
welcome (Sticky)

Welcome to the ToasterBotnet ShitPostBlog
Shitposting is Art
top tier ironic nonsense and the occasional educational content
This is the unhinged part of me reposting and remixing stuff I find all over the web to celebrate internet culture and to have a laugh.
Memes belong to the internet. Credits given where traceable.
This site exists to archive and celebrate the absurd beauty of online culture.

PSA: Arch Linux AUR Supply Chain Attack (Check Your Systems)

It seems some orphaned niche packages in the AUR have been systematically compromised and had malware injected during the build. There are lists of affected packages out there, so you can check whether your machines are affected. If you haven’t updated since May 31st you are probably fine, but check anyway. Don’t be lazy like me: always check your PKGBUILDs.

https://www.reddit.com/r/archlinux/s/qH4pgSYvG0

Update: Looks like it is not over and they are changing tactics

https://www.reddit.com/r/archlinux/s/RS0Ftaips1

Apparently new compromised packages are being released, and the payloads are changing or rotating. It is probably a good idea to avoid installing or updating anything from the Arch User Repository until this is over.
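One way to do the "check your machines" step, as an added example (not code from this blog or from Arch): it cross-references the foreign packages reported by `pacman -Qm` with the pacman log and a list of bad package names that you copy from one of the published lists. The function name, file layout, sample package names and dates are all assumptions made up for the illustration.

```shell
#!/bin/sh
# Usage: aur_exposure FOREIGN BAD LOG CUTOFF
#   FOREIGN  saved output of `pacman -Qm` (foreign packages, "name version")
#   BAD      package names from a published list, one per line (you supply it)
#   LOG      pacman log, normally /var/log/pacman.log
#   CUTOFF   YYYY-MM-DD; installs/upgrades on or after this day are reported
# Prints "LISTED|REVIEW name last-date". LISTED = name is on the bad list
# (reported even if since removed); REVIEW = other foreign package touched
# in the window, so its PKGBUILD and install script deserve a read.
aur_exposure() {
    awk -v cutoff="$4" '
        FILENAME == ARGV[1] { foreign[$1] = 1; next }
        FILENAME == ARGV[2] { if ($1 != "") bad[$1] = 1; next }
        # e.g. [2000-06-02T10:00:00+0000] [ALPM] upgraded name (old -> new)
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
            day = substr($1, 2, 10)   # ISO dates compare correctly as strings
            if (day >= cutoff && (($4 in foreign) || ($4 in bad)))
                last[$4] = day
        }
        END {
            for (p in last)
                printf "%s %s %s\n", (p in bad) ? "LISTED" : "REVIEW", p, last[p]
        }
    ' "$1" "$2" "$3" | LC_ALL=C sort
}

# Constructed sample data: package names, versions and dates are made up,
# and the year 2000 is a placeholder, not the date of the incident.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'foo-bin 1.2-1' 'bar-git r10.abc-1' 'baz 0.9-3' > "$d/foreign"
    printf '%s\n' 'foo-bin' 'gone-pkg' > "$d/bad"
    cat > "$d/log" <<'EOF'
[2000-05-20T09:00:00+0000] [ALPM] upgraded baz (0.9-2 -> 0.9-3)
[2000-06-02T10:00:00+0000] [ALPM] upgraded foo-bin (1.1-1 -> 1.2-1)
[2000-06-03T11:00:00+0000] [ALPM] installed gone-pkg (2.0-1)
[2000-06-03T11:05:00+0000] [ALPM] removed gone-pkg (2.0-1)
[2000-06-04T12:00:00+0000] [ALPM] installed bar-git (r10.abc-1)
[2000-06-04T12:00:01+0000] [ALPM] upgraded linux (6.1-1 -> 6.2-1)
EOF
    aur_exposure "$d/foreign" "$d/bad" "$d/log" 2000-05-31
    rm -rf "$d"
}

demo
```

A REVIEW line is not a detection, only a prompt to read that package's PKGBUILD and install script changes; a LISTED line for a package you already removed still means its build ran on the machine.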

From Reddit / Archlinux.org:

PSA – From [arch-announce] Active AUR malicious packages incident

Arch Linux: Recent news updates:

We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed.
While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

  • Creating new accounts on the AUR
  • Pushing package updates
  • Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time.
If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

URL: https://archlinux.org/news/active-aur-malicious-packages-incident/

Consider subscribing to one or some of these Arch mailing lists:

https://lists.archlinux.org/mailman3/lists