惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Latest
Security Latest
Recorded Future
Recorded Future
人人都是产品经理
人人都是产品经理
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Tor Project blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
T
Threatpost
T
Tenable Blog
有赞技术团队
有赞技术团队
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
C
Cisco Blogs
H
Heimdal Security Blog
Attack and Defense Labs
Attack and Defense Labs
A
About on SuperTechFans
Last Week in AI
Last Week in AI
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
I
Intezer
V
V2EX
Cyberwarzone
Cyberwarzone
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
T
The Blog of Author Tim Ferriss
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
PCI Perspectives
PCI Perspectives
P
Privacy International News Feed
D
Docker

Latest news

Why I'm recommending last year's phones over 2026 models - with one exception This powerful Gemini setting made my AI results way more personal and accurate After testing this HP laptop, I get why its 'boring' design is adored by business users The best TV antenna of 2026: Expert tested Your old iPad or Android tablet can be your new smart home panel - here's how Apple's original AirTag still tracks effectively, and you can get a 4-pack for its best price ever How to qualify for Apple's education discount - and get a $499 MacBook Neo for school T-Mobile will give you a Samsung Galaxy Watch 8 for free - how to get yours Prolonged AI use can be hazardous to your health and work: 4 ways to stay safe Verizon will give you a free iPad or Apple Watch with your next iPhone - how the deal works The best laptops of 2026: Expert tested and reviewed I hid 4 Bluetooth trackers (including AirTags) to test their reliability - here's how Android rivals compared I stopped using my iPhone's hotspot after testing this 5G router - and that won't change The best Kindles in 2026: Expert recommended Does Best Buy price match? Everything to know about matching prices online and in-store The best WordPress hosting services of 2026: Expert tested and reviewed The best Apple Watch of 2026: Expert tested and reviewed The best TV screen cleaners of 2026: Expert recommended The best 50-inch TVs of 2026: Expert tested I traded my Sonos Era 300 for Denon's new home speaker - and see no reason to go back AI-powered website builders have come a long way - here's your best option in 2026 Amazon just slashed $250 off the Google Pixel 10 - and a Prime subscription isn't required I found the apps slowing down my PC - how to kill the biggest memory hogs These companies are actually upskilling their workers for AI - here's how they do it Verizon will give you Meta Ray-Bans for free with this Fios Internet deal - how to get yours I tried the new Gemini app for Mac - it has one major advantage over the web version How Google's updated AI Mode will ease your tab clutter when you search Why this MagSafe battery pack is our readers' favorite model right now - especially at its price T-Mobile will give you a Google Pixel 10a for free - plus an extra gift OpenAI's Codex Desktop can run your computer now - and has its own browser Want to build a startup that gets acquired? This founder shares 5 proven tips Google to pay $135M settlement to Android phone users - how to claim your share if you qualify Want to stand out on LinkedIn? Try this career strategist's top 3 tips for strengthening your profile I've used Dell's new XPS 16 for a week, and it's the Windows laptop to beat in 2026 You can get 50% off YouTube Premium for 1 year right now - but the deal ends soon Tidal vs. Qobuz: I tried both hi-res streaming services, and they couldn't be more different This stroller turns into a carry on-suitcase, and I recommend it for traveling parents The best small business VoIP providers of 2026: Expert tested and reviewed Protect your devices with our pick for the best antivirus software, now over 60% off MacBook Neo vs. Surface: Why spiraling RAM prices are bruising Microsoft's PC business but not Apple's I tried Google's new desktop app for Windows, and I'll never search the old way again Microsoft's Windows 11 laptop deal for students comes with a $500 bonus - what's included You can buy an LG B5 OLED for $1,500 off at Best Buy - and it comes with a free 4K TV Why Zorin OS 18.1 is simply the best Linux distro - for anyone Why Netgear just got the first FCC router ban exemption in the US Microsoft's latest Windows update now confirms if your PC is Secure Boot-protected - how it works Can this $70 Linux app make up for the lack of Photoshop? I tried it to find out 'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source iPhone charging slowly? 6 quick fixes to try before blaming your battery Roku TV vs. Fire Stick: Why I'm looking beyond streaming resolution when comparing the two AI is getting better at your job, but you have time to adjust, according to MIT The best internal communication tools of 2026: Expert tested and reviewed Half of all US employees use AI at work now - and waste almost 8 hours a week doing it The latest Google Home update brings Gemini fixes that I'm actually excited to try again I've been subscribed to a data removal service a month now - what I wish I knew sooner You can use Linux 7.0 on these 7 distros today - here's what to expect How I share audio from my Android phone to multiple earbuds (and why it's a big deal) Why the Apple Watch's 20-minute calibration test is worth your time - especially if you're data curious Meta is selling refurbished Ray-Bans for as low as $197 right now - but they're going fast Setting a MagSafe charger on my nightstand was the iPhone upgrade I didn't know I needed I swapped my Sony WH-1000XM6 for lower-end JBL headphones, and they still sounded great I tested ChatGPT Plus vs. Gemini Pro to see which is better - and if it's worth switching I used the 'Plus Five' rule to fix my iPhone's slow wireless charging - here's how it works The new rules for AI-assisted code in the Linux kernel: What every dev needs to know 'Job seekers have to be detectives': 3 signs that listing is a scam How the latest Netrunner distro delivers a Linux productivity powerhouse This Linux distro offers an easy DNS switcher - but there's more to it that I like I tested Artix Linux: An enjoyable systemd-free distro for experienced users (and ChromeOS speeds) I spent two years testing wind power at home - here's why solar is still my preferred source I camera-tested the Samsung Galaxy S26 Ultra with Oppo and Xiaomi - this model won it for me How I boosted my portable solar panels' power by up to 30% - 11 expert-approved tips I see why Ubuntu 26.04 is more than just a performance bump for thrill-seeking gamers France is ditching Windows for digital sovereignty - and its new Linux stack is taking shape KDE Linux is the purest form of Plasma I've used in months - but there's a catch LG C6 vs. LG C5: Why the 2025 model is still the smarter OLED TV model buy for me How I disabled 'fast startup' on my Windows 11 laptop to stop overnight battery drain 30 years later, I returned to Enlightenment Linux to test the Elive beta - and it's much better Here's my favorite email trick for cleaning up inbox clutter - automatically The $30 Google TV stick may be the budget Chromecast successor we've been waiting for The best AR and MR glasses in 2026: Expert tested and reviewed This handy electric screwdriver is now 50% off - here's where to snag the deal This Ryobi yard essentials bundle packs a free power tool - how to get yours After trying these boomless headphones in the office, I'm feeling hopeful for the future of work tech I used this EcoFlow battery to run my 3,000-sq-ft home in a blackout - here's how it kept my AC on Microsoft's Windows Insider Program is no longer a confusing mess Forget Shokz: I tried the Suunto Spark earbuds for a month, and they've sold me on air conduction iOS 26.4 brings essential upgrades to your iPhone - including a vital security fix YouTube Premium is getting a price increase in June - but you can save $32 with one change Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now I walked 3,000 steps with my Apple Watch, Google Pixel, and Oura Ring - this tracker was most accurate I stopped guessing which AA batteries are dead - this charging station keeps them in check for me My favorite Android Auto find is these hidden shortcuts that are highly customizable AirDrop is coming to older Samsung phones - is yours supported? How to get it early I'm no longer using Google Photos as just a cloud storage - 5 tools that elevate the app The best data removal services of 2026: Expert tested and reviewed The best Samsung TVs of 2026: Expert tested and reviewed The best mobile scanning apps of 2026: Expert tested and reviewed The best HP laptops of 2026: Expert tested and reviewed After using Lenovo's new Yoga laptop, I'm wondering if Windows makers are running out of ideas Samsung S95H vs. Samsung S95F: I compared the OLED TVs and wasn't prepared for the upset
Malicious apps got into the Arch User Repository - how to protect yourself
Jack Wallen · 2026-06-17 · via Latest news
arch-linux
Elyse Betters Picaro/ZDNET

Follow ZDNET: Add us as a preferred source on Google.


ZDNET's key takeaways

  • The Arch User Repository was found to contain malicious apps.
  • Twice in a week's span was this discovered.
  • Users are warned to be vigilant, but there are other, easier ways.

Researchers at software supply chain management company Sonatype found that the Arch User Repository contained about 1,500 malicious packages, the company said in a blog post updated June 12.

"We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information," The Arch team said in a brief statement.

This does not bode well for a repository that was created to dramatically increase the amount of software available to Arch (and Arch derivative) users.

Also: Archcraft is a solid, super fast distro for anyone ready to move beyond beginner Linux

The AUR is essentially a way for developers to make new software available to users of Arch Linux before it is officially added to the Arch repositories. It's a collection of package descriptions (named PDKGUILDs) that make it possible to compile a package from source code using the makepkg tool and then install the package via the Arch Linux package manager, pacman.

The thing about the AUR is that anyone can upload packages to it, and a group of Trusted Users is charged with keeping tabs on what goes in.

You can see where this is going, right?

Imagine you're one of those volunteer Trusted Users charged with checking every app that is submitted to a repository. Now, imagine you're a bad actor wanting to inject malware into that repository. You obfuscate the malware, submit the app as legit, and assume the Trusted Users won't have time to dig through every line of your code. The Trusted User does a quick scan of your code and doesn't see the obfuscation.

Blamo! You've just added a malicious app to the AUR.

Within the span of one week, roughly 1,500 malicious apps made their way into the repository, which means something has to change; otherwise, Arch (and Arch-based) users aren't going to be able to trust the AUR. There have been no reports on what these malicious apps do, nor who submitted them.

Also: I've used Linux for 30 years - 4 frustrations remain, including 2 that push me back to MacOS

In the meantime, I have a few recommendations for Arch users.

Uninstall, uninstall, uninstall

First, you need to uninstall anything you've installed from the AUR, and hope that it's not too late. At the moment, I have no idea how bad the malicious code is that made it into the AUR, so there's no telling the damage it could have or did do to your system(s).

Fortunately, to remove the package, you can use pacman like so:

sudo pacman -R PACKAGENAME

Where PACKAGENAME is the package to be removed.

Once you've done that, check to ensure the package has been removed with the command:

pacman -Q

The above command will list every package installed on your system. 

Stop using the AUR

Next, stop using the AUR, at least until the developers and Trusted Users can come up with a solution to avoid this problem. After taking care of that, consider the AUR off-limits until the developers have found a way to make it safe.

After you've removed all of the packages and stopped using the AUR, do yourself a favor and use a tool like Wireshark to test for any suspicious outgoing traffic. If you spot something you don't recognize, look it up. If it's unknown or known to be related to malicious code, either block the outgoing traffic or reinstall your OS. 

Do not take any chances.

Adopt a universal package manager

In place of the AUR, install Flatpak and install apps from there. With Flatpak, you'll have tons of applications to install, so you won't miss the AUR nearly as much as you think. You can install Flatpak with the command:

sudo pacman -S flatpak

After installation, add the Flathub repository with:

flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo

You can then install anything you need, like so:

flatpak install PACKAGENAME

Where PACKAGENAME is the name of a package found on Flathub. You'll find that there are apps on Flathub that weren't available in the AUR (even proprietary apps like Spotify and Slack).

Also: After 30 years with Linux, I gave Windows 11 a chance - and found 9 clear problems

It's a shame that bad actors can ruin something for everyone. While Arch Linux is a remarkably secure OS, the AUR is a different story. I've never been one to depend on the AUR (in fact, I rarely use it), so this doesn't affect me nearly as much as it might affect those who do.

To fix this issue, I would suggest that the AUR needs a much better system for verifying the integrity of submitted software. I realize that some would consider that an affront to what the AUR has been for years, but if issues like this continue, the AUR will wind up becoming a barren wasteland. 

Nearly 2,000 malicious apps within a week is nothing to look away from. And even if the devs can issue an all-clear every time malicious apps are discovered, at some point, no one is going to trust the AUR, so something dramatic has to change.

Even this Reddit thread from five years ago illustrates that this problem has been a concern for a long time. It also highlights the fact that the onus is on the user to check everything they install. To that, I would say, how are you going to attract new users if they are expected to inspect software they want to use for malicious code? The answer… You can't.

Open Source