Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
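As an added example, not code from the article or from Arch: a small POSIX sh filter that reads a git diff of an AUR package checkout and surfaces the kinds of additions the advice above tells reviewers to look for. The pattern list is an assumption about what a reviewer wants flagged, not a complete indicator set.

```shell
#!/bin/sh
# Added example, not code from the article or from Arch: flag risky additions in a
# PKGBUILD diff before building. Run it against a clone of an AUR package, e.g.
#   git -C <pkgdir> diff HEAD~1 -- PKGBUILD '*.install' | flag_risky_additions
# The patterns below are an assumption about what a reviewer wants surfaced, not a
# complete indicator list: npm/npx/bun/node invocations, curl/wget piped to a shell,
# dependency list changes, and new or referenced .install hooks.

flag_risky_additions() {
    # Reads a unified diff on stdin and prints each flagged added line with a tag.
    # Returns 0 when nothing was flagged, 1 when at least one line was.
    found=0
    while IFS= read -r line; do
        case "$line" in
            '+++ '*.install)            # a new or changed .install hook file in the diff
                echo "INSTALL-FILE: ${line#+++ }"; found=1; continue ;;
            '+++ '*) continue ;;        # other file headers are not content
            '+'*) ;;                    # an added line: inspect it below
            *) continue ;;              # context and removed lines are ignored
        esac
        added=${line#+}
        case "$added" in
            *depends=*)
                echo "DEPS-CHANGED: $added"; found=1 ;;
            *install=*)
                echo "INSTALL-HOOK: $added"; found=1 ;;
            *curl*\|*sh*|*wget*\|*sh*)
                echo "PIPE-TO-SHELL: $added"; found=1 ;;
            *npm*|*npx*|*bun\ *|*node\ *)
                echo "PKG-MANAGER: $added"; found=1 ;;
        esac
    done
    return $found
}
```

A non-zero exit makes the filter usable as a gate in a wrapper around the build step; it only narrows what to read by hand, it does not replace reading the diff.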

  • 51 seconds

    To be fair, basic checks should be done, not just make an account and in the next 10 seconds accept an abandoned package and publish malware

  • To potentially prevent this entire class of npm attacks in the future, you could edit /etc/pacman.conf, uncomment

    # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
    #IgnorePkg   =

    And set it to IgnorePkg = npm

    Your system should prompt you to accept installing npm because it’s in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something’s off and refuse the install. This assumes you don’t already have npm installed or need it for some reason.

    https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

    edit: word is that bun command is being abused as well and may be worthwhile including in the space separated list:

    IgnorePkg = npm bun

  • I feel like this always happens to npm specifically. They’re definitely doing something wrong 💀

    • 5 hours

      it’s the way it’s been set up; it needs a thorough revamping to make it as resilient as other supply chains.

      not that other chains are bullet proof, it’s just that npm people need to up their game to be at least as good as the others.

  • That’s another reason I like cachyos: they have a curated list of aur pkgs in their repo.

    • I too use CachyOS. But i am very new to it. Why are we more ‘protected’ than straight up Arch users? I like Cachy, but have a gripe with how some applications behave, especially Java based Apps, that have a native installer in AUR (not building from source). I have one application that is built in JAVA, and the text is so freaking small, all the pop-up windows open on the wrong place which makes the pointer inaccurate etc. But I digress. The question was more why should we feel more relaxed than the Arch guys and gals?

      • It’s like having a “double check” from a trusted source, they compile selected stuff from the aur so I suppose it’s a little more safe for the random user.

      • This is probably because the app does not support fractional scaling. Some apps that do not support fractional scaling will either not be scaled (rendered at native display resolution), or be scaled by the system (will look blurry because the window resolution does not match the display resolution).

        • That makes sense. What is weird though is the dev wrote the app for multiple platforms, including Debian, RPM-based and a few others. So it’s not like it is one of those ‘compile only from source and good luck to yah’ kinda apps.

          But thank you for the response. I do appreciate you taking the time!

  • 10 hours

    attempt to download npm-based payloads during installation

    Why npm and not python? It’s installed on every arch system and wouldn’t bring unnecessary attention 🤷

    • 9 hours

      Because the NPM is a complete mess and it’s super easy to exploit for supply-chain attacks by sneaking malware into one of the billion dependencies required by most popular packages.

      • 9 hours

        But if you look at some of the packages, they explicitly added npm as a new dependency. It’d be much easier to sneak in a python script.

        • 9 hours

          AUR “packages” are just a recipe file that runs some commands that source packages from somewhere else and build them, then put them in the format required by the Arch package manager.

          Normally it’s a source tarball downloaded directly from the project’s Git repo. But it can also fetch and install a binary package (for closed source software). Or it can install Node modules, or Python modules etc.

          Point is, you can’t inject a script directly in AUR itself. You could add the malicious code directly to the recipe file but it would be obvious. You could also download a zip with the malware directly, but it would also be obvious.

          So what they do is add the malware to modules published on another platform, and they’re downloaded indirectly, as a dependency of the Nth grade.

          It’s very hard to detect, you can’t really notice this kind of attack with a glance at the recipe.

      • But why would they care about supply chain attacks if they already have hacked into the package you’re requesting? In that case, executing python scripts would be less noticeable

        • 7 hours

          Here’s the AUR recipe (PKGBUILD file) for a random package:

          https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git

          This is a standard format for the recipe. It’s Bash code used to define variables and functions.

          You’ll notice there’s no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would a command that fetches a malware zip from a weird URL.

          Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It’s impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.

          AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.

          • 4 hours

            AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.

          • AUR is a great idea, misusing it is a bad idea.

    • this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit

  • What a terrible article.

    “Multiple” packages mentioned in the title, but they’re unable to actually name more than one in the article…

    //edit
    Actually, they did leave a link to the mailing list thread at the very end.
    I should learn to read the entire article…

    • 8 hours

      I was wondering why you felt that way 😅 Usually this source produces good content lol

  • … how do i make npm generally not work on Linux? I don’t use it and with how attack vectors are the majority of cases via NPM… and can be shipped as a binary to <arbitrary temp location>.
    Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?

    • 9 hours

      sudo {package-manager} remove npm nodejs
      sudo {package-manager} purge npm nodejs

      npm:

      sudo tee /usr/local/bin/npm >/dev/null <<'EOF'
      #!/bin/sh
      echo "npm is blocked on this system."
      exit 1
      EOF

      sudo chmod 755 /usr/local/bin/npm

      npx:

      sudo tee /usr/local/bin/npx >/dev/null <<'EOF'
      #!/bin/sh
      echo "npx is blocked on this system."
      exit 1
      EOF

      sudo chmod 755 /usr/local/bin/npx

      Might break some things but that’s a part of boycotting something I guess.

  • Maybe, just maybe, a nearly unmoderated repository where everybody can create packages is not so secure after all? /s

    And AUR is the reason I keep arch miles away from any of my systems.

    • Nobody ever says the AUR is safe. In fact they say specifically that it’s not; for exactly the reasons you mention.

      That’s why it’s the Arch USER Repository. You take your fate in your own hands when you choose to use it.

      As for your comment about using a distro that has everything in the main repo? How so? Every flavour has software that isn’t included in the main repos. For Arch based systems, that means either the AUR or Flatpaks. For Debian based systems, that means adding new repos to your sources, which is exactly as unsafe as the AUR in most cases, or using Flatpaks.

      If you’ve ever added a repo on Ubuntu, then you’ve essentially used their version of an AUR. The end result is no different.

    • You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.

      And no one has ever claimed the AUR to be safe.

      • yeah, it’s essentially, you want software that’s not in the official repo, go there.

      • True, I also have a choice to use a distro that delivers the software I need in the main repo.

      • And then, where do I get 70% of the packages I need? For example a useful browser like brave? Yeah …

        • There is an install script for linux front and center on the page (classic curl into sh). For other distros, they’re having you add their own repository and install from that. Just as sketchy.

          It’s unwise to trust Brave, anyway.

          • That was an example. And as someone who works in sec, I know the benefits of a package manager.

            “I only need to trust brave”.

            I don’t get it, static linking, curl to bash pipes and userspace installs, and everybody thinks that is fine. But as someone who needs to write a security concept for Linux in the office so I can finally use it at work, no, that is not ok. That is shit.

            Rust on desktop is also a nightmare, for example.

            No, I do not hate arch, I hate concepts and mindsets creeping into the Linux world

    • You run the same risks downloading torrents of games or porn on whatever OS you use. This isn’t really linux related, it’s related to downloading unverified files uploaded by random people online, which is what the aur basically is.

      • Which is why users are recommended to audit the PKGBUILD and related files before building and installing the packages. In the end, what happens during the installation of AUR packages is the user’s responsibility.

    • Technically there is no such thing as a “completely secure system”

      What Linux offers is the fact that by nature of being FOSS, there are millions of eyes on source code at any one time, and so potential exploits can usually be spotted and mitigated faster than waiting for the software maker to fix their own shit. And the fact that, in most cases with Windows, the call is coming from inside the house, so-to-speak; It’s the operating system itself that is malicious and anti-user.

      To put it simply: Yes… linux can be attacked just like windows. But we live in an open-concept house with no hidden corners, and we’ve got a pretty great neighbourhood watch thing going on. Versus Windows users who live in a house filled with cameras and alarms, surrounded by a giant wall that they can’t see over, and they have to rely on the security company to do anything about the burglar trying to get in.

      I’ll take my chances with the community approach every time.

    • 10 hours

      This is the same as an EXE having an issue and then blaming Microsoft. At least on Linux you have the option to not install from a 3rd party.

      • Well, but people do blame Windows!

        And there you also have the choice not to install from any source, just the Microsoft Store.

    • this affects only a fraction of arch users, and it would be impossible for it to work on nix systems for example, on top of that, this is basically npm’s fault