• just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    26 days ago

    They should have some sort of static code scanners on the repos at rest at this point that look for certain patterns and issue warnings.

    • deadcade@lemmy.deadca.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      26 days ago

      Since this installed a malicious dependency from NPM (and later with bunjs) in the pre install script, it would need at least complex correlation to catch. Maybe building and installing all AUR packages, which would cost far too much for the Arch team.

      Individually and automatically scanning only the PKGBUILDs (the stuff actually on the AUR) would likely not have caught this.

      That doesn’t mean it’s a bad idea to run a basic scan over every change, but it wouldn’t magically “fix” aur malware.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        26 days ago

        It’s enough to build a pattern match and scan against it being elsewhere. Surely they did at least much to find all these packages with malware.

  • DevDave@piefed.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    26 days ago

    Definitely a few unfortunate victims to stuff like libyami if using some sort of shell autocomplete. Few others would likely catch younger people, eg the implied apk side channel deployment packages.

  • northernlights@fedia.io
    link
    fedilink
    arrow-up
    3
    ·
    26 days ago

    how did this happen? the linked thread show people identifying the infected packages and cleaning them up but no word about how it happened or how to prevent it.

    • rozodru@piefed.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      26 days ago

      I think it was essentially orphaned stuff that got “picked up” by a “new maintainer” and that’s how it happened.

        • Telorand@reddthat.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          26 days ago

          You’re only affected if you use the AUR. As far as I understand it, the core packages themselves are fine, so this is more of a MitM attack, where somebody compromised the package download streams

            • Telorand@reddthat.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              26 days ago

              How is it not? They didn’t take over the core projects, they took over the midstream distribution.

              • northernlights@fedia.io
                link
                fedilink
                arrow-up
                6
                ·
                26 days ago

                A MitM attack defines the attack technique, not the target. It’s when the target wants to connect to something but it connects through you first, and you forward while collecting/altering data. My question was about the attack used. But yeah, a mass takeover of everything orphaned would do it.