Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.

The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux’s community package collection, and it is separate

    • droppedtacos@lemmy.world · 22 days ago

      Also, if you’re running an Arch-based system and you’re worried, in the terminal you can run:

      pacman -Qm

      to display what are considered foreign packages that your system has installed and cross-reference them, if any, with the list found here:

      aur_check
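The cross-reference step the comment above describes, as an added example (not code from the thread or from the aur_check list it links to). Because it has to run offline, the `pacman -Qm` output and the list of names to check against are constructed sample data, not the real set of affected packages; on a live system you would feed it `"$(pacman -Qm)"` and the downloaded list instead. It matches on the exact package name in the first column, so a name like `yay-bin` on the list does not flag an installed `yay`.

```shell
#!/bin/sh
# Added example: cross-reference locally installed foreign (AUR) packages, as
# printed by `pacman -Qm` ("<name> <version>" per line), against a list of
# package names. Not code from the thread or from aur_check.

# CONSTRUCTED sample of `pacman -Qm` output. Hypothetical package names.
SAMPLE_FOREIGN='yay 12.3.5-1
example-aur-pkg-a 1.0.0-2
paru 2.0.3-1
example-aur-pkg-b 0.9-1'

# CONSTRUCTED list of names to check against (hypothetical, not the real
# list). "yay-bin" and the bare "example-aur-pkg" are included to show that
# matching is on the exact name, not on substrings.
SAMPLE_CHECKLIST='example-aur-pkg-a
example-aur-pkg-b
yay-bin
example-aur-pkg'

# find_matches FOREIGN_OUTPUT CHECKLIST
#   $1: text in `pacman -Qm` format
#   $2: newline-separated package names
# Prints each installed foreign package whose name appears in the list,
# one per line, in the order `pacman -Qm` listed them. Prints nothing when
# there is no overlap.
find_matches() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, names, "\n")
            for (i = 1; i <= n; i++)
                if (names[i] != "") want[names[i]] = 1
        }
        ($1 in want) { print $1 }'
}

# Stand-alone run over the constructed sample. On a real machine:
#   find_matches "$(pacman -Qm)" "$(cat aur_check_list.txt)"
find_matches "$SAMPLE_FOREIGN" "$SAMPLE_CHECKLIST"
```

An empty result only means none of the listed names is installed right now; it says nothing about a package that was built, ran its PKGBUILD, and was removed afterwards.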

    • Sammirr@aussie.zone · 22 days ago

      It means that if you’ve installed (built) anything from the AUR in the last ~48 hours, and you were unlucky enough to choose an impacted package, then consider your machine compromised. The article does a better job of explaining.