A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Ironic, given the name.
I’m very new to Arch so I’m still confused as to where I stand. Hopefully I haven’t been pwned. Sadly, my distro includes AUR packages by default.
My distro (Garuda) included a couple back when I originally installed it, but doesn’t use them currently (namely wine-nine - which was affected) but the built-in system update didn’t touch AUR unless you explicitly tell it to, so that saved my bacon in this situation (my AUR packages hadn’t been updated in 2 months).
How do I check to see if that’s the case for me too?
As I showed above, I also had wine-nine, but I can’t tell if that log is listing all the times wine-nine was updated or all the times I updated with wine-nine installed.
I’m leaning toward the latter given it was just listing wine-nine 0.10-1 repeatedly, implying it never updated past that in the dangerous period, right?
I am not at home (and work is stuck on Windows) so I can’t verify with 100% certainty… But I believe what I did was pacman -Qm to list the AUR packages. Then I did pacman -Qi <package_name> to list the details about why it was installed, what dependencies it has, what depends on it, and when it was last updated. Mine showed like 2 years prior (whenever I installed the OS) because there hadn’t been any update to it in years (until the attack). If your date for last updated is recent, you probably have a problem.
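For the question above of whether a package was actually rebuilt and installed in a given window, pacman's own transaction log records each install and upgrade; the script below is an added example, not something posted by anyone in the thread, that filters that log for the foreign packages `pacman -Qm` lists. It assumes the log is at /var/log/pacman.log; the function names, the sample log lines and the cutoff date are constructed, and SINCE stands for whatever start date you want to check from.

```shell
#!/bin/sh
# Added example (not from the thread): list pacman.log transactions that
# actually changed the given packages on or after a chosen date.
# usage: aur_events LOGFILE SINCE_YYYY-MM-DD PKG...
aur_events() {
    log=$1; since=$2; shift 2
    awk -v since="$since" -v pkgs="$*" '
        BEGIN { n = split(pkgs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            # The timestamp is one field (ISO 8601) or two (older "date time").
            k = 0
            for (i = 2; i <= 3; i++) if ($i == "[ALPM]") k = i
            if (!k) next                       # skip [PACMAN] command lines, scriptlet output
            act = $(k + 1); pkg = $(k + 2)
            if (act != "installed" && act != "upgraded" && act != "reinstalled") next
            if (!(pkg in want)) next
            day = substr($1, 2, 10)            # YYYY-MM-DD compares correctly as text
            if (day < since) next
            ver = ""
            for (i = k + 3; i <= NF; i++) ver = ver " " $i
            print day, act, pkg ver
        }
    ' "$log"
}

# Constructed sample log; package names other than wine-nine are made up.
sample_log() {
    cat <<'EOF'
[2024-01-05T10:00:00+0000] [PACMAN] Running 'pacman -Syu'
[2024-01-05T10:00:09+0000] [ALPM] installed wine-nine (0.10-1)
[2024-01-05T10:00:10+0000] [ALPM] upgraded linux (6.6.9-1 -> 6.6.10-1)
[2024-07-02T18:30:00+0000] [ALPM] upgraded example-aur-tool (1.0-1 -> 1.1-1)
[2024-07-02T18:30:01+0000] [ALPM-SCRIPTLET] post-upgrade output
[2024-07-03T09:00:00+0000] [ALPM] removed old-pkg (2.0-1)
EOF
}

# Demo on the sample; on a real system:
#   aur_events /var/log/pacman.log SINCE $(pacman -Qmq)
tmp=$(mktemp) && sample_log > "$tmp"
aur_events "$tmp" 2024-06-01 wine-nine example-aur-tool
rm -f "$tmp"
```

A package that was only present during a system update produces no line here; only transactions that installed, upgraded or reinstalled that package are printed.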