Arch Linux’s AUR package repository has been found to contain malware, hidden in one of its user-submitted packages. The malicious code was removed as soon as the AUR team intervened. The incident was possible because the AUR allows users to take over and contribute to abandoned packages.
The malicious code was found on Saturday, when a user noticed that an account using the pseudonym “xeactor” had taken over a package named “acroread”, which lets Arch users view PDF files.
The Git commit log shows that the newly packaged malicious code downloads a file named “~x” from ptpb.pw, a lightweight site for sharing small text files, and then executes another file named “~u”. The main purpose of the “~x” file is to modify the system’s systemd configuration, adding a timer that runs the “~u” file every 360 seconds.
The “~u” script collects the date, time, machine ID, CPU information, Pacman (package manager) information and the full output of the commands “uname -a” and “systemctl list-units”.
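The persistence described above is a systemd timer that re-runs a dropped script on a short interval. As an added example (not code from the article or from the AUR project), the following audit parses a .service/.timer pair and flags the traits a defender would look for: an ExecStart outside the usual binary directories, an odd executable name such as “~u”, and a short OnUnitActiveSec beacon interval. The unit texts, paths and the 900-second threshold are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Directories where a packaged service executable is expected to live;
# anything else (home dirs, /tmp, odd subdirs of /usr/lib) is flagged.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib/systemd")
TIME_UNITS = {"": 1, "s": 1, "sec": 1, "min": 60, "m": 60, "h": 3600, "hr": 3600}


def parse_unit(text):
    """Parse systemd unit text into {section: {key: value}} (last value wins)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def interval_seconds(span):
    """Convert a systemd time span such as '360', '6min' or '1h 30min' to seconds."""
    return sum(int(n) * TIME_UNITS.get(u, 1) for n, u in re.findall(r"(\d+)\s*([a-z]*)", span))


def audit_timer(service_text, timer_text, max_interval=900):
    """Return a list of findings for one .service/.timer pair; empty means clean."""
    svc = parse_unit(service_text).get("Service", {})
    tmr = parse_unit(timer_text).get("Timer", {})
    findings = []
    # Drop systemd's ExecStart prefixes (-, @, :, +, !) and keep the executable path.
    tokens = svc.get("ExecStart", "").lstrip("-@:+!").split()
    exe = tokens[0] if tokens else ""
    if exe and not any(exe.startswith(d + "/") for d in TRUSTED_DIRS):
        findings.append(f"ExecStart outside trusted directories: {exe}")
    if exe and PurePosixPath(exe).name[:1] in ("~", "."):
        findings.append(f"odd executable name: {PurePosixPath(exe).name}")
    if "OnUnitActiveSec" in tmr and interval_seconds(tmr["OnUnitActiveSec"]) <= max_interval:
        findings.append(f"high-frequency beacon: OnUnitActiveSec={tmr['OnUnitActiveSec']}")
    return findings


# Constructed sample units (not taken from the incident) mimicking the described
# behaviour: a dropped '~u' script re-run every 360 seconds, beside a benign pair.
SUSPECT_SERVICE = "[Unit]\nDescription=update\n\n[Service]\nType=oneshot\nExecStart=/usr/lib/.cache/~u\n"
SUSPECT_TIMER = "[Timer]\nOnBootSec=1min\nOnUnitActiveSec=360\n\n[Install]\nWantedBy=timers.target\n"
BENIGN_SERVICE = "[Service]\nType=oneshot\nExecStart=/usr/bin/fstrim -av\n"
BENIGN_TIMER = "[Timer]\nOnCalendar=weekly\nPersistent=true\n"
```

On a live host the same function can be fed the contents of each unit pair under /etc/systemd/system and ~/.config/systemd/user, which is where a timer-based persistence mechanism of this kind would have to be installed.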
The AUR team has also said it found similar code in other packages:
- acroread 9.5.5-8
- balz 1.20-3
- minergate 8.1-2
The malicious code changes were reverted and xeactor’s accounts were suspended. AUR packages are user-submitted packages for Arch Linux, separate from the official repositories. This is one of a number of cases this year in which user-contributed software repositories have been affected by some form of malware.