A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Holy shit it’s like all of Python.
Yeah, Python has been a massive vulnerability for a long while. And the AUR has similar issues. This is only getting widespread coverage now. But it’s always been a risk.
Well, those are mostly extension libraries, stuff “normally” installed using pip. Arch is kind of unique that they encourage using system aur over pip, npm and other package managers. While it is a big radius, none of the python packages stick out to me, but maybe I just haven’t encountered the popular ones.
It isn’t really all that unique? Debian does it, el does it, probably almost any popular distro?
I suppose it’s become more common since PEP 668 was introduced, less unique these days.
The attackers specifically targeted orphaned projects on AUR so it’s no wonder most of those aren’t familiar to us.