168
The security situation with the Arch Linux AUR got a lot worse
(www.gamingonlinux.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 14 Jun 2026
168 points (94.7% liked)
Linux
65851 readers
774 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
The command
pacman -Qmwill display every package from the AUR on your system. You can then search the list of compromised packages.To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I'll run it just to check and sometimes it finds packages.
When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they'll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they'll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they'll just sit unused on your install. If you haven't tried -Qm in a long while you'll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don't have installed.)
Obviously -Qm will also show removed packages that aren't dependencies, a few years back my preferred pdf viewer was removed from the repositories.
-Qm will also find manually installed packages that aren't in the AUR if you ever do that.
And don't forget that a system compromise means you need to re-install all in order to re-gain control of your system. Without the malware of course.
Edit: I see downvotes... Some people don't seem to understand why running malware permanently destroys a system's integrity. I do not have more time today - can somebody explain for me why?
Here are some scripts that can help too
(Edit: apparently i need to say to read and understand what these scripts are doing before running them. If you don't understand what you're running then don't run them) https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
You suggest people to run more untrusted code in order to fix malware from untrusted code?
Is this a joke?
I haven't checked the scripts from OP, but i think there is a script that is provided by the CachyOS team that basically just contains a list of compromised packages and compares that to your pacman -Qm output. If it finds a match, it tells you that the compromized package X is on your system. That seems pretty reasonable.
I get your point and as always, you should check the source of the script as well as the code inside of it. Never installing anything outside of official OS repositories is probably not an option for most people. There are always pros and cons. Like in my example maybe some OS maintainers know more about the affected packages than I do with a quick search. On the other hand, the script might be outdated because the number of packages changed a lot over the last few days.
So, the CachyOS maintainers suggest running untrusted code?
Noice. I don't need to know more.
In which way is it untrusted? If you use CachyOS, you use their binaries, that could contain anything at all inside of them. Do you draw the line at a shelll script you can read yourself?
You can just check it and it wouldn’t be untrusted anymore…
You could inspect the script, it should be a one line shell command
I don't use CachyOS nor do I know anything about their team and I haven't used the script either. My point was just that I would trust OS maintainers more than some random guy on the internet.
I have checked again and it seems the script I was referring to was actually from a mod on their community forum. Not sure if this is a maintainer as well or not.
My point still stands, if you trust the source and checked the code that nothing shady is going on, it is perfectly fine to run a script. Even if it is just an additional check after you cleaned it manually. Maybe you have missed something.
You are right that the distribution as it provides binary code is a trust root. If you can't trust them, you have nothing to stand on.
I had the impression that CachyOS suggests to use AUR packages - maybe I am wrong here?
And if CachyOS is (what I am just assuming) geared towards less technical users, can you really expect their average user to examine shell scripts from a forum post?
How do their users even know that the post and its author is legitimate? Are they supposed to check PGP keys?
You can call that paranoid but there is a reason why distributions use packkage signing, publish webs of trust, and why the Guix developers even worked hard to reduce the binary bootstrapping code for the distro down to 512 bytes - it is a consequence of the "trusting trust" problem posed by Ken Thompson that the more stuff is opaque, the more trust is needed.
I have no idea about the stance of CachyOS on AUR packages.
I totally agree with you, establishing trust is not an easy problem. I don't expect the average joe to understand shell scripts. I would put myself in that categorie as well. This one however was simple enough that it seemed okay to me. If I don't understand what's going on in a script I am really careful and try to avoid it, if possible. I still wouldn't consider them universally bad. For some things it is even the recommended install option. I vaguely remember some things in the Raspberry Pi universe ( IIRC this was even the case for Docker in the past).
There are multiple factors which can lead to trust. Maybe you know the CachyOS forum and how well it is maintained. How old is the account etc.. But as you said, there are always risks. The account could be compromized as well. But most of that isn't specific to shell scripts or Linux in general. You shouldn't install an application from some shady website in Windows either.
What is your recommended way to deal with the current situation?
What do you think this does, in bash:
I appreciate your effort and really enjoy the discussion. Most of your suggestions are probably a good idea for the future, but they are not really a solution for a potentially infected system right now.
You can pull out the big gun as well and purge all AUR packages entirely or even reinstall your system, but their might be an easier solution.
Without looking it up, I wouldn't have had a clue. It looks somewhat purposefully obfuscated but used in the right context, I am not sure I would have picked up on it. Maybe you are right and I should reconsider my approach.
The only solution for an infected system is to re-install it from scratch, because the integrity of the system is broken. And without any AUR packages, because they can't be secured in the current form.
They are the source of the code... They are a trusted source so the code... Is trustable code.
How are you this fucking stupid. Or do you think the cachy team is a bunch of bad actors? At which point HOW ARE YOU THIS STUPID?!
Is it best to uninstall all the supporting files too. Semes like there is an option to do that.
Or just uninstall all AUR packages, instead of waiting for your ones to appear on that list, and having to re-install your full system to ensure its integrity.
I had more aur packages than I thought but none in the list. Is this just known ones and there could be more?
Of course. A compromised package can't be on the list if it's unknown. Hopefully not, but there's still a possibility