r/cachyos

As the title states, the Arch AUR has been hit by a huge malware infection campaign over the last couple of days. There's an earlier post referring to alvr. That's not the only package it's hundreds of them, many of them Aur packages average people would install like apple-music-desktop.

More are still being found this list is not complete.

Since CachyOS enables the AUR by default and makes use of it in Shelly GUI this is a big problem, with potentially thousands of people affected.

I don't have the full details of the scope of the malware campaign. I know it's a credential stealer so it steals ssh keys and browser login info and apparently has rootkit potential.

This was widespread and targeted orphaned packages. Aur for some reason allows other people to take over existing projects.

I don't have many more details, other people will have more information to provide.

The bottom line is if you used the aur over the last couple of days you may have been infected and the problem with taking over orphaned packages I believe remains. I personally would not use the Aur for the foreseeable future, and ideally not at all. It's a security risk.

Do your due diligence in finding out more, hopefully others will provide more details and easy to understand information.

Edit 2: I'm going to leave this issue to others. I've removed links to the package lists/scripts. You can keep up to date by referring to the CachyOS forums on the issue.

Attacks are still ongoing. A new one was just discovered again today, though it doesn't look as widespread. Stay vigilant with the AUR and be careful with running scripts you don't understand.