this post was submitted on 12 Jun 2026

196 points (99.0% liked)

Linux

65758 readers

525 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

196

Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages (linuxiac.com)

submitted 2 days ago by Vittelius@feddit.org to c/linux@lemmy.ml

59 comments fedilink hide all child comments

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (...)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.

you are viewing a single comment's thread
view the rest of the comments

[–] vapeloki@lemmy.world -5 points 2 days ago (4 children)

And then, where get I 70% of my packages I need? For example a useful browser like brave? Yeah ...

[–] aichan@piefed.blahaj.zone 3 points 16 hours ago

Ew, crypto-pilled adware Brendan Eich browser mentioned 🤮

[–] anyhow2503@lemmy.world 1 points 14 hours ago (1 children)

What the fuck kinda shitshow could you be running that you'd have to get 70% of your packages from the AUR?

[–] vapeloki@lemmy.world 1 points 11 hours ago

Security Research, software developer, strange hardware configurations.

And of course Software I need is not including their deps

[–] SystemQ@lemmy.world 5 points 2 days ago* (last edited 2 days ago)

Flatpak exists

https://flathub.org/en/apps/com.brave.Browser

[–] naught@sh.itjust.works 3 points 2 days ago* (last edited 2 days ago) (1 children)

same way you get packages anywhere else

[–] vapeloki@lemmy.world 0 points 2 days ago (1 children)

Anywhere else, I just need the package from the brave project or their repo. I trust the brave project, I do not trust the AUR for reasons.

[–] naught@sh.itjust.works 6 points 2 days ago (2 children)

There is an install script for linux front and center on the page (classic curl into sh). For other distros, they're having you add their own repository and install from that. Just as sketchy.

It's unwise to trust Brave, anyway.

[–] Cyber@feddit.uk 3 points 2 days ago (1 children)

curl | sh is the worst security front door I've seen

At least check the script first so it's understood

[–] naught@sh.itjust.works 2 points 1 day ago (1 children)

On one hand I agree, but how different is it really from running an opaque executable or installer.

[–] Cyber@feddit.uk 2 points 1 day ago

Well, with the script at least you can follow the actions first, so it's better...just don't run it blindly because 2 minutes ago the attacker just put an additonal line of code in...

The executable / installer is more of a Windows thing and we've seen how that arms race is going... even Microsoft are trying to create a Linux-style repo called Windows Store.

[–] vapeloki@lemmy.world 3 points 2 days ago

That was an example. And as someone who works in sec, I know the benefits of a package manager.

"I only need to trust brave".

I don't get it, static linking, curl to bash pipes and userepace install and everybody thinks that is fine. But as someone who needs to write a security concept for Linux in the office so I can finally use it at work, no that is not ok. That is shit.

Rust on desktop is also a nightmare for example.

No I do not hate arch, I hate concepts and mindsets creeping into the Linux world