The Arch User Repository (AUR) is exposed to supply chain attacks when packages are abandoned: malicious actors can adopt orphaned packages and inject a hidden dependency (here called the 'atomic lock file'), potentially compromising users' systems with a credential stealer. Users should avoid the AUR temporarily and audit their installed packages if they suspect compromise. Because the AUR is community-maintained and decentralized, it creates supply chain attack vectors that are distinct from vulnerabilities in the core package manager.
Why you shouldn't update your AUR packages blindly right now. (or ever)
Let's take a minute to talk about what is currently going on with the AUR. A couple of days ago, there was an initial report of about 400 orphan packages that had been taken over and given a kind of nefarious dependency called the atomic lock file. The gist of this whole situation is pretty interesting. This has nothing to do with Arch itself, but rather the nature of the AUR. When a package is abandoned or orphaned, maintainers have the opportunity to kind of take it on by themselves. And this is the behavior that's actually being exploited. About 400 packages were left unattended, and these kinds of bad actors got involved and added a kind of secret npm dependency to some packages that you may not be suspecting. Users unaware of the problem who updated packages from the AUR, whether it's a dependency or the package itself, may have been compromised in this situation. Affected users now potentially have a credential stealer, among other things, and if your AUR helper was run as root, it gets a whole lot worse. But generally speaking, this spiraled out of control pretty quickly. The initial reports claimed about 400 affected packages. By the end of that first day, it was about 1,500.
The next day, by the middle of the afternoon, the Arch maintainers had said that we were all clear. All the kind of affected packages, at least at the time, had been recommenered and were considered safe. Later that night, a kind of second wave of this came. Rather than using npm as the attack vector, now it's using bun. I honestly at this moment don't know how many packages are affected. I don't know how many will be.
My general kind of advice here is to avoid the AUR for a little while unless you're ready to kind of strictly vet all of your packages. I'm not trying to fear-monger or steer anyone in any specific direction, but based on the kind of rapid evolution and the persistence of this situation, I do advise caution, and here are some steps that you can take if you think that your system may be affected. Even if it's not, it probably doesn't hurt to check.
A first good step is going to be checking for any packages outside of your kind of core Arch repositories. So this is going to be anything that you've done a package build for or installed with an AUR helper.
Check and compare against the affected packages lists that are being actively maintained. If you have been affected, that is, if you have installed any of these packages, then the steps are pretty simple. First thing, rotate your secrets and change your passwords for connected accounts; you should assume that your information has been compromised. Additionally, I would probably recommend a fresh install, as just deleting these packages is not going to be enough for removing the atomic lock file or any of the kind of things that it's up to otherwise. This is a pretty interesting situation. I think that there's kind of a lot of noise going around with this. I think to a more casual user, this is potentially kind of detrimental to Arch's reputation right now, despite the fact that this has nothing to do with the core project and rather with safe behavior in community spaces like the AUR.
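A concrete way to carry out the two checks the speaker describes (list everything installed from outside the official repos, then compare it against the published affected-package list), as an added shell example that is not from the video. The `affected-packages.txt` file name and the constructed test data are assumptions; the real list comes from the AUR/Arch announcements.

```shell
#!/bin/sh
# Added example, not code from the video. On Arch, `pacman -Qmq` prints the names
# of installed packages that are in none of the configured sync repos, which is
# exactly the set of AUR-helper and manual makepkg installs the speaker tells you
# to review. find_hits() then reports which of those names appear in a saved copy
# of the published affected-package list.

# find_hits INSTALLED_FILE AFFECTED_FILE
#   Both files hold one package name per line; the affected list may contain
#   '#' comments and blank lines. Prints matching names, sorted, one per line.
find_hits() {
    installed="$1"
    affected="$2"
    # Strip comments/blank lines, then match the installed names exactly (-x)
    # and literally (-F, so a name like 'foo.bar' is not read as a regex).
    grep -v -e '^#' -e '^[[:space:]]*$' "$affected" \
        | grep -Fxf - "$installed" \
        | sort -u
}

main() {
    # File name is an assumption: save the list from the AUR/Arch announcements here.
    affected_list="${1:-affected-packages.txt}"
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; run this on an Arch-based system" >&2
        return 0
    fi
    if [ ! -r "$affected_list" ]; then
        echo "cannot read $affected_list" >&2
        return 1
    fi
    foreign="$(mktemp)"
    pacman -Qmq > "$foreign"
    echo "Foreign (non-repo) packages installed: $(wc -l < "$foreign")"
    hits="$(find_hits "$foreign" "$affected_list")"
    rm -f "$foreign"
    if [ -n "$hits" ]; then
        echo "Installed packages that are on the affected list:"
        echo "$hits"
        return 2
    fi
    echo "No installed foreign package matches the affected list."
}

main "$@"
```

A non-empty result means the speaker's follow-up steps apply (rotate secrets, and treat removal of the package alone as insufficient); an empty result only says none of the currently listed names is installed, so re-run it as the list is updated.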