If I understand correctly the malicious payload acts during package build. Now I wonder: would using chrootbuild have saved the day in this case? I cannot find any comment about the effect on this issue of building in a chroot jail.
Posted Jun 13, 2026 0:10 UTC (Sat) by heftig (subscriber, #73632) [Link] (2 responses)
No; the malicious payload acts during package installation (post_install function running npm as root). So any system installing a compromised package will be compromised, but just building it does nothing.
Posted Jun 13, 2026 6:11 UTC (Sat) by callegar (guest, #16148) [Link] (1 responses)
Posted Jun 13, 2026 9:05 UTC (Sat) by mote (guest, #173576) [Link]
Thinking about this, as an AUR user I'm used to watching the build process abstractly flow by as you run updates. Adding the malware injection during build would probably get noticed a lot more/quicker as they were adding calls to run npm - builds would either fail (no npm installed, me) or they'd start sucking down unexpected artifacts (why is this python module doing npm things). Injecting it in the post-install logic hides it, where failures can be ignored.
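The thread's point is that pacman runs a package's install hooks (post_install and friends) as root, so a hostile hook is a much quieter place to hide an npm call than the build itself. As an added example that is not part of the LWN discussion, the script below shows the kind of pre-install check an AUR user can run over a package's .install file before handing it to pacman: it walks each hook function and flags invocations of package managers or download tools. The sample .install file is constructed here, and the list of suspect tools is an illustrative assumption rather than an authoritative one.

```shell
#!/bin/sh
# Added example, not code from the LWN thread or from any Arch tool.
# Flags install-time hooks in an Arch .install file that call tools able to
# pull code from the network; pacman runs these hooks as root.

# Hook functions pacman invokes at install/upgrade/remove time.
HOOKS='pre_install|post_install|pre_upgrade|post_upgrade|pre_remove|post_remove'
# Tools that have no business running inside a root-level install hook.
# Assumption: this list is illustrative; extend it for your own environment.
SUSPECT='npm|npx|yarn|pip|pip3|cargo|curl|wget|git'

# audit_install_file FILE
#   Prints "hook: offending line" for each suspect call inside a hook.
#   Returns 0 when nothing was flagged, 1 otherwise.
audit_install_file() {
    awk -v hooks="$HOOKS" -v suspect="$SUSPECT" '
        # A line like "post_install() {" opens a hook function.
        $0 ~ "^(" hooks ")[[:space:]]*\\(\\)" {
            hook = $1
            sub(/\(.*/, "", hook)
            next
        }
        # A closing brace in column 0 ends the current function.
        /^}/ { hook = ""; next }
        # Inside a hook, match a suspect tool used as a word on its own.
        hook != "" && $0 ~ "(^|[^[:alnum:]_-])(" suspect ")([[:space:]]|$)" {
            flagged++
            printf "%s: %s\n", hook, $0
        }
        END { exit (flagged > 0 ? 1 : 0) }
    ' "$1"
}

# make_sample FILE: writes a constructed .install file whose post_install
# hook fetches code via npm, the pattern the thread describes.
make_sample() {
    cat > "$1" <<'EOF'
post_install() {
    echo "Finishing example-package setup..."
    npm install -g example-helper
}

post_upgrade() {
    post_install
}
EOF
}

# Usage: audit the constructed sample, or a real file passed as argument.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    make_sample "$target"
    cleanup=1
fi
if audit_install_file "$target"; then
    echo "no suspect calls in install hooks"
else
    echo "suspect calls found; inspect before installing"
fi
[ -n "${cleanup:-}" ] && rm -f "$target"
```

Run it with no arguments to see the constructed sample flagged, or pass the path of a downloaded package's .install file. The check is deliberately simple (it reads the hook bodies textually and does not follow calls into other functions, so post_upgrade calling post_install is reported only once, at the npm line), and it complements rather than replaces reading the PKGBUILD and .install by hand.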