
Malicious apps have infiltrated the Arch User Repository – how to protect yourself

Elyse Betters Picaro/ZDNET



ZDNET's key takeaways

  • The Arch User Repository was found to contain malicious applications.
  • This happened twice within a week.
  • Users are warned to be careful, but there are other, simpler options.

Investigators at software management company Sonatype discovered that the Arch User Repository contained about 1,500 malicious packages, the company said in a blog post updated on June 12.

“We continue to encourage all users of AUR packages to review every PKGBUILD and included script change when updating, especially at this time. If you see any suspicious commits in the package you are using, please contact Arch staff via the aur-general mailing list for more information,” the Arch team said in a brief statement.

This does not sit well with a repository that was created to significantly increase the amount of software available to Arch (and Arch derivative) users.


The AUR is essentially a way for developers to make new software available to Arch Linux users before it’s officially added to the Arch repositories. It is a set of package definitions (called PKGBUILDs) that make it possible to compile a package from source code with the makepkg tool and install the result with the Arch Linux package manager, pacman.

The thing about the AUR is that anyone can upload packages to it, and the Trusted Users group is charged with keeping tabs on what’s coming in.

You see where this is going, right?

Imagine you’re one of those volunteer Trusted Users charged with checking every app that gets sent to the repository. Now, imagine you are a bad actor who wants to get malware into that repository. You write the malware, pass the app off as legitimate, and assume that the Trusted Users won’t have time to dig through every line of your code. A Trusted User performs a quick scan of your code and spots no obvious obfuscation.

Boom! You’ve just added a malicious app to the AUR.

Within a one-week period, nearly 1,500 malicious applications entered the repository, which means something has to change; otherwise, Arch (and Arch-based) users will not be able to trust the AUR. There have been no reports yet of what these malicious apps do or who delivered them.


In the meantime, I have a few recommendations for Arch users.

Remove, remove, remove

First, you need to remove whatever you installed from the AUR, and hope it’s not too late. At this point, I don’t know how bad the malicious code that got into the AUR is, so I can’t say anything about the damage it could have done, or may already have done, to your systems.

Fortunately, to remove the package, you can use pacman like this:

sudo pacman -R PACKAGENAME

Where PACKAGENAME is the package to be removed.

Once you’ve done that, check to make sure the package has been removed with the command:

pacman -Q

The above command will list all the packages installed on your system.

Stop using AUR

Next, stop using the AUR, at least until the developers and Trusted Users come up with a solution to this problem. Until they find a way to make it more secure, treat the AUR as off-limits.

After you’ve removed all the packages and stopped using the AUR, do yourself a favor and use a tool like Wireshark to inspect your outgoing traffic for anything suspicious. If you see a destination you don’t recognize, look it up. If it is unknown, or known to be associated with malicious code, block the outgoing traffic or reinstall your OS.

Don’t take any chances.

Find a universal package manager

Instead of AUR, install Flatpak and install apps from there. With Flatpak, you’ll have more apps to install, so you won’t miss the AUR nearly as much as you think. You can install Flatpak with the command:

sudo pacman -S flatpak

After installation, add the Flathub repository with:

flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo

You can then install anything you need with:

flatpak install flathub PACKAGENAME

Where PACKAGENAME is the name of the package as it appears on Flathub. You’ll find that there are apps on Flathub that weren’t available on the AUR (even proprietary apps like Spotify and Slack).


It’s a shame that bad actors can ruin something for everyone. While Arch Linux is a surprisingly secure OS, AUR is a different story. I’ve never depended on the AUR (in fact, I rarely use it), so this doesn’t affect me nearly as much as it might those who do.

To fix this problem, I would suggest that the AUR needs a better system to verify the integrity of the software submitted. I realize that some may consider it an insult to what AUR has been for years, but if problems like this continue, AUR will eventually become a ruin.

About 2,000 dangerous apps in a single week is nothing to sneeze at. And even if the devs give the all-clear every time malicious apps are found, at some point no one will trust the AUR, so something significant has to change.

Even this Reddit thread from five years ago shows that this problem has been a concern for a long time. It also highlights the fact that the onus is on the user to check everything they install. To that, I would say: how will you attract new users if they are expected to audit the software they want to use for malicious code? The answer… You can’t.
