Hundreds of orphaned packages in the Arch User Repository (AUR) have been compromised, with an attacker injecting a malicious npm dependency capable of exfiltrating sensitive data from affected systems.

The incident was reported by LWN.net, which cited a post by community member "sodiboo" containing additional information about the compromise. A list of affected packages has been published at gr.ht/aur_pkg_list.txt. The Arch Linux project is currently working to remediate the situation, with discussion taking place on the project's aur-general mailing list.

What Happened

The compromised packages — all orphaned, meaning they had no active maintainer — were modified to include a dependency on atomic-lockfile, an npm package designed to exfiltrate data from users' machines.

The AUR is a community-maintained repository of package build scripts (PKGBUILDs) that lets Arch Linux users build and install software not carried in the official repositories. Unlike the official repositories, AUR packages undergo no formal vetting before publication, and the project has long stated that users are responsible for reviewing a package's build script and its dependencies before installing anything from it.
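The review the AUR expects of its users can be partly automated for this particular indicator. The shell script below is an added example, not code from the article, LWN.net, sodiboo or the Arch project: it scans a PKGBUILD and an npm manifest for the atomic-lockfile name, and intersects the foreign-package output of pacman -Qm (the packages that did not come from the official repositories) with the published list. The list format (one package name per line), the sample PKGBUILDs, the lock file and the installed-package list are all constructed assumptions, and nothing is fetched from the network.

```shell
#!/bin/sh
# Added example, not code from the article, LWN.net, sodiboo or the Arch project.
# Assumptions (labelled): the published list at gr.ht/aur_pkg_list.txt holds one
# package name per line (a constructed copy is used here, nothing is fetched),
# and the injected dependency shows up either in a PKGBUILD's depends-style
# arrays or in an npm manifest (package.json / package-lock.json) used by the build.

MALICIOUS_DEP="atomic-lockfile"   # the npm package named in the report

# Print every line of a build script that names the dependency as a whole word
# (exit 0 = hit, 1 = clean). The whole file is searched rather than only the
# depends=() line because makepkg arrays frequently span several lines.
scan_pkgbuild() {
    grep -nwF -- "$2" "$1"
}

# Same check for npm manifests: a dependency key "name" in package.json or a
# "node_modules/name" entry in package-lock.json.
scan_npm_manifest() {
    grep -nF -e "\"$2\"" -e "node_modules/$2\"" -- "$1"
}

# Intersect installed foreign packages ($1, first column of `pacman -Qm` output)
# with the affected-package list ($2); blank lines and '#' comments in the list
# are ignored. Prints each affected installed package name on its own line.
installed_on_list() {
    awk 'NR == FNR { if ($1 != "" && $1 !~ /^#/) bad[$1] = 1; next }
         ($1 in bad) { print $1 }' "$2" "$1"
}

# Constructed sample inputs so the checks run offline.
make_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/PKGBUILD.bad" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
depends=('nodejs'
         'atomic-lockfile')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
EOF
    cat > "$sample_dir/PKGBUILD.clean" <<'EOF'
pkgname=other-tool
depends=('nodejs' 'npm')
EOF
    cat > "$sample_dir/package-lock.json" <<'EOF'
{ "packages": { "node_modules/atomic-lockfile": { "version": "1.0.0" } } }
EOF
    printf '%s\n' '# affected packages (constructed sample)' example-tool another-pkg \
        > "$sample_dir/aur_pkg_list.txt"
    printf '%s\n' 'example-tool 1.2.3-1' 'yay 12.0.0-1' > "$sample_dir/installed.txt"
    echo "$sample_dir"
}

SAMPLE_DIR=$(make_samples)

# Walk-through on the samples. On a real system point scan_pkgbuild at the
# cloned AUR package directory, and feed installed_on_list the saved output of
# `pacman -Qm` plus the downloaded list.
for f in "$SAMPLE_DIR/PKGBUILD.bad" "$SAMPLE_DIR/PKGBUILD.clean"; do
    if scan_pkgbuild "$f" "$MALICIOUS_DEP"; then
        echo "HIT: $f pulls in $MALICIOUS_DEP"
    else
        echo "clean: $f"
    fi
done
scan_npm_manifest "$SAMPLE_DIR/package-lock.json" "$MALICIOUS_DEP" || echo "no npm manifest hit"
installed_on_list "$SAMPLE_DIR/installed.txt" "$SAMPLE_DIR/aur_pkg_list.txt"
```

A name match is only a triage aid for this one indicator: a renamed or obfuscated dependency, or a payload fetched at build time from a source= URL, would not trip it. The check the AUR actually asks for is reading the PKGBUILD diff against the last version you trusted, and rebuilding or removing any installed package that the published list names.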

The incident is notable for its cross-ecosystem nature: the malicious payload was delivered not through a native Arch mechanism but through an npm package pulled in as a dependency. Similar supply-chain attacks have previously targeted language-specific registries including npm, PyPI, and crates.io, demonstrating that compromised packages in one ecosystem can affect downstream projects in others.

The Arch Linux project is currently working to clean up the affected packages, though specific remediation steps and timeline have not been publicly detailed.

