You can read the entire thing here - Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
But basically, hundreds of AUR packages that had not been maintained in a while were "updated" with malicious code. The motive? To steal your data. The infostealer targets Chromium-based browsers (we ship Firefox with TROMjaro, so the browser-profile part does not apply there), Electron-based applications (Element, for example, since Electron embeds Chromium), plus SSH keys, known_hosts, and shell histories. Note that using Firefox only takes you out of the browser part: SSH keys, known_hosts and shell histories are collected regardless of which browser you use. Read that article for more details.
Are you infected?
You need this script. Download it and extract the contents. In the folder, right click check_aur_infected.sh, then Properties, Permissions, and tick "Allow this file to run as a program". In the same folder, right click and open a terminal. In the terminal, run sh check_aur_infected.sh (if the script was written for bash, run it as bash check_aur_infected.sh instead; invoking it through the interpreter like this works even without the executable bit, but with the bit set you can also run ./check_aur_infected.sh directly).
My result is this:
If you see any package listed, DO NOT WORRY YET! Those packages only affected you if you installed or updated them between the 11th and 13th of June.
To check that:
Go to Add/Remove Software, click the menu, then View History, and check whether you installed or updated anything between the 11th and 13th of June. (The same history is kept in /var/log/pacman.log if you prefer the terminal.)
Then see whether any of the packages listed in your terminal output were among those installed or updated in that window.
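For those who would rather do the history check in the terminal, here is an added example (not the checker script linked above, and not part of the original post). It takes a list of package names and reports which of them pacman installed or upgraded inside a date window, reading lines in the layout of /var/log/pacman.log. The package names and the log lines embedded in it are constructed sample data, and the year in them is only a placeholder; on a real machine you feed it the names the checker printed, the real log, and the actual incident window.

```shell
#!/bin/sh
# Added example, not the TROMjaro checker script. Reports which of the given
# packages were installed or upgraded inside a date window, based on pacman.log.

# Hypothetical package names standing in for whatever the checker listed.
SUSPECT_PKGS="foo-git bar-bin baz"

# Constructed sample of pacman.log lines (same layout as the real file).
SAMPLE_LOG='[2025-06-10T09:00:00+0000] [ALPM] upgraded linux (6.14.9-1 -> 6.14.10-1)
[2025-06-11T20:15:03+0000] [ALPM] upgraded foo-git (1.2.3-1 -> 1.2.3-2)
[2025-06-12T08:01:44+0000] [ALPM] installed baz (0.9-1)
[2025-06-12T08:02:10+0000] [ALPM] installed python-requests (2.32.3-1)
[2025-06-14T11:30:00+0000] [ALPM] upgraded bar-bin (2.0-1 -> 2.0-2)'

# flag_updates "PKG PKG ..." START END  < pacman.log
# Dates are YYYY-MM-DD, inclusive. Prints "DATE PACKAGE" for each hit.
flag_updates() {
    suspects=$1
    start=$(printf '%s' "$2" | tr -d -)   # 2025-06-11 -> 20250611 for integer compare
    end=$(printf '%s' "$3" | tr -d -)
    grep -E '^\[[0-9T:+-]+\] \[ALPM\] (installed|upgraded|reinstalled) ' |
    while IFS= read -r line; do
        day=$(printf '%s' "$line" | cut -c2-11)        # skip the leading "[" and keep YYYY-MM-DD
        daynum=$(printf '%s' "$day" | tr -d -)
        pkg=$(printf '%s' "$line" | awk '{print $4}')  # 4th whitespace field is the package name
        if [ "$daynum" -lt "$start" ] || [ "$daynum" -gt "$end" ]; then
            continue
        fi
        for s in $suspects; do
            if [ "$s" = "$pkg" ]; then
                printf '%s %s\n' "$day" "$pkg"
            fi
        done
    done
}

# Runs the check over the constructed sample so the block works stand-alone.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | flag_updates "$SUSPECT_PKGS" 2025-06-11 2025-06-13
}

demo
```

On a real system the call looks like flag_updates "names from the checker" START END < /var/log/pacman.log, with the dates set to the incident window. If you want to compare against every foreign (AUR-installed) package rather than only the suspects, pacman -Qm lists them; pass its first column as the name list.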
If they were, remove them. But removing the package does not undo what its malicious install step did: the linked article describes an infostealer and an eBPF rootkit, so assume the machine is compromised, and treat the SSH keys and any credentials stored on it as stolen (rotate them from a clean machine).
Read the main article to figure out what to do next.
Since TROMjaro itself is not affected, only user-installed AUR packages, there is not much we can do to help beyond this.
We found 4 compromised packages in our TROMsite.com/apps library, which have since been removed. Hopefully no one installed them in the past 2 days.
Good luck!
Final thoughts.
AUR relies on the willingness of people to create and maintain these packages. This is fantastic, and so far it has worked well. The problem is that we live in a Trade-Based society where people are incentivized to steal. In a saner society no one, or almost no one, would want to steal your data and then use it to make money.
So keep this in mind. It is the fault of our Trade-Based society. Period.

