7+ hours into this and still no mention on archlinux.org webpage nor on aur.archlinux.org. Why??? AUR should have been blocked until user takes action to prove he knows about this.
Eg. change AUR API URL slightly so yay/yaourt users need to look up what is going on. New API should have infrastructure for informing users and making sure they've read the message before proceeding. Especially when they're not even sure that all malware was found.
Also there should be database of revoked/compromised AUR commits and there should be mechanism to warn user if they had it installed.
No it shouldn't. You don't break everyone's workflow just because some people refuse to take basic security advise seriously.
> New API should have infrastructure for informing users and making sure they've read the message before proceeding.
How would that even work? AUR packages are just git repos, everything that AUR helpers are doing or not doing is not under the control of the arch maintainers.
> How would that even work?
Are you seriously asking how would sharing short text notes over internet work?
If you need to be 100% git-centric, you can have git repo for messages. Client will then remember last commit displayed to user and refuse to continue unless latest message was displayed.
BTW some AUR clients displayed ArchLinux RSS feed before... Too sad the issue is not even mentioned in the RSS feed...
There's no shortage in ideas of how to make the AUR easier to moderate. A "quarantine button", an invite system, a request system for adoption similiar to how orphan requests work, code review attestations similiar to cargo-crev, pacing controls similiar to those in discourse.
There is a shortage however of people skilled enough to implement them (with available time to do so).
What we also don't have a shortage of is angry people in comment sections.
People have all right to be angry if basic responsible adult things like "quarantine the server spreading large amounts of malware" do not happen within the reasonable timespan that passed.
Not even a news. A hint. Nothing. Radio silence.
___
There is a house. It is currently on fire (since over 24h). So far, people have talked about how, conceptually, house fires are bad.
You can still enter the house just fine.
People saying "hey what about locking the door to not trap more people in it" are being shunned for the crime of breaking someones workflow.
The owner of said house is nowhere to be seen.
Passerbys stating "oh my god that house is on fire! get water!" are either ignored or reminded that there is no problem and they should move along.
___
Idk man. I don't think any of this is real.
And I don't even use arch, lol. And after this thing exposed the institutional rot, neither should you or really anyone.
Unless you like ending up locked inside a house fire. I guess they provide warmth in the cold harsh reality of the 2026 internet.
The server actually hosting the rootkit executable is npmjs.com, run by a for-profit company, and they still take about 24h to act on our reports, while reported AUR packages have been processed in about 1-2h by people that work unrelated dayjobs on top of this, to self-subsidize their open source work.
Sorry you're displeased with us not writing blogposts faster on top of all this. The situation is already exhausting enough without people like you.
Look, man, I understand all that, but pulling the plug is something that takes at most 90s. Let's say 300s to add the "Warning: There is an attack. We're working on it. Systems are down for now" box
After that, you have all the time in the world to prioritize dayjobs etc.
It's not about dropping everything and fixing the root cause. It's just about taking stuff offline so that the immediate danger is mitigated.
That is not too much to ask. It's not "people like me" having weird opinions there.
Shut it down. Then fix whenever there is time to do so.
___
But hey. Finally a statement from someone with some amount of position in the org I guess?
I wouldn't want to be in your shoes for sure, but that's beside the point. Nothing here is unreasonable other than the ostrich-style incident response lack-of-process.
And I don't mean stupid corporate process. I mean "common sense adults are in the room" process. Throw waterbucket at burning server reflex.
___
I mean I can see that your userbase absolutely sucks and could imagine that one would be scared of getting roasted for "interrupting their workflow", but this is not the way.
Their workflow is irrelevant.
As said, I'm all here for maintainer empathy, but only after the fire is put out first.
___
Anyway, "institutional rot" is not an insult but a diagnosis. I'd love to be proven wrong on that, but I don't see it.
And trust me, I do know first hand how thankless this non-job is and what hell one goes through. I have skin in the game. I just don't have a horse in the arch race.
"Hey, let's take down all of npm, because there's a package that installs something malicious, and some people may install it without reviewing it first. The thousands of other people relying on this service can wait."
Do you not realize how crazy of an request that is?
You do realize that the people relying on the service also get served wormable malware, right?
The service is already disrupted. It is not that a disruption could be _avoided_. The discussion makes no sense.
___
Hell, even if I would be completely wrong in that assessment (not sure how, but let's assume that's the case)
You can still put up a banner. "Hey, FYI: We're under attack".
If not right away, then at the very least the moment media reports on it. And if media reported wrong, the banner says "Don't worry people. Media got it wrong."
> You do realize that the people relying on the service also get served malware, right? The service is already disrupted.
Huh? No they don't. I'm not sure what part of the attack your misunderstood, but most people are going to be completely unaffected by this. None of the infrastructure or anything like that got compromised. I updated my AUR packages 2 hours ago, and didn't get served any malware.
Again, there's probably some kind of malware on npmjs at any given time. You don't just shutdown the entire server because of that, that's madness.
As said, I don't think discussing this makes sense, as our perceptions of reality seem to be fundamentally incompatible.
But regardless, let's try a different perspective: PR/Public perception
The moment multiple well-known media outlets start publishing a story stating that "stuff is happening", the situation changes.
At that point, regardless of how you personally feel about this, the narrative is "people are affected".
This forces your hand. Which is not(!) to say that it would mean that you would have to accept what the media says. The media could be full of shit talking nonsense. *But* at that point, you need to either correct them, or do the correct action as per their narrative.
____
I don't think that PR/Public perception is the main relevant perspective here - in fact I'm just mentioning it, because all the much stronger much more technical arguments seem to be lost on you.
But there you go.
Your argument makes no sense, because "ackschually I'm unaffected" is just russian roulette survivorship bias, but even if it _would_ make sense, the system logic of the next outer layer cans that take.
____
Anyway. The fact that people (not just you, mind you) are so busy playing "well ackschually" while there is an active wormable attack going on is precisely why I said "institutional rot". Although, I think I need to correct that to "cultural rot".
Priorities are broken. The wrong metrics are being optimized here.
I would love to hear more about this from the actual Arch maintainers instead of random users with opinions, but.. not sure where that communication would be. I didn't find any. And I did go looking!
___
Edit 50m later:
https://archlinux.org/news/active-aur-malicious-packages-inc...
Thank you!
You seem confused about how the AUR works. There is no "client" like you're talking about that can show the user anything.
There are AUR helpers, but these are completely unaffiliated with arch and the people running the AUR. The canonical, recommended way of installing arch packages is cloning a git repo, reading through the sources and then building it with makepkg. There is no client there that could show the user anything.
how comes gitlab shows custom messages to my plain old git client then?
for example when you rename gitlab repository, or push to new branch, gitlab injects custom text that you can see. Eg. with new URL or where you can create merge request on web, etc...
I assume you're talking about the "remote: " messages? I've only ever seen those on push operations, not sure if they're even available for clone.
Maybe they'd be an option, but then the whole "making sure they've read the message before proceeding" part goes out the window.
Even people who do read the content of every AUR package they install could use a helpful heads up and some detail in the new threat they should be looking for.
If a package is compromised, I think most people would prefer their workflow be broken than risk installing that package.
Now acknowledged: https://archlinux.org/news/active-aur-malicious-packages-inc...
I think a notice on the front page of the AUR would make sense here. IMHO, a blurb on the Arch homepage with a link to a notice on the AUR page would also help.
If you don't want to list all known effected packages, at least recommend the official position that anyone using a AUR package should be reading every file of every package they use.
IMO if numbers on Socket.dev can be trusted, then impact seems rather small (luckily). It also makes sense — I know some packages from the affected list, they're heavily outdated and their upstreams aren't maintained anymore.
Other than this — I don't know how many there are affected people in total, but AUR team probably has an exact number. I am also sure, they're doing their best to handle it accordingly to the impact.
It is a bit disappointing to not see any mention anywhere official.
I know its all volunteer work and extremely not fun at the moment, but it feels weird to not even have some sticky-no-reply on the AUR sub forum with a list of compromised packages. You have to instead try and scrape them up from around threads like here or reddit.
Are you paying maintainers for that, or are you just blindly demanding things from a piece of software maintained by volunteers before saying iT'S sO uNprOfEsSiOnAL ?
Thanks for mentioning that, maybe that's where i can start: https://archlinux.org/donate/