Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?
The reported commit [1] suggests to me that it was an account compromise of some sort, not orphan+adopt: the committer is the same in git, but the contact email changes in the PKGBUILD.
This doesn't necessarily seem 'more elaborate': it is attempting to be better obfuscated against automated checks at the cost of being very obvious to anyone doing even a cursory review of the install scripts. It's also likely something that would be caught instantly by even an extremely naive LLM, as seems to have been the case here. There's simply no legitimate reason why an install script would ever do something like this:
I'm not certain that the git committer tells you the full story. I don't believe the AUR enforces that the git commit email is the same as the current maintainer email. So this could have been an orphan package, adopted by a malicious user, generated a malicious commit with the previous maintainer's git info.
Unfortunately, I don't see a way of viewing the ownership history of a package in the AUR. I know you get emails with ownership changes if you're subscribed to a package, but I don't see this info in the web interface anywhere.
Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.
Well, both give you 6 months of access. Out of interest I applied some time ago and (despite maintaining a few fairly important OSS projects) never got a response from them. Of the other maintainers I know, it seems to me that they decide who to give access to fairly randomly.
Is there any information on if this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?
The reported commit [1] suggests to me that it was an account compromise of some sort, not orphan+adopt: the committer is the same in git, but the contact email changes in the PKGBUILD.
This doesn't necessarily seem 'more elaborate': it is attempting to be better obfuscated against automated checks at the cost of being very obvious to anyone doing even a cursory review of the install scripts. It's also likely something that would be caught instantly by even an extremely naive LLM, as seems to have been the case here. There's simply no legitimate reason why an install script would ever do something like this:
[1]: https://aur.archlinux.org/cgit/aur.git/commit/?h=htbrowser-b...I'm not certain that the git committer tells you the full story. I don't believe the AUR enforces that the git commit email is the same as the current maintainer email. So this could have been an orphan package, adopted by a malicious user, generated a malicious commit with the previous maintainer's git info.
Unfortunately, I don't see a way of viewing the ownership history of a package in the AUR. I know you get emails with ownership changes if you're subscribed to a package, but I don't see this info in the web interface anywhere.
Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.
Both already do that. The AUR stuff is more of a policy issue and unmatched expectations, unrelated to llms imo
Well, both give you 6 months of access. Out of interest I applied some time ago and (despite maintaining a few fairly important OSS projects) never got a response from them. Of the other maintainers I know, it seems to me that they decide who to give access to fairly randomly.