[Slackbuilds-users] Arch User Repository compromise
Willy Sudiarto Raharjo
willysr at slackbuilds.org
Fri Jun 12 05:49:00 UTC 2026
>It seems there have been a few SBo updates pushed lately not by the
>actual maintainers too (and maybe others that maintainers might have
>even missed)... probably we need some GPG-style identity verification?
>
>On Fri, 12 Jun 2026, at 3:41 AM, jay wrote:
>> Hi all,
>> the Arch User Repository (AUR, basically Arch Linux' SBo) has been
>> used as a malware (infostealer) vector today.
>>
>> I'm posting this to say we should be extra vigilant with the work of
>> new maintainers taking over packages at this time. I propose the
>> admins should ask the list if they're not sure about a submission or
>> don't have the capacity to sufficiently check it.
>>
>> mode of operation:
>> > The newest maintainer for the alvr AUR package has made a commit that
>> > adds npm packages to what is quite clearly not a npm project. As well as
>> > replaced the email addresses of previous maintainers with their own
>> > while keeping the same name as the latest committer. More can be
>> > seen from the comments of various users since this update has been
>> > pushed.
>> – https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/2LGBF2AZBPVCCY4VTN6DOVUNNBURFJ2J/
>>
>> more info:
>> https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/
Thanks for the info.
We are aware of such a situation, but unless we force all maintainers to
submit updates via github/gitlab, this kind of situation is easy to
reproduce, since you just need to know the maintainer's email in order to
submit new updates on behalf of the original maintainer.
Another thing is that we do weekly updates, so everyone can review the
current week's progress at https://slackbuilds.org/ready/ before it's
merged.
--
Willy Sudiarto Raharjo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: OpenPGP digital signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20260612/47bcbb69/attachment.asc>