• helpImTrappedOnline@lemmy.world
      3·
      18 hours ago

      Well that’s fun. Odd someone named Campbell asking was for a tomato soup recipe, you’d think that would just be built into their bloodline or something.

      While I’m glad no JS package managers were hurt to make the soup, I do wish the recipe didn’t waste so much water.

    • magnolia_mayhem@lemmy.world
      2·
      18 hours ago

      Just keep sending requests and use as many tokens as possible. My wife spent 30 minutes on the phone with a bot the other day, just getting it to dump huge sets of instructions to waste tokens.

    • Crozekiel@lemmy.zipEnglish
      2·
      23 hours ago

      I am really curious about this. If someone had ClamAV and updated any of these packages from the AUR during the attack, would ClamAV have “solved” that problem? I would love to know the effectiveness of that.

    • Siegfried@lemmy.world
      4·
      1 day ago

      Did clamav work with AUR affected packages? Sorry if the question is idiotic, cause im ignorant when it comes to security

    • placebo@lemmy.zipEnglish
      10·
      1 day ago

      Tbf most major attacks we saw recently are cross-platform thanks to npm. AUR has always been a security risk.

    • Alaknár@sopuli.xyz
      4·
      1 day ago

      Wasn’t that long ago when I was downvoted to oblivion for saying that. Glad to see the community is maturing.

      • placebo@lemmy.zipEnglish
        9·
        1 day ago

        But your brain should be the best antivirus you have.

        It’s useful to use brain, but any security layer has holes which is why it’s good to have several layers. Some attacks might be way beyond user’s understanding or come from trusted sources.

      • UnderpantsWeevil@lemmy.worldEnglish
        5·
        1 day ago

        But your brain should be the best antivirus you have.

        True of virtually every OS.

        But “only stupid people get viruses” is exactly the kind of trap that catches folks.

      • AceSLive@lemmy.world
        2·
        1 day ago

        I have eset home but now I’ve gone completely linux, and they don’t do it for home - only business

        Which sucks, as I have a year left on my subscription I can no longer use :/

    • Ghoelian@piefed.socialEnglish
      101·
      2 days ago

      one thread I found from 2 years ago where someone asked for the same thing, a lot of the replies are just “you don’t need antivirus on Linux” lmao

      • CeeBee_Eh@lemmy.world
        23·
        1 day ago

        a lot of the replies are just “you don’t need antivirus on Linux”

        Which is completely true when using distros like Debian, Fedora, RHEL, OpenSuse, etc.

        Arch (and its derivatives) are designed to be on the bleeding edge with ALL the paper cuts that come with it. It is absolutely not focused on stability or security. If you want those things then stick to Debian or Fedora Silverblue.

        And the second you introduce npm to your system you can throw any semblance of security out the window, regardless of what your operating system is, and no antivirus is going to save you.

        That being said, the fundamental security models between Linux and Windows are very different. And on Linux the overall impact will likely be far less damaging (technologically, not financially) than on Windows. Windows “security” is just a corporate marketing campaign.

          • CeeBee_Eh@lemmy.world
            21·
            21 hours ago

            npm, yes. Snap and flatpak? No. I’m not saying it’s impossible to get malware. The difference is that snapd and flatpak have various levels of process isolation that largely mitigates any potential issues.

            The argument isn’t “Linux doesn’t have malware”, the argument is “you don’t need to run antivirus on Linux”. Those are two very different things.

            Not even the best antivirus will protect you completely, at that point you need good computer hygiene.

            • Crozekiel@lemmy.zipEnglish
              1·
              4 hours ago

              Eh. Flatpak has the option for process isolation, but it kinda works similarly to how android apps have default permissions set and the packager can just go “nah, this gets FULL permissions” and unless you go look and change it yourself, the program isn’t restricted at all. I don’t use ubuntu/snapd so can’t speak to that.

              There are more protections on flathub than the AUR for sure - the AUR is closer to just downloading random shit off the internet than a true repository. That said, it’s crazy to assign the vulnerabilities of the AUR to Arch as a whole… The Arch repos proper (and even Chaotic AUR) didn’t have problems during any of this.

  • gerryflap@feddit.nl
    9·
    2 days ago

    I learnt a lesson yeah. It looks like I got away, there’s no rootkit, I found nothing weird running, I don’t have npm Installed, and up until now it doesn’t seem like the packages I had installed were compromised. But I had way more AUR packages installed than I was aware of. And I was just updating them without really caring about the pkgbuild, I have better things to do. Multiple packages were outdated crap that shouldn’t have been there anymore.

    I was careless and took too much risk. I reduced the Installed AUR packages to a minimum, and from now on I will verify the PKGBUILDs on every update. Maybe Arch isn’t really what I need. I’m on the LTS kernel and I no longer really use the AUR. But switching will be a huge hassle and this setup will work well from here on out, so I’ll stick to it for now

    • prole@sh.itjust.worksEnglish
      31·
      1 day ago

      I’ve been using Bazzite for a couple of years now and it’s great. Almost boring how stable it is.

      And I access the AUR with an Arch distrobox if I need to

      • Crozekiel@lemmy.zipEnglish
        3·
        23 hours ago

        errr… just FYI, if you have AUR packages through distrobox, you are basically just as vulnerable as someone running vanilla arch. You checked if you have anything form the AUR on the nearly 2k (last I checked) package list?

  • macniel@feddit.org
    983·
    2 days ago

    Linux Users: haha those silly windows users, always searching the web for their software and getting viruses.
    Linux Users: oh no I got malware by searching the AUR!

    • rtxn@lemmy.worldM
      421·
      2 days ago

      The AUR is still safer. One, it is at least minimally moderated. If a malicious package is detected, it can be reported and removed. Two, the installer is usually not just a black box executable. Three, most of the build and runtime dependencies are from the official Arch repos, which provides some protection against supply chain attacks. For Windows installers, you have to trust the distributor to bundle clean DLLs (for that matter, the same applies to AppImages).

      But if it starts downloading anything from NPM… ^C and run.

      • Lucy :3@feddit.org
        23·
        2 days ago

        The most unsafe factor of the AUR is aur helpers and their goal to dumb everything down and streamline the process as if the AUR where an official repo

        • CubitOom@infosec.pubEnglish
          81·
          2 days ago

          I’m not entirely sure I agree, I think the issue is with default settings.

          Like you could use both yay and paru to diff the PKGBUILD of the most recent updat and then read it, and then approve each. And I think that’s pretty helpful. But you could also just blindly accept the update with the right config or flag and that is not a good practice.

          • bitfucker@programming.dev
            3·
            2 days ago

            Yeah, use and promote aurto instead. They require you to trust the maintainer and would remove the package from the local repo if the maintainer is changed

            • CubitOom@infosec.pubEnglish
              2·
              1 day ago

              I’m not sure if loosing the maintainer is to only thing we should be going off of here, but I like the name.

              • bitfucker@programming.dev
                1·
                1 day ago

                Well, it is just like a distro maintainer account anyway. If the maintainer account is compromised then gg for the whole distro. That’s what happens with other supply chain attacks as well and yes, I do think we need a way to fix that without compromising on ease of usability

                • CubitOom@infosec.pubEnglish
                  1·
                  1 day ago

                  We arnt talking about a distro maintainer, but an aur package maintainer, which can be anyone.

    • Lucy :3@feddit.org
      9·
      2 days ago

      By misusing the AUR and ignoring every warning telling you to read and understand the pkgbuild or don’t do it.

  • HisAssholiness@lemmy.ml
    151·
    2 days ago

    Arch users just randomly dropping “I use Arch btw” everywhere, it was only a matter of time.

  • Shanmugha@lemmy.world
    91·
    2 days ago

    I am at “no fucking yays and the bunch, check the package create/update dates, read PKGBUILD, only update when necessary”. Has served me well so far