Boosted by brib@bribstodon.xyz ("brib :neofox_floof: :Nonbinary:"):
brib@bribstodon.xyz ("brib :neofox_floof: :Nonbinary:") wrote:
@colinstu @qwertviop Yeah, there's been a fairly serious supply chain attack on the AUR. Unmaintained packages are getting taken over by bots and malicious commits are being pushed to them.
Affected packages will attempt to install the npm package atomic-lockfile, which is literal malware (https://socket.dev/npm/package/atomic-lockfile); it runs a postinstall script that runs and persists an infostealer. There are apparently rootkit capabilities too.

The maintainers are attempting to restore the packages as fast as they can, and the way they're doing that is by force-pushing clean branches. So the commits get hidden from the source tree (although you can see them if you navigate to the commit hash directly).
~~NPM (helpfully) have not taken down the package despite getting malware reports.~~ EDIT: Looks like they have done that.
In the meantime I highly recommend turning off any auto-update features which use the AUR (which is generally recommended practice anyway). If you have to use the AUR, scan the package files carefully before installing. Look out for anything which suddenly adds npm (EDIT: or bun) as a dependency or tries to install the malicious package.
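The manual check the post recommends (look for npm or bun appearing as a dependency, or an install of the named malicious package) can be scripted so it runs over every PKGBUILD in a local AUR checkout before anything is built. The script below is an added example and is not part of the post or of any AUR tooling; the two sample PKGBUILDs it writes are constructed for illustration and are not real AUR packages, and the pattern list is a starting point, not a complete indicator set.

```shell
#!/bin/sh
# Added example, not from the original post: scan PKGBUILD and *.install
# files for the indicators described above (npm/npx/bun pulled in, or an
# install of the "atomic-lockfile" npm package) before building anything.

# Indicators to flag. Comments are stripped before matching, so a package
# that merely mentions "bun" in a comment is not reported. The word-boundary
# classes exclude letters, digits and underscore only, so "bun-bin" is
# flagged while "ubuntu" or "bundle" is not. Heuristic: "#" inside a string
# or in ${#var} also gets stripped, which can only cause a miss, not a
# false positive.
INDICATOR_RE='atomic-lockfile|(^|[^A-Za-z0-9_])(npm|npx|bun)([^A-Za-z0-9_]|$)'

# scan_pkgbuild FILE
# Prints "FILE: clean" or "FILE: SUSPICIOUS" followed by the matching lines
# with their line numbers. Returns 0 when clean, 1 when anything matched.
scan_pkgbuild() {
    pkgfile=$1
    # sed keeps every line (only emptied), so grep -n line numbers stay
    # aligned with the original file.
    hits=$(sed 's/#.*$//' "$pkgfile" | grep -nE "$INDICATOR_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s: SUSPICIOUS\n%s\n' "$pkgfile" "$hits"
        return 1
    fi
    printf '%s: clean\n' "$pkgfile"
    return 0
}

# scan_tree DIR
# Scans DIR/*/PKGBUILD and DIR/*/*.install (the layout of a directory of
# cloned AUR packages, e.g. an AUR helper's cache). Returns 1 if any file
# was flagged, 0 otherwise.
scan_tree() {
    root=$1
    tree_status=0
    for f in "$root"/*/PKGBUILD "$root"/*/*.install; do
        [ -e "$f" ] || continue          # unmatched glob
        scan_pkgbuild "$f" || tree_status=1
    done
    return $tree_status
}

# write_samples DIR
# Writes two constructed PKGBUILDs (assumed, not real packages): one clean,
# one with the kind of change the post warns about.
write_samples() {
    sdir=$1
    mkdir -p "$sdir/clean-pkg" "$sdir/hijacked-pkg"
    cat > "$sdir/clean-pkg/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
depends=('glibc')
# bun is only mentioned in this comment, which must not count as a hit
build() { make; }
EOF
    cat > "$sdir/hijacked-pkg/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=2
depends=('glibc' 'npm')
package() {
  npm install atomic-lockfile
}
EOF
}

# Usage: sh aur-scan.sh [DIR]
# With no argument, demonstrate on the constructed samples in a temp dir.
if [ $# -gt 0 ]; then
    scan_tree "$1"
else
    demo=$(mktemp -d)
    write_samples "$demo"
    scan_tree "$demo" || printf 'One or more packages flagged; review before building.\n'
    rm -rf "$demo"
fi
```

Run it with the directory your AUR helper clones packages into as the argument and refuse to build anything it flags; a flagged hit is a prompt to read the commit history of that package (including commits reachable only by hash, as the post notes) rather than a verdict on its own.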