On the 16th of July, at around 8pm UTC+2, a malicious AUR package was
uploaded to the AUR. Two other malicious packages were uploaded by the
same user a few hours later. These packages were installing a script
coming from the same GitHub repository that was identified as a Remote
Access Trojan (RAT).
The Arch Linux team addressed the issue as soon as they became aware of
the situation. As of today, 18th of July, at around 6pm UTC+2, the
offending packages have been deleted from the AUR.

Seems like we have yet to really have the 9/11 moment, and the ease with which established practices can be catastrophically exploited has not been fully internalized. Or even internalized at all.

terrifying thought!