255
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages
(www.phoronix.com)
this post was submitted on 13 Jun 2026
255 points (99.2% liked)
Technology
85420 readers
6332 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm still missing any sort of in-depth info about all this.
edit: https://bbs.archlinux.org/viewtopic.php?id=313892
Start here. https://bbs.archlinux.org/viewtopic.php?id=313892
AUR, the Arch User Repository is under an attack. The attack vector is any orphaned package that doesn't have a current maintainer. Those packages are being taken over by a malicious group. https://redlib.catsarch.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/ If a package maintainer quits/leaves/abandons a project, anybody can take control of the package if there's been no maintainer for a certain period of time. What we're learning now is that this process could be automated and done en masse. They're modifying PKGBUILD files to use a java script installer like npm, bun, yarn, nodejs to shove malware onto a system. So if you have a package that's marked as infected and you've updated your PC using an AUR helper like yay or paru during this time without checking the PKGBUILD you could be in trouble.
What users are advised to do is not update any AUR packages until otherwise noted. Scan your systems for any packages where the PKGBUILD reports installing an atomic-lockfile, js-digest file through npm, bun, nodejs, yarn and the like. Delete those packages.
The number of infected packages has gone from 400 to 600 to 1500 in a matter of hours last night. The AUR team has been on top of it almost the moment it got recognized. The AUR has well over 100,000 packages. Last night another user ran some numbers and at the time 718 infected packages had no users at all. The most popular package is an old Gnome dependency libgdata that was dropped years ago but could still be on systems. There's a lot of old packages using ancient python2 deps that look to be infected as well. https://redlib.catsarch.com/r/archlinux/comments/1u4fzea/according_to_pkgstats_these_are_the_most_popular/ list of infected packages https://md.archlinux.org/s/SxbqukK6IA Seems like this was caught because old maintainers started getting emails about package updates to old projects they were on. Those OGs sprung into action.
Thanks. The forum thread's beginning suggests a concerted effort around adding the line
npm install atomic-lockfileto repos.Searching for that I quickly found this: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency and related articles.
Then it seems to change to 'bun' and 'js-digest':
bun add figures debug js-digestApparently both atomic-lockfile and js-digest are upstream npm/javascript packages that have been infected with datamining malware.
BTW, admins reported as of 12h ago it's all cleaned up.
Wouldn't even suprise me if they just did it fo the lulz.
They got hacked.
Use Debian. /s
I meant something I can read.
I don't think so.
I mean
Like...
Yes?
Yes, that's what happened. That is the correct word for it.
Attackers exploited vulnerabilities in a system in order to run code on other people's machines
same