages with this malware found.
minecraft-crackedttf-ms-fonts-allvesktop-bin-patchedttf-all-ms-fonts
What to do
If you installed any of these packages, check your running processes for one named systemd-initd (this is the RAT).
The suspicious packages have a patch from this now-inaccessible Codeberg repo: https://codeberg.org/arch_lover3/browser-patch
The Arch maintainers have been informed of all this already and are investigating.
this is going to increase in frequency as linux gains popularity
I use Debian btw
This is why I felt uncomfortable when I first switched to Linux and kept reading that I didn’t need to worry about viruses as long as I didn’t click on dodgy links and only installed from trusted sources. I’m sure I’m betraying my lack of security knowledge here, but that always seemed a bit too easy.
@DirkMcCallahan @Tundra The AUR isn’t a trusted source, but most of the the Arch cult forget to mention that.
Half the posts on the Internet are people replying to requests for help with the message “read the wiki, the aur isn’t a trusted source, dummy”
Why do we have the AUR anyway?
It’s super useful as long as you understand that it is just a big bucket of scripts that just anybody can push
Because it’s convenient and a good way to start to write PKGBUILDs quickly without becoming a proper package maintainer.
Isn’t that like how alpinelinux’s community repository works too?
The “Arch cult’s” holy book, the ArchWiki, states the following pretty clearly:
Mention of one’s use of the AUR for their needs doesn’t need to come with a disclaimer.
People who don’t read or don’t use their brain are going to keep not doing so, regardless.
Arch is not responsible for idiots.
deleted by creator
At the very least aur must verify you are associated with the domain name of the project, same as flathub.
that would literally defeat the entire purpose of the AUR
flathub still allows unverified submissions which is what I proposed. So, no, it wouldn’t.
AUR is the place for unverified submissions. The verified stuff typically ends up in the main repos.
That’s not at all how it works.
It is. Aur isn’t even officially supported by arch. You use it at your own risk, with the advantage being that pretty much everything is in it.
The AUR, key words “user repository” is a specific weak point. It doesn’t have the same level of oversight that the main arch repo has. Stick to main repos and verified flatpaks and it’s very unlikely that you’d ever be compromised.
Linux isn’t perfect, but it’s certainly better than windows where you just download executables willy nilly to install your software.
BTW python’s package index has roughly the same problem - but a far less technical, experienced and critical user base. NPM has this problem since years.
Expect these problems to rise with every percent more of new Linux users which never learned the difference between opening / viewing untrusted data, and running untrusted code, because Windows basically ignores this essential concept and Android tries to solve that with sandboxing each app.
That is sound advice, the AUR is most definitely not a trusted source though. For the normal arch repos the people who put the stuff there are known, they work for the project, you’re as likely to get malware from one of those as you are to read an article bashing gamespot in gamespot, the people in charge of putting the packages there are the ones with more vested interest in things working so they won’t knowingly introduce malicious code (plus it’s a handful of people who know each other by first name).
The AUR is a different story, because anyone can put stuff there it’s very easy to have malicious code end up there. It doesn’t happen that often because most of the time it’s fairly obvious and it gets flagged straight away, plus if people start doing that people will migrate away from the AUR, so it’s a high risk low reward situation. But as more and more people start to use Arch derivatives that come with the AUR enabled without understanding any of this it becomes a more rewarding thing to exploit.
like git repositories, AUR in its name itself says what it is, a User repository. its trust like repositories is fully based on how much you trust the user who uploaded it
In fact, most PKGBUILDs just clone git repos and build them
Yeah i think the aur is pretty much completely source based, with the exception of bin packages where they pull down a precompiled binary.
Yeah. The I’m A Mac crowd had the same problem… god damn it, two or three decades ago.
As market share increases, platforms become a much bigger target for malware. And a lot of the “I don’t need to run virus scans” crowds learn the hard way.
Its the same with open source. Obviously NOBODY around here would parrot this bullshit, but there is the idea that because something is FOSS it is safe. Code is only as safe as code review and there have been a few high profile cases of social engineering to get malicious code past even fairly rigorous review. Let alone “Well, that script is FOSS so somebody probably reviewed it” that we see so often.
Only for distributions which don’t do reproducible builds and require full and complete corresponding source code under an FSF approved license.
If you choose to download binary blobs, good fucking luck.
As if everyone were to read every single line of source code, though. This just increases the chances of it being discovered.
you don’t need to read every line if you trust your package maintainers
True, but AUR isn’t official but provided by other users
Or if a handful of paranoid people read the code for a distribution and publicly discuss everything that they find (it only would take 12 crazies in the whole world)
True