Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages

rafssunny@lemmy.zip · 13 hours ago

Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages

brokenwing@discuss.tchncs.de · 10 hours ago

What to do if I found a package I installed to be in that list? libgdata to be specific?

Petersson@feddit.org · edit-2 8 hours ago

Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you’re fine.

If:

Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It’s supposed to be an eBPF rootkit)

(reference)

Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.

A_norny_mousse@piefed.zip · edit-2 7 hours ago

Probably reinstall (all is supposed to be fixed as of over 12h ago). This time check the PKGBUILD and also whichever (git) repo the software is pulled from.
See if infected versions of npm packages atomic-lockfile and js-digest are installed.

See here: https://bbs.archlinux.org/viewtopic.php?id=313892

ilmagico@lemmy.world · 10 hours ago

Was it installed from the aur? If not, you’re fine

StarDreamer@lemmy.blahaj.zone · 7 hours ago

libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn’t remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you’d inadvertently update libgdata from an AUR source if you’re using an AUR helper.