About 400+ packages in the Arch User Repository were compromised with malware.
This thread is a wake-up call NOT to fully trust community-submitted packages /or/ the blanket statement that Linux is 'more secure'. A big enough platform will entice bad actors.
lists.archlinux.org/archives/lis...
And then there are corporate, sterile UIs that can't let designers express or impart any sort of artistic detail. These I also don't like, because I also believe that computing is as much form as it is function. I /loved/ Aqua used in OSX, because it had tiny details never visible in modern UI.
We aren't done yet with the AUR attacks. Another pattern has been reported, and this one is /just/ a little bit more elaborate. It's still a similar supply-chain attack.
This one uses bun to fetch nextfile-js, one of the infostealers used in previous attacks.
lists.archlinux.org/archives/lis...
One of the aches that people always bring up regarding Linux is the community. And that's fair, Linux communities are always a toss-up: you either meet people that'll deliberately troubleshoot with/for you, or people that'd dismiss your struggles with "well, don't use Linux like WinDOOZE."
However, if you do use AUR, you can run the following command:
pacman -Qm
After that, you should scan through packages listed in that thread and compare against the list that the command above printed out. The command will list packages that were installed from outside your system's repository.
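An added example (not from the thread) of automating that comparison in POSIX shell: it takes the output of `pacman -Qm` and a plain-text advisory list (one package name per line, as copied from the mailing-list thread) and prints the foreign packages that appear in both. The package names embedded below are constructed placeholders, not real compromised package names.

```shell
#!/bin/sh
# Added example, not from the original thread. Cross-checks foreign packages
# (pacman -Qm: packages not found in any configured repository) against a
# list of package names taken from an advisory.

# Constructed sample of `pacman -Qm` output ("<name> <version>" per line).
# Names are placeholders, not real AUR packages.
SAMPLE_QM='yay 12.4.2-1
example-tool-bin 1.0.0-3
another-pkg-git r42.abc123-1
harmless-font 2.1-1'

# Constructed advisory list, one package name per line (placeholders).
SAMPLE_ADVISORY='example-tool-bin
another-pkg-git
unrelated-pkg'

# find_matches QM_OUTPUT ADVISORY_LIST
# Prints, sorted and de-duplicated, every foreign package whose name is in
# the advisory list. Only the first whitespace-separated field of each
# advisory line is used, so "name" and "name version" formats both work.
find_matches() {
    printf '%s\n' "$1" | awk -v adv="$2" '
        BEGIN {
            n = split(adv, lines, "\n")
            for (i = 1; i <= n; i++) {
                sub(/\r$/, "", lines[i])            # tolerate CRLF lists
                split(lines[i], f, /[[:space:]]+/)
                if (f[1] != "") bad[f[1]] = 1
            }
        }
        NF > 0 && ($1 in bad) { print $1 }
    ' | sort -u
}

# count_matches QM_OUTPUT ADVISORY_LIST -> number of matching packages
count_matches() {
    find_matches "$1" "$2" | grep -c .
}

# check_system ADVISORY_FILE: run the comparison on the live machine.
# Exits non-zero when at least one listed package is installed.
check_system() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found" >&2; return 2; }
    hits=$(find_matches "$(pacman -Qm)" "$(cat "$1")")
    [ -z "$hits" ] && { echo "no listed packages installed"; return 0; }
    echo "INSTALLED PACKAGES NAMED IN ADVISORY:"; echo "$hits"; return 1
}
```

Usage: `check_system /path/to/advisory-list.txt`; a non-zero exit means at least one listed package is present and should be removed and investigated.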
So, once again, I say this: please be careful with AUR. Vet and verify. Just because you run Linux does not mean you're magically immune to malware, because all it takes is one little carelessness like that for your system to be vulnerable.
Essentially, we're seeing this new wave escaping the usual grep/regex detection by /slightly/ obfuscating the command used to fetch the infostealer package. It's not a complex method of obfuscation -- you can even decipher it by looking at it -- but it does place an obstacle when regex is used.
Now, if you use Arch (or its derivatives, like CachyOS and SteamOS) /but/ you've never invoked yay, paru, or similar AUR helpers, then you should be fine. Similarly, if you've never used AUR in general, you're in the clear too.
There are two sides in me: one that loves UI with personality (yes, this goes out to you, Aero, Luna, and Aqua fans) and one that understands the accessibility constraints that arose from those designs.
It's not that we can't do both, but somehow we've collectively agreed that this is an either-or.
There are weird UIs that look charming, but are a UX nightmare -- think terrible keyboard navigation, bad navigation flow, and menus that only make sense once you've downed a couple shots of Chartreuse. These I don't like, because I firmly believe in accessible computing for everyone.