this post was submitted on 12 Jun 2026
200 points (99.0% liked)

Linux

Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (...)

Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.

Users who recently updated affected AUR packages should review package history, examine any suspicious install scripts that were executed, and treat any unexpected npm-based installation behavior as a possible compromise.
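The review the post asks for (diff the PKGBUILD, read any .install hook, look for npm-style commands or dependencies that the software does not need) can be partly mechanised. The script below is an added example, not code from the original post, from the linked article, or from Arch's own tooling: it greps a local AUR checkout for package-registry clients (npm, npx, bun, bunx, yarn, pnpm), fetch-and-execute pipes, and install hooks, and exits non-zero when anything is flagged. The pattern list and the two sample PKGBUILDs are constructed for illustration and are not real AUR packages or an official indicator list.

```shell
#!/bin/sh
# Added example, not code from the original post or from Arch/AUR tooling.
# It greps a local AUR package checkout for the warning signs the post lists:
# npm/bun-style commands, fetch-and-execute pipes, node package managers in
# depends/makedepends, and the presence of .install hooks. The pattern list
# is an assumption for illustration, not an official indicator list.
set -u

# Portable ERE word boundaries (no GNU \b): a registry client name on its own.
PM_PAT='(^|[^[:alnum:]_])(npm|npx|bun|bunx|yarn|pnpm)([^[:alnum:]_]|$)'
# "curl ... | sh" / "wget ... | bash" fetch-and-execute.
PIPE_PAT='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh'

# scan_aur_dir DIR: print flagged lines from DIR/PKGBUILD and DIR/*.install.
# Returns 0 when nothing was flagged, 1 when the package needs a human review.
scan_aur_dir() {
    dir=$1
    hits=0
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        # /dev/null as a second file forces grep to prefix matches with the filename
        if grep -nE "$PM_PAT" /dev/null "$f"; then hits=$((hits + 1)); fi
        if grep -nE "$PIPE_PAT" /dev/null "$f"; then hits=$((hits + 1)); fi
        # hooks run as root at install time; their mere presence is worth a note
        case $f in
            *.install) echo "NOTE: install hook present, read it in full: $f" ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# make_samples ROOT: write two constructed PKGBUILDs (not real AUR packages)
# under ROOT/clean and ROOT/suspect; the latter mimics the shape the post
# describes: a new npm dependency plus an install hook that runs npm.
make_samples() {
    root=$1
    mkdir -p "$root/clean" "$root/suspect"
    cat > "$root/clean/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
depends=('glibc')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
build() { cd "$pkgname-$pkgver" && make; }
package() { cd "$pkgname-$pkgver" && make DESTDIR="$pkgdir" install; }
EOF
    cat > "$root/suspect/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0.1
pkgrel=1
depends=('glibc' 'npm')
install=example-tool.install
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
build() { cd "$pkgname-$pkgver" && make; }
package() { cd "$pkgname-$pkgver" && make DESTDIR="$pkgdir" install; }
EOF
    cat > "$root/suspect/example-tool.install" <<'EOF'
post_install() {
  npm install -g example-helper >/dev/null 2>&1 || true
}
EOF
}

# Demo on the constructed samples. For a real package, run it on the checkout
# and read the recent commits as well:
#   git clone https://aur.archlinux.org/<pkg>.git && git -C <pkg> log -p -3
SAMPLE_ROOT=$(mktemp -d)
make_samples "$SAMPLE_ROOT"
for pkg in clean suspect; do
    if scan_aur_dir "$SAMPLE_ROOT/$pkg"; then
        echo "$pkg: nothing flagged"
    else
        echo "$pkg: REVIEW BEFORE BUILDING"
    fi
done
rm -rf "$SAMPLE_ROOT"
```

A clean result is not a clean bill of health: the grep only catches the visible shape of this incident. A PKGBUILD that calls a registry client by absolute path, unpacks a prebuilt binary, or pulls a legitimate-looking module whose transitive dependency is the malicious one will pass it, which is why the diff and the install hook still need to be read.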

top 50 comments
[–] IEatDaFeesh@lemmy.world 48 points 1 week ago (2 children)

I feel like this always happens to npm specifically. They're definitely doing something wrong 💀

[–] eldavi@lemmy.ml 7 points 1 week ago

it's the way it's been set up; it needs a thorough revamping to make it as resilient as other supply chains.

not that other chains are bulletproof, it's just that npm people need to up their game to be at least as good as the others.

[–] HaraldvonBlauzahn@feddit.org 6 points 1 week ago

Could happen with pip too.

[–] mactan@lemmy.ml 31 points 1 week ago* (last edited 1 week ago) (1 children)

To potentially prevent this entire class of npm attacks in the future, you could edit /etc/pacman.conf, uncomment

# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg   =

And set it to IgnorePkg = npm

Your system should prompt you to accept installing npm because it's in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something's off and refuse the install. This assumes you don't already have npm installed or need it for some reason.

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

edit: word is that the bun command is being abused as well and may be worth including in the space-separated list:

IgnorePkg = npm bun

[–] HaraldvonBlauzahn@feddit.org 2 points 1 week ago* (last edited 1 week ago)

I want to call to your attention this article by Marcus Ranum titled "The six dumbest ideas in computer security" and within it, the section #2 on "enumerating badness".

This is what you try here.

[–] sanpo@sopuli.xyz 18 points 1 week ago* (last edited 1 week ago) (1 children)

What a terrible article.

"Multiple" packages mentioned in the title, but they're unable to actually name more than one in the article...

//edit
Actually, they did leave a link to the mailing list thread at the very end.
I should learn to read the entire article...

[–] Bananskal@nord.pub 4 points 1 week ago* (last edited 1 week ago)

I was wondering why you felt that way 😅 Usually this source produces good content lol

[–] placebo@lemmy.zip 17 points 1 week ago (2 children)

attempt to download npm-based payloads during installation

Why npm and not python? It's installed on every arch system and wouldn't bring unnecessary attention 🤷

[–] lemmyvore@feddit.nl 25 points 1 week ago (2 children)

Because the NPM is a complete mess and it's super easy to exploit for supply-chain attacks by sneaking malware into one of the billion dependencies required by most popular packages.

[–] placebo@lemmy.zip 10 points 1 week ago (1 children)

But if you look at some of the packages, they explicitly added npm as a new dependency. It'd be much easier to sneak in a python script.

[–] lemmyvore@feddit.nl 17 points 1 week ago (1 children)

AUR "packages" are just a recipe file that runs some commands that sources packages from somewhere else and builds them then puts them in the format required by the AUR package manager.

Normally it's a source tarball downloaded directly from the project's Git repo. But it can also fetch and install a binary package (for closed source software). Or it can install Node modules, or Python modules etc.

Point is, you can't inject a script directly in AUR itself. You could add the malicious code directly to the recipe file but it would be obvious. You could also download a zip with the malware directly, but it would also be obvious.

So what they do is add the malware to modules published on another platform, and they're downloaded indirectly, as a dependency of the Nth grade.

It's very hard to detect, you can't really notice this kind of attack with a glance at the recipe.

[–] placebo@lemmy.zip 3 points 1 week ago

I see. Thanks for the explanation.

[–] CommanderCloon@lemmy.ml 3 points 1 week ago (1 children)

But why would they care about supply chain attacks if they already have hacked into the package you're requesting? In that case, executing python scripts would be less noticeable

[–] lemmyvore@feddit.nl 4 points 1 week ago (2 children)

Here's the AUR recipe (PKGBUILD file) for a random package:

https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nautilus-git

This is a standard format for the recipe. It's Bash code used to define variables and functions.

You'll notice there's no place to sneak in a Python script. There is some brief Bash code in the functions but any major stuff would stand out immediately. So would a command that fetches a malware zip from a weird URL.

Meanwhile, if you add node or python to the dependencies, and then run a command that installs a perfectly legit npm or pip module, nobody would bat an eye. It's impossible to figure out that among the many upstream dependencies of that module there might be one that was subverted to discreetly run malware.

AUR is a very bad idea tbh and should not be used by the faint of heart. It makes it entirely too easy to pull this kind of crap.

[–] jdr@lemmy.ml 3 points 1 week ago

AUR is a great idea, misusing it is a bad idea.

[–] lofi@piefed.social 3 points 1 week ago

AUR itself is fine, the issue in this case is more with the automated system allowing anyone to take over orphaned/abandoned packages. This is a targeted attack leveraging that system.

[–] gary_host_laptop@lemmy.ml 5 points 1 week ago (1 children)

this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit

[–] SolarPunker@slrpnk.net 10 points 1 week ago (1 children)

That's another reason I like cachyos: they have a curated list of aur pkgs in their repo.

[–] Luckyfriend222@lemmy.world 7 points 1 week ago (3 children)

I too use CachyOS. But I am very new to it. Why are we more 'protected' than straight-up Arch users? I like Cachy, but have a gripe with how some applications behave, especially Java-based apps that have a native installer in AUR (not building from source). I have one application that is built in Java, and the text is so freaking small, all the pop-up windows open in the wrong place which makes the pointer inaccurate etc. But I digress. The question was more why should we feel more relaxed than the Arch guys and gals?

[–] SolarPunker@slrpnk.net 2 points 1 week ago

It's like having a "double check" from a trusted source, they compile selected stuff from the aur so I suppose it's a little more safe for the random user.

[–] SocialistVibes01@lemmy.ml 9 points 1 week ago (1 children)

Me, a Debian user watching that shitshow 😎

[–] Cyber@feddit.uk 2 points 1 week ago (1 children)

Me, an Arch user (btw), watching the NPM chaos on any distro...

[–] Xenny@lemmy.world 6 points 1 week ago (1 children)

Me an arch user who hasn't booted their computer in over a week 🙂

[–] lord_ryvan@ttrpg.network 2 points 1 week ago

That's okay, just be very careful updating rather manually.

[–] mecen@lemmy.ca 7 points 1 week ago* (last edited 1 week ago)

To be fair, basic checks should be done, not just make an account and in the next 10 seconds accept an abandoned package and publish malware.

[–] ProgrammingSocks@pawb.social 4 points 1 week ago

I wasn't hit according to the public script but I am definitely rethinking my use of Arch and most certainly refraining from the AUR as much as possible going forward. This is far too many events in such a small period of time for me.

[–] MonkderVierte@lemmy.zip 3 points 1 week ago* (last edited 1 week ago) (1 children)

.... how do I make npm generally not work on Linux? I don't use it, and the attack vectors are in the majority of cases via NPM... and can be shipped as a binary to .
Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?

[–] sirico@feddit.uk 7 points 1 week ago (1 children)

# remove the packages first (purge is the apt spelling; use whichever your package manager has)
sudo {package-manager} remove npm nodejs
sudo {package-manager} purge npm nodejs

# npm: a stub that refuses to run; it only shadows a real binary while
# /usr/local/bin comes before that binary's directory in PATH
sudo tee /usr/local/bin/npm >/dev/null <<'EOF'
#!/bin/sh
echo "npm is blocked on this system."
exit 1
EOF

sudo chmod 755 /usr/local/bin/npm

# npx: same stub
sudo tee /usr/local/bin/npx >/dev/null <<'EOF'
#!/bin/sh
echo "npx is blocked on this system."
exit 1
EOF

sudo chmod 755 /usr/local/bin/npx

Might break some things but that's a part of boycotting something I guess.

[–] MonkderVierte@lemmy.zip 4 points 1 week ago (1 children)

Thanks, but

and can be shipped as a binary to
