I wasn't hit according to the public script but I am definitely rethinking my use of Arch and most certainly refraining from the AUR as much as possible going forward. This is far too many events in such a small period of time for me.
I feel like this always happens to npm specifically. They're definitely doing something wrong 💀
Could happen with pip too.
it's the way it's been setup; it needs a thorough revamping to make it as resilient as other supply chains.
not that other chains are bullet proof, it's just that npm people need to up their game to be atleast as good as the others.
To potentially prevent this entire class of npm attacks in the future, you could edit
/etc/pacman.conf, uncomment
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg =
And set it to IgnorePkg = npm
Your system should prompt you to accept installing npm because it's in the ignore list. These packages set it as a dependency, so that gives you a chance to notice that something's off and refuse the install. This assumes you don't already have npm installed or need it for some reason.
edit: word is that bun command is being abused as well and may be worthwhile including in the space separated list:
IgnorePkg = npm bun
I want to call to your attention this article by Marcus Ranum titled "The six dumbest ideas in computer security" and within it, the section #2 on "enumerating badness".
This is what you try here.
To be fair, basic checks should be done not just make account and in next 10 seconds accept abandoned package and publish malware.
Me, a Debian user watching that shitshow 😎
Me, an Arch user (btw), watching the NPM chaos on any distro...
Me an arch user who hasn't booted their computer in over a week 🙂
That's okay, just be very careful updating rather manually.
attempt to download npm-based payloads during installation
Why npm and not python? It's installed on every arch system and wouldn't bring unnecessary attention 🤷
Because the NPM is a complete mess and it's super easy to exploit for supply-chain attacks by sneaking malware into one of the billion dependencies required by most popular packages.
But if you look at some of the packages, they explicitly added npm as a new dependency. It'd be much easier to sneak in a python script.
AUR "packages" are just a recipe file that runs some commands that sources packages from somewhere else and builds them then puts them in the format required by the AUR package manager.
Normally it's a source tarball downloaded directly from the project's Git repo. But it can also fetch and install a binary package (for closed source software). Or it can install Node modules, or Python modules etc.
Point is, you can't inject a script directly in AUR itself. You could add the malicious code directly to the recipe file but it would be obvious. You could also download a zip with the malware directly, but it would also be obvious.
So what they do is add the malware to modules published on another platform, and they're downloaded indirectly, as a dependency of the Nth grade.
It's very hard to detect, you can't really notice this kind of attack with a glance at the recipe.
I see. Thanks for the explanation.
this is like the 4th npm vulnerability in months, they used that because npm is shit and easy to exploit
What a terrible article.
"Multiple" packages mentioned in the title, but they're unable to actually name more than one in the article...
//edit
Actually, they did leave a link to the mailing list thread at the very end.
I should learn to read the entire article...
I was wondering why you felt that way 😅 Usually this source produces good content lol
That's another reason I like cachyos: they have a curated list of aur pkgs in their repo.
I too use CachyOS. But i am very new to it. Why are we more 'protected' than straight up Arch users? I like Cachy, but have a gripe with how some applications behave, especially Java based Apps, that have a native installer in AUR (not building from source). I have one application that is built in JAVA, and the text is so freaking small, all the pop-up windows open on the wrong place which makes the pointer inaccurate etc. But I digress. The question was more why should we feel more relaxed than the Arch guys and gals?
It's like having a "double check" from a trusted source, they compile selected stuff from the aur so I suppose it's a little more safe for the random user.
This is propably because app does not support fractional scaling. Some apps that does not support fractional scaling will either not be scaled (rendered at native display resolution), or scaled by system (will look blurry because window resolution does not match display resolution).
That makes sense. What is weird though is the dev wrote the app for multiple platforms, including Debian, RPM-based and a few others. So it not like it is one of those ‘compile only from source and good luck to yah’ kinda apps.
But thank you for the response. I do appreciate you taking the time!
.... how do i make npm generally not work on Linux? I don't use it and with how attack vectors are the majority of cases via NPM... and can be shipped as a binary to .
Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?
sudo {package-manager} remove npm nodejs sudo {package-manager} purge npm nodejs
npm: sudo tee /usr/local/bin/npm >/dev/null <<'EOF' #!/bin/sh echo "npm is blocked on this system." exit 1 EOF
sudo chmod 755 /usr/local/bin/npm
npx: sudo tee /usr/local/bin/npx >/dev/null <<'EOF' #!/bin/sh echo "npx is blocked on this system." exit 1 EOF
sudo chmod 755 /usr/local/bin/npx
Might break somethings but that's a part of boycotting something I guess.
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0