• Re: Arch's AUR sees more than 400 packages compromised with malware

    From rbowman@[email protected] to comp.os.linux.advocacy on Sat Jun 13 20:45:20 2026
    From Newsgroup: comp.os.linux.advocacy

    On Sat, 13 Jun 2026 07:02:29 -0400, CrudeSausage wrote:

    > On 6/13/26 12:22 AM, rbowman wrote:
    >> On Fri, 12 Jun 2026 21:08:12 -0400, CrudeSausage wrote:

    >>> The Arch Linux User Repository "AUR" was hit by a large-scale malware
    >>> campaign this week with more than 400 of these user-supplied packages
    >>> being compromised.

    >> Good thing I went from EndeavourOS, which uses AUR, to Leap 16 a couple
    >> of weeks ago. AUR always did have a warning sticker attached.

    > To be honest, the AUR was part of what made EndeavourOS so attractive to
    > me in the first place. At this point, I'll be content to use whatever is
    > in the distribution's repository, Flatpaks or Snaps. I imagine that the
    > last two are monitored sufficiently enough to avoid such malware issues.

    AUR is handy with yay to automate the build process or to pull in the
    apps that have a bin variant. The downside is what happened. PyPI, GitHub,
    npm, and other repositories have had similar problems.

    https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From pothead@[email protected] to comp.os.linux.advocacy on Sun Jun 14 00:31:05 2026
    From Newsgroup: comp.os.linux.advocacy

    On 2026-06-13, rbowman <[email protected]> wrote:
    > On Sat, 13 Jun 2026 07:02:29 -0400, CrudeSausage wrote:

    >> On 6/13/26 12:22 AM, rbowman wrote:
    >>> On Fri, 12 Jun 2026 21:08:12 -0400, CrudeSausage wrote:

    >>>> The Arch Linux User Repository "AUR" was hit by a large-scale malware
    >>>> campaign this week with more than 400 of these user-supplied packages
    >>>> being compromised.

    >>> Good thing I went from EndeavourOS, which uses AUR, to Leap 16 a couple
    >>> of weeks ago. AUR always did have a warning sticker attached.

    >> To be honest, the AUR was part of what made EndeavourOS so attractive to
    >> me in the first place. At this point, I'll be content to use whatever is
    >> in the distribution's repository, Flatpaks or Snaps. I imagine that the
    >> last two are monitored sufficiently enough to avoid such malware issues.

    > AUR is handy with yay to automate the build process or to pull in the
    > apps that have a bin variant. The downside is what happened. PyPI, GitHub,
    > npm, and other repositories have had similar problems.

    > https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/

    I tried to install Arch once.
    It was a failed experiment but I did learn some things which is good.
    I'm using MxLinux and for me it checks all the boxes.
    The MXTools are excellent and it gets updated frequently.

    This is one reason why I use Linux exclusively. I have so many choices
    and if one doesn't work for me, there are plenty more to try.
    --
    pothead

    "Often imitated, never duplicated."

    "Socialism is the philosophy of failure,
    the creed of ignorance, and the gospel of envy.
    Its inherent virtue is the equal sharing of misery."

    -- Winston Churchill




    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From rbowman@[email protected] to comp.os.linux.advocacy on Sun Jun 14 01:14:59 2026
    From Newsgroup: comp.os.linux.advocacy

    On Sun, 14 Jun 2026 00:31:05 -0000 (UTC), pothead wrote:


    > I tried to install Arch once.
    > It was a failed experiment but I did learn some things which is good.
    > I'm using MxLinux and for me it checks all the boxes.
    > The MXTools are excellent and it gets updated frequently.

    EndeavourOS uses a modern installer but you ultimately wind up with the
    Arch repos. For kicks I tweaked fastfetch to use the Arch logo and OS.

    I just put MX/Xfce up in a virt-manager VM. I'm impressed. I've used
    Xfce before but it seemed plain vanilla and clunky. I don't have strong
    feelings but I selected SysVinit. I moved the panel to the bottom and
    tweaked the terminal to my preferred colors and it looks like home. The
    default themes etc are fine.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From pothead@[email protected] to comp.os.linux.advocacy on Sun Jun 14 01:53:34 2026
    From Newsgroup: comp.os.linux.advocacy

    On 2026-06-14, rbowman <[email protected]> wrote:
    > On Sun, 14 Jun 2026 00:31:05 -0000 (UTC), pothead wrote:


    >> I tried to install Arch once.
    >> It was a failed experiment but I did learn some things which is good.
    >> I'm using MxLinux and for me it checks all the boxes.
    >> The MXTools are excellent and it gets updated frequently.

    > EndeavourOS uses a modern installer but you ultimately wind up with the
    > Arch repos. For kicks I tweaked fastfetch to use the Arch logo and OS.

    > I just put MX/Xfce up in a virt-manager VM. I'm impressed. I've used
    > Xfce before but it seemed plain vanilla and clunky. I don't have strong
    > feelings but I selected SysVinit. I moved the panel to the bottom and
    > tweaked the terminal to my preferred colors and it looks like home. The
    > default themes etc are fine.

    I think I must have 10 different DE in my boot menu. I even installed
    fvwm after someone spoke of it. Yes I know it's ancient but I thought
    I would take a look. Not for me but others might enjoy it.

    A good thing about MXLinux is when you install a new DE, say xfce, the
    menus all get updated and aside from the look and feel, all the same
    stuff is there including any custom programs you installed.

    It's the first time I have ever seen this work seamlessly.

    IMHO MXLinux is THE distro to use if you want to try just about every
    DE available and have it all work.
    Nice.
    --
    pothead

    "Often imitated, never duplicated."

    "Socialism is the philosophy of failure,
    the creed of ignorance, and the gospel of envy.
    Its inherent virtue is the equal sharing of misery."

    -- Winston Churchill




    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From rbowman@[email protected] to comp.os.linux.advocacy on Sun Jun 14 06:31:22 2026
    From Newsgroup: comp.os.linux.advocacy

    On Sun, 14 Jun 2026 01:53:34 -0000 (UTC), pothead wrote:

    > On 2026-06-14, rbowman <[email protected]> wrote:
    >> On Sun, 14 Jun 2026 00:31:05 -0000 (UTC), pothead wrote:


    >>> I tried to install Arch once.
    >>> It was a failed experiment but I did learn some things which is good.
    >>> I'm using MxLinux and for me it checks all the boxes.
    >>> The MXTools are excellent and it gets updated frequently.

    >> EndeavourOS uses a modern installer but you ultimately wind up with the
    >> Arch repos. For kicks I tweaked fastfetch to use the Arch logo and OS.

    >> I just put MX/Xfce up in a virt-manager VM. I'm impressed. I've used
    >> Xfce before but it seemed plain vanilla and clunky. I don't have strong
    >> feelings but I selected SysVinit. I moved the panel to the bottom and
    >> tweaked the terminal to my preferred colors and it looks like home. The
    >> default themes etc are fine.

    > I think I must have 10 different DE in my boot menu. I even installed
    > fvwm after someone spoke of it. Yes I know it's ancient but I thought I
    > would take a look. Not for me but others might enjoy it.

    > A good thing about MXLinux is when you install a new DE, say xfce, the
    > menus all get updated and aside from the look and feel, all the same
    > stuff is there including any custom programs you installed.

    > It's the first time I have ever seen this work seamlessly.

    > IMHO MXLinux is THE distro to use if you want to try just about every
    > DE available and have it all work.
    > Nice.

    I'll remember that. I've hit some weirdness installing different DEs. i3
    and sway work though with i3/Cinnamon on Mint I learned to stay away from
    Cinnamon stuff. I vaguely remember fvwm.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From CrudeSausage@[email protected] to comp.os.linux.advocacy on Sun Jun 14 08:48:58 2026
    From Newsgroup: comp.os.linux.advocacy

    On 6/13/26 4:45 PM, rbowman wrote:
    > On Sat, 13 Jun 2026 07:02:29 -0400, CrudeSausage wrote:

    >> On 6/13/26 12:22 AM, rbowman wrote:
    >>> On Fri, 12 Jun 2026 21:08:12 -0400, CrudeSausage wrote:

    >>>> The Arch Linux User Repository "AUR" was hit by a large-scale malware
    >>>> campaign this week with more than 400 of these user-supplied packages
    >>>> being compromised.

    >>> Good thing I went from EndeavourOS, which uses AUR, to Leap 16 a couple
    >>> of weeks ago. AUR always did have a warning sticker attached.

    >> To be honest, the AUR was part of what made EndeavourOS so attractive to
    >> me in the first place. At this point, I'll be content to use whatever is
    >> in the distribution's repository, Flatpaks or Snaps. I imagine that the
    >> last two are monitored sufficiently enough to avoid such malware issues.

    > AUR is handy with yay to automate the build process or to pull in the
    > apps that have a bin variant. The downside is what happened. PyPI, GitHub,
    > npm, and other repositories have had similar problems.

    > https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/


    At least the malware was built in Rust! <https://lunduke.substack.com/p/rust-based-malware-hits-14-of-arch>

    Still, I've decided to remove additional repositories in Ubuntu and
    decided to rely on Snap versions of the software I want. Unless I know
    for sure that a repository was created by the publisher of the software
    and that it was recommended as the best way to install a program (like
    Brave), I'd rather just get a version I know is monitored.
    --
    CrudeSausage
    Zephyrus G14 2021 running on Ubuntu 26.04
    --- Synchronet 3.22a-Linux NewsLink 1.2