00:00:00
One of the common misconceptions I see
00:00:02
people have about Linux is that it can't
00:00:03
get viruses or that infections in a
00:00:06
Linux environment are very rare. But if
00:00:08
you stop to consider the constant news
00:00:10
stream of companies suffering data
00:00:11
breaches, more than likely one or more
00:00:14
Linux systems were compromised to either
00:00:16
gain access to sensitive data or make
00:00:18
lateral movement throughout the
00:00:20
organization's network. But the hacking
00:00:22
threat that Linux servers on the
00:00:24
internet might face is fairly different
00:00:26
from the attacks that home users using
00:00:28
Linux desktops might face. So is there
00:00:31
any hacking danger on that front? The
00:00:34
answer is absolutely yes. Never
00:00:36
underestimate a user's ability to screw
00:00:39
up their system, especially with the
00:00:41
amount of control that Linux provides.
00:00:43
So, let's take a look at this bombshell
00:00:45
that dropped in the Arch Linux AUR
00:00:47
general mailing list just a few days
00:00:50
ago. On the 16th of July around 8:00
00:00:53
p.m., a malicious AUR package was
00:00:55
uploaded to the AUR. Two other malicious
00:00:58
packages were uploaded by the same user
00:01:00
a few hours later. These packages were
00:01:02
installing a script coming from the same
00:01:04
GitHub repository that was identified as
00:01:07
a remote access Trojan or RAT. The
00:01:10
affected malicious packages are librewolf-fix-bin,
00:01:13
firefox-patch-bin, and
00:01:18
zen-browser-patched-bin. The Arch Linux team
00:01:21
addressed the issue as soon as they
00:01:22
became aware of the situation. As of
00:01:24
today, 18th of July, at around 6 p.m.,
00:01:28
the offending packages have been deleted
00:01:31
from the AUR. We strongly encourage
00:01:33
users that have installed one of these
00:01:36
packages to remove them from their
00:01:38
system and to take the necessary
00:01:40
measures in order to ensure they are not
00:01:42
compromised. I'd also like to add that
00:01:44
some more malicious packages were found.
00:01:47
Those being minecraft-cracked, ttf-ms-fonts-all,
00:01:50
vesktop-bin-patched, and ttf-ms-fonts.
00:01:55
Now, I should point out that the
00:01:57
Arch User Repository is, well, a
00:02:00
repository of packages that are put
00:02:02
together by Arch users. There's no real
00:02:05
central authority that really vets any
00:02:07
of these install scripts or binary
00:02:09
packages. Of course, you can report them
00:02:12
and if sufficient evidence of malware is
00:02:14
found, then the packages will be
00:02:16
removed, which was the case with all
00:02:18
seven of those compromised packages. But
00:02:21
installing packages from the AUR should
00:02:24
be done at your own risk. It's really
00:02:27
not much different than googling the
00:02:28
name of some software that you want to
00:02:30
install on Windows and then clicking on
00:02:32
the first link you get and installing an
00:02:34
EXE from there. Now, luckily, this
00:02:36
particular malware campaign was not very
00:02:39
sophisticated. The biggest thing that
00:02:41
gave it away was probably the fact that
00:02:43
they used a known malware payload
00:02:46
without any major modifications. So most
00:02:49
of the VirusTotal scanners were able to
00:02:51
identify the Chaos RAT Trojan that the
00:02:54
hacker implanted in these packages. All
00:02:57
packages were also created by the same
00:02:59
user who had just created their AUR
00:03:02
account quite recently and they tried to
00:03:04
promote the malware on the Arch Linux
00:03:06
subreddit claiming it fixed some problem
00:03:08
that they were having. But that user
00:03:10
account also had very little activity
00:03:12
with very low karma. So it was fishy
00:03:16
from the get-go. And the fact that the
00:03:18
user was specifically targeting Arch
00:03:20
users with such a low-effort hack makes
00:03:23
me think almost no one really actually
00:03:27
fell for this. But as desktop Linux
00:03:29
grows in popularity, these attacks are
00:03:32
going to become more common and more
00:03:35
sophisticated. Like remember what
00:03:36
happened with the XZ library? I think
00:03:39
more attacks are going to be closer to
00:03:41
that side of the spectrum than the
00:03:43
low-effort that we saw here. And the only
00:03:45
way to really combat this type of
00:03:47
security threat is going to be user
00:03:49
education in the desktop Linux space. In
00:03:53
fact, it's even more important on
00:03:55
desktop Linux because it's very rare for
00:03:58
any antivirus programs to be installed
00:04:01
there. I mean, if you use Windows, at
00:04:03
least you have Microsoft Defender as
00:04:05
sort of a last line of defense if you
00:04:07
actually do download some malware and
00:04:10
try to execute it on your system. So
00:04:12
in a way you could say that Linux is
00:04:14
even more vulnerable because well if you
00:04:17
do end up executing malware in that
00:04:19
environment there's nothing to stop it
00:04:21
other than manual user intervention. And
00:04:24
this unvetted community software problem
00:04:27
isn't just unique to Linux either. It
00:04:29
also occurs in the repository of various
00:04:31
programming languages like Python's pip,
00:04:34
crates.io for Rust, and npm for Node.
00:04:38
There are several cases of hackers
00:04:42
typosquatting popular packages, for example,
00:04:44
where they create a malicious package
00:04:46
that's spelled just a little bit
00:04:48
differently, maybe one character
00:04:50
difference from a popular package, and
00:04:52
people end up pulling down malicious
00:04:55
code into their package by just typing
00:04:57
in that pip command incorrectly, and it
00:05:00
infects their machine. And it also could
00:05:03
infect the machines of everyone else who
00:05:05
is unfortunate enough to run that
00:05:07
person's code without realizing that
00:05:10
they have brought in a malicious package
00:05:12
into the project. And this is especially
00:05:15
risky in the era of vibe coding because
00:05:18
now you have to trust your AI to not
00:05:21
pick one of those infected libraries
00:05:24
whenever you're creating a template for
00:05:26
a new project. And I know that a lot of
00:05:28
people watching this know that I'm just
00:05:30
stating the basics. Don't blindly trust
00:05:32
software. Verify its legitimacy. But
00:05:35
there's a huge influx of people being
00:05:37
exposed to software repositories in
00:05:41
Linux or through the package ecosystem
00:05:43
of whatever programming language they're
00:05:44
using to cobble together some sort of
00:05:47
automation tool with Claude or whatever
00:05:49
the day's popular LLM is, and their
00:05:53
whole prior experience to installing
00:05:55
things on a computer is to just Google
00:05:57
the name of a program, click the first
00:05:59
link, download an .exe, and then rapidly
00:06:01
click through the install wizard.
00:06:03
Unfortunately, most Linux distros are
00:06:06
designed so that user repositories
00:06:09
aren't something that's enabled by
00:06:11
default. Okay? Usually, you just have
00:06:13
the official repos, which is where you
00:06:15
typically get your Linux software from,
00:06:17
and those are supposed to have some degree of
00:04:19
vetting done. Hopefully, one or
00:06:22
more people actually looked at the
00:06:24
source code of the packages and ran them
00:06:26
in a controlled environment to see if
00:06:28
they do anything fishy. And for the user
00:06:31
repositories, you've got to kind of go out
00:06:32
of your way to enable them. But there's
00:06:34
varying degrees of difficulty with
00:06:37
enabling them. Like, for example, in
00:06:39
Manjaro you can enable the AUR in Pamac by
00:06:43
clicking on Preferences, entering your
00:06:45
sudo password, and clicking this "Enable
00:06:48
AUR support" button, which is easier for a
00:06:52
novice to do through the Pamac GUI, which is
00:06:54
pre-installed in Manjaro, by the way,
00:06:56
versus on vanilla Arch, where they would
00:06:59
have to fiddle with the command line and
00:07:01
manually install Pamac or some other
00:07:03
AUR helper in order to get access to any
00:07:06
packages in the AUR. So, just be
00:07:09
aware of this as the popularity of Linux
00:07:13
grows because so does the opportunity
00:07:15
for hackers to push malicious packages
00:07:17
into open-source repos with varying
00:07:20
degrees of sophistication. Which is why
00:07:23
the community needs to also grow along
00:07:25
with the popularity of Linux in
00:07:28
awareness and not just have more users
00:07:31
of these programs but also more eyes on
00:07:33
the actual source code and especially on
00:07:36
the build scripts that are coming from
00:07:38
places like the AUR that have more lax
00:07:41
package vetting than the default
00:07:43
repositories usually do. And the same
00:07:46
goes for Flathub, pip, and anyone
00:07:49
telling you to curl a script and just
00:07:51
pipe it into a shell. This is actually
00:07:53
one of the pet peeves I have about Rust
00:07:55
because it's like there's so much focus
00:07:58
on security with this programming
00:08:00
language because of its memory safety.
00:08:01
But the recommended way to install it on
00:08:03
Unix-like OSes is to literally pipe an
00:08:06
install script into your shell, which is
00:08:09
still convenient. I get it. And it's not
00:08:12
really a security problem if you're
00:08:13
copying the correct command from the
00:08:15
correct website. And they even make sure
00:08:17
to use an encrypted connection for the
00:08:18
curl command. But it still feels like
00:08:21
a weird installation method given the
00:08:24
context. Now, if you suspect one of your
00:08:27
machines has been infected by this
00:08:28
malware, you can check your running
00:08:30
processes for one that's named systemd
00:08:34
init, which is the process name of the
00:08:36
Chaos RAT. And if you discover the
00:08:39
malware, you'll most likely need to
00:08:41
reinstall Linux and restore from a
00:08:44
backup before any of the malicious
00:08:46
packages were installed. By the way, you
00:08:48
can check what packages are installed on
00:08:51
an Arch-based system by running
00:08:52
pacman -Q.
00:08:55
And if you enjoyed this video, please
00:08:56
like and share it to hack the algorithm.
00:08:58
And check out my online store,
00:08:59
based.win. 10% storewide discount when
00:09:02
you pay with Monero XMR at checkout.
00:09:04
Have a great rest of your day.