FRESH

Hacker News

Arch Linux AUR Hit by Another Wave of Now More Sophisticated Malware Attack

57 points by ImJamal

by helterskelter

1 subcomments

This is why I avoid AUR, it's too easy to become complacent. If I really want something from AUR I literally just look at the PKGBUILD for compilation instructions and do it manually by myself, but if it's got so many patches or dependencies that I can't go through them all by hand I just find another solution or do without.
This is also why I really dislike a lot of modern languages with automated fetching of dependencies. It really fosters a sloppy attitude toward your supply chain because it's just too damned convenient. With a reasonably sized Go project for instance, you may be pulling in code from dozens of different git repos. It only takes one compromised repo or malicious package to sink the ship.

by DavideNL

0 subcomment

Since Arch is hosting / facilitating the AUR on the archlinux.org domain, i think this causes less technical users to assume some level of trust. Even when they are aware that these are 3rd party packages.
Also i find it surprising that there's only very little/slow communication from Arch via their news channel. For example, how users can check for infections.

by hollow-moe

2 subcomments

Is the nixpkgs repo more "resilient" to these kind of attacks since an attacker would need the approval of a member with merge permission ?

by skeledrew

0 subcomment

I wouldn't be surprised if this is some kind of implicit "use AI or else" statement. I've been anticipating some kind of hit on Gentoo given their outspoken no-AI stance. Unsure of Arch's.

by bfrog

1 subcomments

I’m moving all my machines to NixOS. I’d done this before but ran into time constraints creating ports for convoluted binary software. With LLMs now as good as they are it’s quite possible this isn’t a problem anymore. I’ll be finding out.

by Shank

1 subcomments

Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?

by 7e

2 subcomments

Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.