On 6/12/26 3:53 PM, Shauna Recto via tde-devels wrote:
Hi,
There has been an attack in regards to the AUR.
https://archlinux.org/news/active-aur-malicious-packages-incident/
There has been a list of all the packages affected.
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/5FDTMKA54RMWNRHJFUAKXEBAFV5WPDUL/
I don't know how you build the htdig package, but it was listed when I was checking for malicious packages. I just don't know if your package you provide would be affected by it, even though I would assume none of you use the AUR to build it.
Regards, Shauna
Shauna,
Unless you are using Arch (or one of the variants) and you are building the package from AUR, then that should not be a concern. There should not be any mainstream projects that use automated tools to pull packages from AUR and automatically incorporate them in a TDE package in a continual-integration type setup.
The AUR event is unfortunate and, thanks to the dedicated mods, appears to be largely controlled. The complete package list of reverted package commits should be https://md.archlinux.org/s/SxbqukK6IA (1579 packages and counting...)
The issue surrounds a poisoning of the build scripts (the PKGBUILD) and involves updating those files to include post-install hooks to run poisoned npm installers. npm is an over-achiever to be sure.
There shouldn't be any TDE packages hosted or pulling dependencies directly from AUR. In the past the Arch TDE packages were hosted on AUR (a decade ago?), but that is no longer the case. A quick check shows no TDE (or Trinity Desktop) packages remain on AUR. (There is a TelegramDesktop, but it is unrelated.)
Whoever maintains the Arch TDE build scripts can confirm, but this should not impact TDE.
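The reply above describes the poisoning pattern as PKGBUILDs being changed to declare install hooks that run npm at install time. The following is an added example, not part of this thread or of any Arch or TDE tooling: a small Python checker that parses a PKGBUILD and its `.install` script, reports whether an install script is declared, and flags any pacman install hook (`post_install`, `post_upgrade`, and so on) whose body invokes npm or a network fetch tool. The sample PKGBUILD and `.install` contents are constructed for illustration; the package and hook names in them are not real AUR packages.

```python
"""Added example: flag pacman install hooks that run npm or fetch tools.

Install hooks live in the .install script named by the PKGBUILD's
``install=`` line; a legitimate npm-based package runs npm in build(),
not in an install hook, so npm inside a hook is worth a human look.
"""
import re

# Hook function names pacman recognises in an .install script.
HOOK_NAMES = ("pre_install", "post_install", "pre_upgrade",
              "post_upgrade", "pre_remove", "post_remove")
# Commands that should not normally appear in an install hook.
SUSPICIOUS = re.compile(r"\b(npm|npx|curl|wget)\b")
INSTALL_LINE = re.compile(r'^\s*install=(["\']?)(.+?)\1\s*$', re.M)
FUNC_OPEN = re.compile(r"^\s*(\w+)\s*\(\)\s*\{", re.M)


def _body(text, start):
    """Return the text between the opening brace at start-1 and its
    matching close, by simple depth counting (braces inside quoted
    strings are not special-cased; good enough for a first-pass scan)."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]


def parse_hooks(text):
    """Map each pacman hook function defined in text to its body."""
    hooks = {}
    for m in FUNC_OPEN.finditer(text):
        if m.group(1) in HOOK_NAMES:
            hooks[m.group(1)] = _body(text, m.end())
    return hooks


def findings(pkgbuild_text, install_text=""):
    """Return a list of human-readable findings for one package."""
    out = []
    m = INSTALL_LINE.search(pkgbuild_text)
    if m:
        out.append(f"PKGBUILD declares install script: {m.group(2)}")
    # Hooks belong in the .install file, but scan both in case they
    # were dropped straight into the PKGBUILD.
    for name, body in {**parse_hooks(pkgbuild_text),
                       **parse_hooks(install_text)}.items():
        for line in body.splitlines():
            if SUSPICIOUS.search(line):
                out.append(f"{name}: {line.strip()}")
    return out


# Constructed sample inputs (not real AUR content).
SAMPLE_PKGBUILD = """# constructed sample
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('any')
install=example-tool.install
package() {
  install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
}
"""

SAMPLE_INSTALL = """post_install() {
  echo "thanks for installing"
  npm install -g constructed-suspicious-package
}
post_upgrade() {
  post_install
}
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_PKGBUILD, SAMPLE_INSTALL):
        print(line)
```

Run against a tree of checked-out AUR clones, the checker gives a quick triage list; the `install=` finding alone is not suspicious (many packages ship legitimate hooks), so the hook-body findings are the ones to read.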