this post was submitted on 13 Jun 2026
255 points (99.2% liked)

Technology

85420 readers
6332 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
255
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages (www.phoronix.com)
submitted 1 day ago by rafssunny@lemmy.zip to c/technology@lemmy.world
59 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Peter_Arbeitslos@feddit.org 31 points 1 day ago (2 children)

We're currently at 1621.

https://md.archlinux.org/s/SxbqukK6IA

[–] A_norny_mousse@piefed.zip 4 points 1 day ago* (last edited 1 day ago) (4 children)

I'm still missing any sort of in-depth info about all this.

edit: https://bbs.archlinux.org/viewtopic.php?id=313892

[–] JakoJakoJako13@piefed.social 18 points 1 day ago (1 children)

Start here. https://bbs.archlinux.org/viewtopic.php?id=313892

AUR, the Arch User Repository is under an attack. The attack vector is any orphaned package that doesn't have a current maintainer. Those packages are being taken over by a malicious group. https://redlib.catsarch.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/ If a package maintainer quits/leaves/abandons a project, anybody can take control of the package if there's been no maintainer for a certain period of time. What we're learning now is that this process could be automated and done en masse. They're modifying PKGBUILD files to use a java script installer like npm, bun, yarn, nodejs to shove malware onto a system. So if you have a package that's marked as infected and you've updated your PC using an AUR helper like yay or paru during this time without checking the PKGBUILD you could be in trouble.

What users are advised to do is not update any AUR packages until otherwise noted. Scan your systems for any packages where the PKGBUILD reports installing an atomic-lockfile, js-digest file through npm, bun, nodejs, yarn and the like. Delete those packages.

The number of infected packages has gone from 400 to 600 to 1500 in a matter of hours last night. The AUR team has been on top of it almost the moment it got recognized. The AUR has well over 100,000 packages. Last night another user ran some numbers and at the time 718 infected packages had no users at all. The most popular package is an old Gnome dependency libgdata that was dropped years ago but could still be on systems. There's a lot of old packages using ancient python2 deps that look to be infected as well. https://redlib.catsarch.com/r/archlinux/comments/1u4fzea/according_to_pkgstats_these_are_the_most_popular/ list of infected packages https://md.archlinux.org/s/SxbqukK6IA Seems like this was caught because old maintainers started getting emails about package updates to old projects they were on. Those OGs sprung into action.

[–] A_norny_mousse@piefed.zip 2 points 1 day ago* (last edited 1 day ago)

Thanks. The forum thread's beginning suggests a concerted effort around adding the line npm install atomic-lockfile to repos.

Searching for that I quickly found this: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency and related articles.

Then it seems to change to 'bun' and 'js-digest': bun add figures debug js-digest

Apparently both atomic-lockfile and js-digest are upstream npm/javascript packages that have been infected with datamining malware.

BTW, admins reported as of 12h ago it's all cleaned up.

[–] Peter_Arbeitslos@feddit.org 0 points 1 day ago

Wouldn't even suprise me if they just did it fo the lulz.

[–] ExLisper@lemmy.curiana.net -1 points 1 day ago (1 children)

They got hacked.

Use Debian. /s

[–] A_norny_mousse@piefed.zip 1 points 1 day ago (1 children)

I meant something I can read.

They got hacked.

I don't think so.

[–] caseyweederman@lemmy.ca -3 points 1 day ago

I mean
Like...
Yes?
Yes, that's what happened. That is the correct word for it.
Attackers exploited vulnerabilities in a system in order to run code on other people's machines

[–] Peter_Arbeitslos@feddit.org 0 points 1 day ago* (last edited 1 day ago)

same

[–] brokenwing@discuss.tchncs.de 2 points 1 day ago* (last edited 19 hours ago) (3 children)

What to do if I found a package I installed to be in that list? libgdata to be specific?

Edit: Seems that the libgdata package was last installed on March 05.

[–] Peter_Arbeitslos@feddit.org 2 points 1 day ago* (last edited 1 day ago)

Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you're fine.

If:

  • Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
  • Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It's supposed to be an eBPF rootkit)

(reference)

Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.

[–] ilmagico@lemmy.world 1 points 1 day ago (1 children)

Was it installed from the aur? If not, you're fine

[–] stardreamer@lemmy.blahaj.zone 3 points 1 day ago (1 children)

libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn't remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you'd inadvertently update libgdata from an AUR source if you're using an AUR helper.

[–] brokenwing@discuss.tchncs.de 1 points 19 hours ago (2 children)

Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.

Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,

grep "package_name" /var/log/pacman

For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).

[–] stardreamer@lemmy.blahaj.zone 1 points 29 minutes ago

Sounds like you got lucky. libgdata was part of the second round of attacks and was quickly reverted. It's likely you're running the last official release.

[–] gratux@lemmy.blahaj.zone 1 points 17 hours ago

You can also check the build/install date of a package with pacman -Qi

[–] A_norny_mousse@piefed.zip 0 points 1 day ago* (last edited 1 day ago)

Probably reinstall (all is supposed to be fixed as of over 12h ago). This time check the PKGBUILD and also whichever (git) repo the software is pulled from.
See if infected versions of npm packages atomic-lockfile and js-digest are installed.

See here: https://bbs.archlinux.org/viewtopic.php?id=313892