On 5/27/26 5:11 PM, Claudia Pellegrino wrote:
Hi Velocifyer,
browsh-bin now installs a sketchy NPM package despite it previously not
needing NPM. See <https://aur.archlinux.org/cgit/aur.git/commit/?h=browsh-bin>
Thanks for the report! I confirm that the commit was malicious. It has
been reverted and the user suspended.
Regards
Claudia
You guys/gals are doing a great job, but I suspect we will have to go
do some type of "confirmed identity policy" for all AUR accounts.
The days of giving the benefit of the doubt, and an account with commit
privileges, to every anonymous/randomized e-mail are unfortunately over.
I don't know what form this ID validation can take, but the
proliferation of supply-chain attacks and AUR package poisonings
necessitates something. At minimum, unless the to-be maintainer is
willing to provide their full and verifiable name and location on the
account, that should be segregated for further review. Currently AUR is
simply too easy for any malicious actor to adopt a package and push
poisoned dependencies as part of the PKGBUILD.
You all know far better than I what is doable in this process, so I'll
leave it in your safe hands, but did feel this is worth a comment and
further discussion.
This is why we just can't have nice things anymore. The internet was
such a welcoming place in the early '90s :(
--
David C. Rankin, J.D., P.E.
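The kind of change described in this thread (a -bin package suddenly pulling an NPM package at build time) is something a reviewer can check for mechanically when a PKGBUILD update lands. The following is an added example, not code from the thread or from any Arch/AUR tooling; it diffs the dependency arrays and flags newly introduced network-fetching commands between two PKGBUILD revisions. The two PKGBUILDs, the version number and the package name `example-package` are constructed placeholders modelled on the browsh-bin report.

```python
"""Flag risky changes between two PKGBUILD revisions (added example)."""
import re

DEP_ARRAYS = ("depends", "makedepends", "checkdepends", "optdepends")

# Commands that download and run third-party code during build()/package().
# In a -bin package that only repacks a release artifact, these are unexpected.
NETWORK_FETCH = re.compile(
    r"\b(npm|npx|pip3?|gem|cargo|go)\s+(install|get|i)\b"   # package managers
    r"|\bcurl\b.*\|\s*(ba)?sh"                               # curl ... | sh
)


def parse_deps(text):
    """Return {array_name: set(of entries)} for each dependency array."""
    deps = {}
    for name in DEP_ARRAYS:
        m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
        body = m.group(1) if m else ""
        deps[name] = set(re.findall(r"['\"]?([^\s'\"]+)['\"]?", body))
    return deps


def fetch_lines(text):
    """Lines that invoke a network-fetching build command."""
    return {ln.strip() for ln in text.splitlines() if NETWORK_FETCH.search(ln)}


def risky_changes(old, new):
    """List human-readable findings introduced by the new revision."""
    findings = []
    old_deps, new_deps = parse_deps(old), parse_deps(new)
    for name in DEP_ARRAYS:
        for dep in sorted(new_deps[name] - old_deps[name]):
            findings.append(f"new {name}: {dep}")
    for line in sorted(fetch_lines(new) - fetch_lines(old)):
        findings.append(f"new network fetch: {line}")
    return findings


# Constructed sample revisions (placeholder version and package name).
OLD_PKGBUILD = """pkgname=browsh-bin
pkgver=0.0.0
depends=('firefox')
package() {
  install -Dm755 "$srcdir/browsh" "$pkgdir/usr/bin/browsh"
}
"""
NEW_PKGBUILD = OLD_PKGBUILD.replace("depends=('firefox')", "depends=('firefox' 'npm')").replace(
    "package() {\n", 'package() {\n  npm install --prefix "$pkgdir/usr/lib/browsh" example-package\n')

if __name__ == "__main__":
    for finding in risky_changes(OLD_PKGBUILD, NEW_PKGBUILD):
        print(finding)
```

Running it on the sample revisions reports the added `npm` dependency and the new `npm install` line; an unchanged PKGBUILD yields no findings.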