Technology

85420 readers

3899 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

258

Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages (www.phoronix.com)

submitted 1 day ago by rafssunny@lemmy.zip to c/technology@lemmy.world

59 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] brokenwing@discuss.tchncs.de 2 points 1 day ago* (last edited 21 hours ago) (3 children)

What to do if I found a package I installed to be in that list? libgdata to be specific?

Edit: Seems that the libgdata package was last installed on March 05.

[–] Peter_Arbeitslos@feddit.org 2 points 1 day ago* (last edited 1 day ago)

Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you're fine.

If:

Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It's supposed to be an eBPF rootkit)

(reference)

Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.

[–] ilmagico@lemmy.world 1 points 1 day ago (1 children)

Was it installed from the aur? If not, you're fine

[–] stardreamer@lemmy.blahaj.zone 3 points 1 day ago (1 children)

libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn't remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you'd inadvertently update libgdata from an AUR source if you're using an AUR helper.

[–] brokenwing@discuss.tchncs.de 1 points 21 hours ago (2 children)

Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.

Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,

grep "package_name" /var/log/pacman

For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).

[–] stardreamer@lemmy.blahaj.zone 1 points 2 hours ago

Sounds like you got lucky. libgdata was part of the second round of attacks and was quickly reverted. It's likely you're running the last official release.

[–] gratux@lemmy.blahaj.zone 1 points 18 hours ago

You can also check the build/install date of a package with pacman -Qi

[–] A_norny_mousse@piefed.zip 0 points 1 day ago* (last edited 1 day ago)

Probably reinstall (all is supposed to be fixed as of over 12h ago). This time check the PKGBUILD and also whichever (git) repo the software is pulled from.
See if infected versions of npm packages atomic-lockfile and js-digest are installed.

See here: https://bbs.archlinux.org/viewtopic.php?id=313892