this post was submitted on 14 Jun 2026

Australian Tech


For techs and techy stuff.


cross-posted from: https://lemmy.zip/post/66075617

top 9 comments
[–] TheHolm@aussie.zone 0 points 2 weeks ago (2 children)

How can it happen? Were the maintainers of all these 15xx packages brainwashed?

[–] lurch@sh.itjust.works 0 points 2 weeks ago (1 children)

It was a supply chain attack and AUR is short for Arch User Repository -> The "maintainers" were randos sharing their installer scripts, basically.

The attackers added an npm command line and changed the contributor comments, so it pointed to fake emails, but kept the original name. Example: https://aur.archlinux.org/cgit/aur.git/commit/?h=runescape-launcher&id=cf0b627a6c36be967411063e2e2629f80bb6d51f
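As an added example (not code from the thread, from the AUR project or from the linked commit), a small vetting script in the spirit of the check a reviewer would make on such an update: it compares an old and a new PKGBUILD and flags a contributor email that changed while the name stayed the same, and newly added build-time commands that fetch code from the network. The PKGBUILD contents, names and emails are constructed for the example.

```python
import re

# Constructed sample PKGBUILDs (not the real package from the thread):
# the "new" version keeps the maintainer's name but swaps the email,
# and adds an npm invocation to build().
OLD_PKGBUILD = """\
# Maintainer: Jane Doe <jane@example.org>
pkgname=example-launcher
pkgver=1.0
build() {
  make -C "$srcdir/$pkgname"
}
"""

NEW_PKGBUILD = """\
# Maintainer: Jane Doe <jane@attacker-mail.invalid>
pkgname=example-launcher
pkgver=1.0
build() {
  make -C "$srcdir/$pkgname"
  npm install some-package
}
"""

# "# Maintainer: Name <email>" / "# Contributor: Name <email>" header comments.
CONTRIB_RE = re.compile(r"^#\s*(Maintainer|Contributor):\s*(.+?)\s*<([^>]+)>", re.M)
# Commands that pull code from the network at build time; some packages use
# them legitimately, but a newly added one in an update deserves a look.
FETCH_RE = re.compile(r"^\s*(npm|npx|pip|curl|wget|git\s+clone)\b")


def contributors(text):
    """Map contributor/maintainer name -> email from the header comments."""
    return {name: email for _, name, email in CONTRIB_RE.findall(text)}


def review_pkgbuild_update(old, new):
    """Return human-readable findings to check before building the update."""
    findings = []
    old_c, new_c = contributors(old), contributors(new)
    for name, email in new_c.items():
        if name in old_c and old_c[name] != email:
            findings.append(f"email for '{name}' changed: {old_c[name]} -> {email}")
    old_lines = set(old.splitlines())
    for line in new.splitlines():
        # Only lines that did not exist in the previous version are flagged.
        if line not in old_lines and FETCH_RE.match(line):
            findings.append(f"new network fetch at build time: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in review_pkgbuild_update(OLD_PKGBUILD, NEW_PKGBUILD):
        print(finding)
```

In practice the two inputs would be the PKGBUILD currently installed (for example from an AUR helper's cache) and the one fetched for the update, reviewed before makepkg runs.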

[–] Sxan@piefed.zip 0 points 2 weeks ago

I got lucky on þis one. I uninstalled npm ages ago and won't install anyþing þat tries to pull it. Þe attackers could have used a different vector and I'd have been susceptible; it was only chance my dislike of Javascript saved me þis time.

[–] shirro@aussie.zone 0 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

AUR is user generated content and it isn't moderated or enabled by default. It is a place for regular users to share PKGBUILDs, which are scripts that automate building and installing software. Hard to explain now as it belongs to a different time and ethos when most people in the FOSS community were trying to help each other and build better things. Sort of like how in small town Australia or NZ people all pitched in to help each other in old times and you didn't lock your house or car.

It was always drummed into Arch users that AUR was user generated and potentially unsafe (just from broken packages, not necessarily malicious) and to vet the content before use. But we got tools to make updating AUR packages too easy and even experienced users can get slack.

There are some high quality packages on AUR that will eventually be vetted and adopted as official and some that are very well maintained by trustworthy people. But there is also a lot of crap and packages that have been abandoned which can be claimed by a malicious org. That is the source of the crazy number of packages. The number of people compromised was probably very small but it's a valuable lesson.

AUR is not too different to Microsoft-owned GitHub/npm which distributed most of the malware or to the various package managers that many software devs rely on far too heavily. Supply chain attacks will continue to be a huge threat as long as people are pressed for time and lazy and I don't think LLMs are going to be a magic bullet.

[–] mertn22@aussie.zone 0 points 2 weeks ago (1 children)

Thanks for that detailed description of AUR. I came here to make a snarky comment because I use Debian. But this could happen with any distro. Especially when using docker:latest images from random places.

[–] shirro@aussie.zone 0 points 2 weeks ago* (last edited 2 weeks ago)

I am a Debian user as well. It's what I have used for servers and dev for over 25 years. No distro is perfect. Debian maintainers sometimes add too many patches to upstream and introduce bugs and vulnerabilities. This is particularly nasty when SSH is involved. One of the things I like about Arch is how little the maintainers alter upstream. The memes about Arch aren't much like the reality.

The intention of the AUR was really good. If you wrote an installation script for a niche package or with different build options you could share it with others and get some skills and feedback on packaging. It was like Ubuntu's PPAs but simpler.

Like anything good it just takes a few bad actors. We just can't have nice things it seems. The whole FOSS ecosystem is under attack and we are all in it together. Shit like XZ can get any of us. It's not really a good time for distro wars.

[–] eureka@aussie.zone 0 points 2 weeks ago (2 children)

I don't understand the point in reporting global tech topics in Australian Tech - it seems redundant to me.

[–] shirro@aussie.zone 0 points 2 weeks ago

While I agree at some level, my experience of seeing local user groups disappear, regional mailing lists go dead, and forums shut down because Facebook groups or Reddit exist is that local communities matter, and we are all far poorer for losing them.

The corporate global Internet is not the same. It is a regression and it is very vulnerable to bad faith actors. This isn't much better but if it's a step towards reclaiming what we once had then perhaps we should encourage it.

[–] Dimand@aussie.zone 0 points 2 weeks ago

It's a global issue. But I'm happy to see a local discussion about it. I am much more likely to participate here.