• arsCynic@beehaw.org · 62 upvotes · edited · 2 days ago

    The title is misinformation. It should be “someone made a RAT downloadable on Arch Linux” because the Arch User Repository (AUR) ≠ official repository. From the Arch wiki:

    The Arch User Repository (AUR) is a community-driven repository for Arch Linux users. It contains package descriptions (PKGBUILDs) that allow you to compile a package from source with makepkg and then install it via pacman. The AUR was created to organize and share new packages from the community and to help expedite popular packages’ inclusion into the extra repository. This document explains how users can access and utilize the AUR.

    A good number of new packages that enter the official repositories start in the AUR. In the AUR, users are able to contribute their own package builds (PKGBUILD and related files). The AUR community has the ability to vote for packages in the AUR. If a package becomes popular enough — provided it has a compatible license and good packaging technique — it may be entered into the extra repository (directly accessible by pacman or from the Arch build system).

    Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

    • Zikeji@programming.dev · 9 upvotes · 2 days ago

      I’m not quite sure why I keep seeing this news in various forms, yet Flathub gets fake crypto wallets and that only shows up on my feed once.

  • Ooops@feddit.org · 19 upvotes, 1 downvote · edited · 2 days ago

    “There’s a RAT in Arch Linux” (because someone made one downloadable in the Arch User Repository) is about the same level of nonsense as telling the story of how Windows ships with hundreds of viruses because those can indeed be freely downloaded as .exe files from the Internet, which you can access via Windows. 🤣

    Now that I think about it… It’s even worse. You cannot actually get an AUR package without explicitly installing the tools to get them (and most likely reading the disclaimers and warnings for using the AUR on the way), while you can in fact download and execute malicious content with the pre-installed Windows tools.

    • INeedMana@piefed.zip · 4 upvotes, 1 downvote · 2 days ago

      It was AUR. The way AUR works is that there is a PKGBUILD file that tells pacman how to compile a package from scratch. It can be created in a way where nothing gets compiled, only a precompiled binary is downloaded (like from GitHub releases). So it was not a package in the purely Arch sense. With those PKGBUILDs out of the AUR, the malicious binaries only sit on their GitHub, or wherever they were hosted, and are not reachable via alternative package managers (pacman, the official one, doesn’t offer AUR at all).
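The comment above describes the mechanism that matters here: a PKGBUILD is a bash script, and it can skip compilation entirely and simply fetch a prebuilt binary. The script below is an added example, not something posted in this thread and not an Arch tool; it is a static pre-installation review of a PKGBUILD that reads the file as text (it deliberately never sources it, since sourcing would run the script) and flags the traits a reviewer would want to look at before running makepkg: no build() function, a release-asset URL in source=(), curl/wget calls that fetch outside of source=(), and checksums set to SKIP. The two sample PKGBUILDs, their URLs and the checksum value are constructed for the example; the heuristics are this example's assumptions, not Arch policy, and a hit means "read this before installing", not "this is malware" (plenty of legitimate -bin packages have no build()).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): static pre-installation review of an
# AUR PKGBUILD. The file is only read as text and never sourced, because a
# PKGBUILD is a bash script and sourcing it would execute its contents.
set -u

# audit_pkgbuild FILE
# Prints one line per finding; returns 0 if nothing was flagged, 1 otherwise.
# Heuristics (assumptions for this example, not Arch policy):
#   - no build(): nothing is compiled, the package only delivers source=() content
#   - release-asset URL or binary extension in source=(): a prebuilt artifact
#   - curl/wget in the script: a download that bypasses source=() and its checksums
#   - 'SKIP' in a checksum array: the fetched artifact is not integrity-pinned
audit_pkgbuild() {
  local file=$1 flagged=0

  if ! grep -Eq '^[[:space:]]*build[[:space:]]*\(\)' "$file"; then
    echo "no build(): package installs without compiling anything"
    flagged=1
  fi

  # Collect the source=( ... ) array, which may span several lines.
  local sources
  sources=$(awk '/^[ \t]*source(_[a-z0-9_]+)?[ \t]*=[ \t]*\(/{inarr=1}
                 inarr{print}
                 inarr && /\)/{inarr=0}' "$file")
  local asset_re="releases/download/|\\.(AppImage|bin|run)(['\"]|[[:space:]]|$)"
  if printf '%s\n' "$sources" | grep -Eq "$asset_re"; then
    echo "source=() points at a prebuilt release asset"
    flagged=1
  fi

  # Ignore comment lines; match curl/wget as whole words.
  if grep -Eq '^[[:space:]]*[^#]*(^|[^A-Za-z0-9_])(curl|wget)([^A-Za-z0-9_]|$)' "$file"; then
    echo "curl/wget in the script: download outside of source=(), not checksummed"
    flagged=1
  fi

  if grep -Eq "^[[:space:]]*(md5|sha1|sha256|sha512|b2)sums(_[a-z0-9_]+)?=.*'SKIP'|^[[:space:]]*'SKIP'" "$file"; then
    echo "checksum set to SKIP: fetched artifact is not integrity-pinned"
    flagged=1
  fi

  return "$flagged"
}

# count_findings FILE -> number of findings printed by audit_pkgbuild
count_findings() {
  audit_pkgbuild "$1" | awk 'END { print NR }'
}

# Two constructed PKGBUILDs for demonstration (names, URLs, hash are made up).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
CLEAN_PKGBUILD="$tmpdir/PKGBUILD.clean"
SUSPICIOUS_PKGBUILD="$tmpdir/PKGBUILD.suspicious"

cat > "$CLEAN_PKGBUILD" <<'EOF'
pkgname=exampletool
pkgver=1.2.0
pkgrel=1
source=("https://example.org/src/${pkgname}-${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

cat > "$SUSPICIOUS_PKGBUILD" <<'EOF'
pkgname=exampletool-bin
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/owner/repo/releases/download/v${pkgver}/exampletool-linux-x86_64.tar.gz")
sha256sums=('SKIP')
package() {
  install -Dm755 "$srcdir/exampletool" "$pkgdir/usr/bin/exampletool"
  curl -fsSL -o "$pkgdir/usr/bin/exampletool-helper" https://example.invalid/helper
}
EOF

for f in "$CLEAN_PKGBUILD" "$SUSPICIOUS_PKGBUILD"; do
  echo "== $(basename "$f")"
  audit_pkgbuild "$f" && echo "nothing flagged" || echo "-> review before makepkg"
done
```

The check is intentionally conservative and text-based: it does not try to evaluate the bash in the PKGBUILD, so obfuscated or generated URLs would slip past it; its job is to surface the cheap signals (no compilation step, unpinned downloads, fetches in package()) that the thread points out, so that a human reads the file rather than piping it straight into makepkg.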

      • drspod@lemmy.ml · 1 upvote · 2 days ago

        Yes but I think the commenter is saying that if a person had installed this package, removing the package in the package manager is probably insufficient to remove the infection from the machine.

        • INeedMana@piefed.zip · 2 upvotes · 2 days ago

          Ah. Yeah, nuke it from orbit. Since this was a RAT, it had local execution powers and the attackers knew exactly which distro they were targeting, so they could have used some security vulnerability to get root and even replace the kernel in the worst case. Hopefully not microcode insertion, so the hardware could be OK.

          But then, it wasn’t an attack on an existing package. So the question is how many people actually downloaded those.