[Slackbuilds-users] Arch User Repository compromise
David O'Shaughnessy
lists at osh.id.au
Fri Jun 12 04:35:19 UTC 2026
It seems there have been a few SBo updates pushed lately not by the actual maintainers too (and maybe others that maintainers might have even missed)... probably we need some GPG-style identity verification?
On Fri, 12 Jun 2026, at 3:41 AM, jay wrote:
> Hi all,
> the Arch User Repository (AUR, basically Arch Linux' SBo) has been used
> as a malware (infostealer) vector today.
>
> I'm posting this to say we should be extra vigilant with the work of new
> maintainers taking over packages at this time. I propose the admins
> should ask the list if they're not sure about a submission or don't have
> the capacity to sufficiently check it.
>
> mode of operation:
> > The newest maintainer for the alvr AUR package has made a commit that
> > adds npm packages to what is quite clearly not a npm project. As well as
> > replaced the email addresses of previous maintainers with their own
> > while keeping the same name as the latest committer. More can be seen
> > from the comments of various users since this update has been pushed.
> –https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/2LGBF2AZBPVCCY4VTN6DOVUNNBURFJ2J/
>
> more info:
> https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/