A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
    • manxu@piefed.socialEnglish
      3·
      14 days ago

      Yeah, that whole unverified developer build installation was always very risky. It’s a real shame that so many distros fail to keep up with recent packaging, and that so many development environments have super lax policies on who can post a package to their repositories.

        • manxu@piefed.socialEnglish
          2·
          13 days ago

          You are absolutely right, and it’s a shame that especially large corporations use open source without giving much back.

          Still, the setup of a lot of software repositories and package management is almost comically lax. A little extra effort might do a lot of good, is all I am saying.