[craftkiller]

True, but looking at a compromised PKGBUILD[0], it looks like it is installing "atomic-lockfile" and "figures". I think 99% of people reading the PKGBUILD would assume those are legit dependencies needed by the program. It's not like it was running "npm install 1337hax0r". Which is why you need to read the source for both "atomic-lockfile" and "figures" (and literally everything else).

[0] https://aur.archlinux.org/cgit/aur.git/commit/?h=pass-cli&id...

[codemac]

It adds npm as a dependency, to a go build?

It changes the contributor email?

to install random npm packages?!

in /tmp?! in post_install()??! With a new random contributor email????

Archlinux is focused on enabling a specific type of user, and certainly ones that can read bash scripts, and understand reasonable depedencies vs unreasonable ones. And even then - this is specifically in the AUR and not a package the distro directly offers.

[craftkiller]

> It adds npm as a dependency, to a go build?

Programs often invoke other programs through the exec* family of syscalls. For example, git is written in C but it ships with perl dependencies. It is not unreasonable to assume pass-cli added a runtime dependency on a program written in javascript. Regardless, we're talking hundreds of AUR packages have been compromised, I'd be shocked if none of them were javascript-based programs. Perhaps pass-cli was simply a bad example for me to choose.

> It changes the contributor email?

I think this is the 2nd most sus change, but even so, I have changed email addresses over the years so it isn't completely unreasonable.

> in /tmp?!

And yes, this is the most sus change.

[Ferret7446]

I'm not sure if you're trying to strawman or are inexperienced.

No, this in no way or shape looks like installing a legitimate dependency to the target audience (expert users). This is a package manager, you don't install dependencies via post_install.