Hacker News

sam_lowry_ today at 4:09 PM, 2 replies

As someone already explained in a sibling comment, Arch Linux AUR packages are simple shell scripts that download source code from upstream, apply patches and install.

I review them every time I have to install from AUR.


Replies

bawolff today at 4:15 PM

And what if upstream is problematic? Even if it stops this particular attack, reading just the AUR file feels like fighting yesterday's war. I don't think advice to the effect of "just read the parts of the code that have been used in attacks in the past, but blindly trust everything else" makes a lot of sense.

Slothrop99 today at 4:59 PM

If I understand, the malware is installed via npm from some subshell. But yeah, I totally believe you have a detailed review of every package-lock.json, etc.

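The point both replies make is that a PKGBUILD can look clean in its source=() array while a build() or package() step shells out to npm, pip, curl or git and pulls in code the reviewer never saw. The check below is an added example, not code from the thread or from Arch; it flags such lines in a constructed sample PKGBUILD so they can be inspected before makepkg runs, and the sample package name, URL and checksum are placeholders.

```sh
#!/bin/sh
# Constructed sample: sources are pinned and checksummed, but build() runs
# npm inside a command substitution, which fetches code the PKGBUILD never lists.
SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
source=("https://example.invalid/example-tool-1.2.3.tar.gz")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000")
build() {
  cd "$srcdir/$pkgname-$pkgver"
  # comment mentioning npm install should not be flagged
  $(npm install --production)
  make
}'

# Constructed clean sample: everything it needs is in source=().
CLEAN_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
source=("git+https://example.invalid/example-tool.git#tag=v1.2.3")
sha256sums=("SKIP")
build() {
  cd "$srcdir/$pkgname"
  make
}'

# Print "line:text" for each non-comment line that invokes a package manager or
# network client; these are the places where code arrives outside source=().
# Exit status is that of the final grep: 0 if any hit survives, 1 if none.
find_hidden_fetches() {
    printf '%s\n' "$1" \
      | grep -nE '(^|[^[:alnum:]_./-])(npm|yarn|pnpm|pip3?|cargo|gem|curl|wget|git)([[:space:]]|$)' \
      | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of flagged lines, as a bare integer (wc pads on some systems).
count_hidden_fetches() {
    find_hidden_fetches "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed samples.
printf 'sample PKGBUILD flagged lines: %s\n' "$(count_hidden_fetches "$SAMPLE_PKGBUILD")"
find_hidden_fetches "$SAMPLE_PKGBUILD"
printf 'clean PKGBUILD flagged lines: %s\n' "$(count_hidden_fetches "$CLEAN_PKGBUILD")"
```

A hit is a prompt to read what that command pulls in (for npm, the lockfile and the install scripts it triggers), not proof of malice; the source=() array and quoted URLs are deliberately not matched, since those are what a PKGBUILD review already covers.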