Major attack on Arch Linux: massive malware injection into the AUR

Arch Linux continues to struggle with a large-scale malware wave in its user repository, the AUR (Arch User Repository). The repository is currently flooded with malicious packages, and the attack is ongoing and becoming more sophisticated.

Over 1,500 infected packages

The developers behind the Linux distribution initially assumed they had brought the security incident under control after identifying more than 1,500 affected packages into which malicious code had been inserted. Further manipulated code submissions have since been discovered. The new wave of attacks is considered more technically sophisticated because the malicious functions were deliberately concealed, as the magazine Phoronix reports.

A few days ago it became known that hundreds of packages in the community-maintained AUR had been injected with malicious code. While there was initially talk of around 400 compromised packages, the number rose over the course of the investigation to around 900 and ultimately to at least 1,579. According to the Arch Linux developers, all known malicious changes have now been removed from the repository. However, they noted that even this number may not capture all infected packages.

But just one day after the supposed cleanup, new cases appeared. A developer using the pseudonym “a821” reported additional compromised AUR packages. Among those affected were various Node.js components, a package for Plasma 6 applets, Firefox-related extensions, the Aura browser, extensions for LibreWolf, a plug-in for NeoVim and other software packages. The suspicious changes were removed shortly afterwards.

The future of the AUR is up for debate

A little later, security researcher Nicolas Boichat discovered additional manipulated packages. He used a locally run AI model based on Gemma E2B to identify suspicious code. According to him, the new malicious code variants were significantly more sophisticated than those discovered earlier. In particular, the harmful commands relating to the Bun tool were so heavily obfuscated that their actual function was difficult to recognize.

The incident once again raises questions about the security of the AUR. Unlike the official Arch Linux package sources, the repository is maintained by users, who can publish their own software packages there. Given the repeated findings, some observers are calling for additional protective measures or even a temporary shutdown of the service until more effective security controls can be put in place. Meanwhile, the Arch Linux developers are continuing their investigation.
