npm and python-nodejs-wheel both, but that’s only listed as a make dependency. That means it would only be required for building the package when installing and updating. If you already had balena-etcher installed and didn’t update it, you’d probably be “fine”.
However, if you look in the AUR page’s comment section, you’ll see that this package has been one hell of a mess for a while and I would have steered clear of it even in the best of times. If you absolutely must use this utility (and there are other reasons not to which I won’t get into), then I would instead download the precompiled x64 binary straight from their website.
Personally, I wouldn’t feel right at all if I’d installed the AUR package, and I would take the same measures as if the worst had occurred. There are just too many red flags.
Yeah I noticed that it was messy too around 15 days ago. Could this have been going on longer than was initially reported? It’s a fairly popular package and linked on their main GitHub page.
No, they were not - that was made up and inserted, and you have been rebutted about it every time.
If anything bin packages are more dangerous - which is a sort of known and settled concept. You know because you cannot inspect an already compiled binary.
For at least the 3rd time in this thread I will repeat and clarify that the majority of AUR packages adopted by Cachy are bin packages. This is simply true. I also have my opinions both about why this is (because it’s easier) and why it should not be (it provides little value).
Not once was it ever claimed that bin packages from the AUR were safer or immune from this kind of tampering.
No, it’s a few dozen, as we have also covered multiple times.
Also apparently? pacman is the standard.
No, that means python-nodejs-wheel was.
Though etcher itself is considered spyware and just absolutely humongous for its purported purpose.
Whatever updates have been applied to that PKGBUILD have been applied by the same account that’s been updating it since 2024.
I also do not notice many major changes in any of the recent updates except things like shasums.
If someone had installed it or updated it during the period of reported compromise would it have also installed the compromised python-nodejs-wheel package?
Just to be extra clear - you never needed to avoid upgrading the system and/or official packages.
Only third party AUR packages were in question.
( Therefore, if you rely on a GUI that combines both official and third party sources then maybe in those cases you would have wanted to disable that third party support .. and then, lacking that, I suppose you would have wanted to wait it out - if your upgrades could not be anything but combined. )
Something like sudo pacman -Syu continued to be safe.
“Safe” is also relative to your own vigilance when it comes to AUR packages. Even if this particular attack has been contained and the perpetrators’ accounts banned, it still behooves you to check pkgbuilds when updating or installing from AUR.
True but that relativism cannot possibly apply to pacman because pacman does not support the AUR.
One should always pay attention to package exchanges, including upgrades, but no such considerations for PKGBUILDs need be taken into account when using pacman because it does not process PKGBUILDs. Only the repositories.
Nothing new as far as I can tell on the mailing lists or otherwise.
There was a short spate of some being hijacked by some random Russian text added to the PKGBUILD .. just troll graffiti really .. I do not think those even got added (they were reversed but not actually contaminated by anything besides the console messages).
Or depending on the news outlet they may be behind though. It would not be the first time nothing had actually changed recently and the idea of it being a new wave was just because they were slow to pick up the original information.
I noticed some of the hijacked packages had NPM and some NPM packages added to them. I guess these attacks are in some way linked to the NPM supply chain attacks we’ve been having over the last few months?
There was use of a few slightly different techniques but they all hinged on adding some pretty obvious extra additions to the PKGBUILD utilizing something like npm or bun.
For example, one of the earliest examples was things like npm install atomic-lockfile added to post_install.
Later some others using bun would do something like bun add debug js-digest in post_install,
etcetera.
They were all very similar and yes sometimes used something like a malicious package in the npm store - which in turn would get removed and they would use something else.
Another early comment from the first hours may help further illustrate:
It ended up not being quite as simple as always exactly npm install but not by a whole lot.
The string would vary a little but the method not so much.
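As an added example (not from the thread or from any AUR package), a small POSIX shell check that flags the kind of install-time additions described above, run over a constructed PKGBUILD fragment; the package name, URL and version in the sample are made up:

```shell
# Constructed PKGBUILD fragment (made-up package, URL and version) that mimics
# the pattern described in the thread: a registry fetch slipped into post_install.
SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.0.0
pkgrel=2
arch=(x86_64)
makedepends=(npm)
source=("https://example.invalid/example-tool-1.0.0.tar.gz")
sha256sums=("SKIP")

package() {
  install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
}

post_install() {
  npm install atomic-lockfile
}'

# Commands that have no business in a PKGBUILD or .install hook: pulling code
# from a language registry at install time, or piping a download into a shell.
SUSPICIOUS_RE='^[[:space:]]*(npm (install|i) |bun (add|install) |(curl|wget) .*\|[[:space:]]*(ba)?sh)'

# audit_pkgbuild: reads PKGBUILD text on stdin and prints "lineno:content" for
# each flagged line. Exit status 1 if anything was flagged, 0 if clean, so it
# can gate a makepkg run in a script.
audit_pkgbuild() {
  hits=$(grep -nE "$SUSPICIOUS_RE" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# count_hits: number of flagged lines in the PKGBUILD text passed as $1.
count_hits() {
  printf '%s\n' "$1" | audit_pkgbuild | grep -c . || true
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_PKGBUILD" | audit_pkgbuild; then
  echo "no suspicious install-time commands found"
else
  echo "review the flagged lines before running makepkg"
fi
```

On a real system the same check would be run as audit_pkgbuild < PKGBUILD (and over any .install file) after the AUR helper has fetched the build files and before building.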
Please don’t advise people to pipe a remote shell script from the internet into bash. Although I trust @cscs 100%, this is still pretty dangerous advice for newbies, of which we have a lot here.
The better idea is that longer command in the original post, which reads a text file and compares it to some pacman output.
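The comparison described above, written as an added example rather than the command from the original post: a POSIX shell function that takes a text file of package names reported as tampered with and the output of pacman -Qm (installed foreign packages, which is where AUR installs appear) and prints the overlap. The list and the pacman output below are constructed sample data, not a statement about any particular package:

```shell
# Constructed list in the style of the thread's text file: one name per line,
# '#' comments allowed. Sample data only.
REPORTED_LIST='# packages reported as tampered with (sample data)
balena-etcher
python-nodejs-wheel
some-other-package'

# Constructed stand-in for `pacman -Qm` output ("name version" per line).
SAMPLE_PACMAN_QM='another-aur-pkg 2.3.0-1
balena-etcher 1.0.0-1
example-tool 1.0.0-2
python-nodejs-wheel 1.0.0-1'

# check_installed LIST PACMAN_QM_OUTPUT
# Prints, in pacman output order, every installed foreign package whose name is
# in LIST. Blank lines and comment lines in LIST are ignored.
check_installed() {
  printf '%s\n' "$2" | awk -v list="$1" '
    BEGIN {
      n = split(list, names, "\n")
      for (i = 1; i <= n; i++) {
        sub(/[ \t\r]+$/, "", names[i])
        if (names[i] != "" && names[i] !~ /^#/) bad[names[i]] = 1
      }
    }
    ($1 in bad) { print $1 }'
}

# check_system LISTFILE: the same check against the real machine. Exit status 1
# when any listed package is installed, so it can run from a script or cron job.
check_system() {
  found=$(check_installed "$(cat "$1")" "$(pacman -Qm)")
  if [ -n "$found" ]; then
    printf 'installed packages from the reported list:\n%s\n' "$found"
    return 1
  fi
  echo "none of the listed packages are installed"
  return 0
}

# Stand-alone run over the constructed data (prints balena-etcher and python-nodejs-wheel).
check_installed "$REPORTED_LIST" "$SAMPLE_PACMAN_QM"
```

A hit only says the package is installed, not that the installed copy is the tampered revision; the PKGBUILD and .install files that were actually built from still need to be inspected.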