- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
… how do i make npm generally not work on Linux? I don’t use it and with how attack vectors are the majority of cases via NPM… and can be shipped as a binary to <arbitrary temp location>.
Environment variables pointing to /dev/null? Application firewall? Or would just blocking some domain/IP suffice?
sudo {package-manager} remove npm nodejs sudo {package-manager} purge npm nodejs
npm: sudo tee /usr/local/bin/npm >/dev/null <<‘EOF’ #!/bin/sh echo “npm is blocked on this system.” exit 1 EOF
sudo chmod 755 /usr/local/bin/npm
npx: sudo tee /usr/local/bin/npx >/dev/null <<‘EOF’ #!/bin/sh echo “npx is blocked on this system.” exit 1 EOF
sudo chmod 755 /usr/local/bin/npx
Might break somethings but that’s a part of boycotting something I guess.
Thanks, but
You can’t just ship a binary to a random location without knowing architecture, which is very relevant. Not everything is x86 any more. But you can do shell, and since aur is shell that should be good enough given the context of the article.