this post was submitted on 13 Jun 2026
257 points (99.2% liked)

Technology

85420 readers
3944 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
257
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages (www.phoronix.com)
submitted 1 day ago by rafssunny@lemmy.zip to c/technology@lemmy.world
59 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] JakoJakoJako13@piefed.social 18 points 1 day ago (1 children)

Start here. https://bbs.archlinux.org/viewtopic.php?id=313892

AUR, the Arch User Repository is under an attack. The attack vector is any orphaned package that doesn't have a current maintainer. Those packages are being taken over by a malicious group. https://redlib.catsarch.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/ If a package maintainer quits/leaves/abandons a project, anybody can take control of the package if there's been no maintainer for a certain period of time. What we're learning now is that this process could be automated and done en masse. They're modifying PKGBUILD files to use a java script installer like npm, bun, yarn, nodejs to shove malware onto a system. So if you have a package that's marked as infected and you've updated your PC using an AUR helper like yay or paru during this time without checking the PKGBUILD you could be in trouble.

What users are advised to do is not update any AUR packages until otherwise noted. Scan your systems for any packages where the PKGBUILD reports installing an atomic-lockfile, js-digest file through npm, bun, nodejs, yarn and the like. Delete those packages.

The number of infected packages has gone from 400 to 600 to 1500 in a matter of hours last night. The AUR team has been on top of it almost the moment it got recognized. The AUR has well over 100,000 packages. Last night another user ran some numbers and at the time 718 infected packages had no users at all. The most popular package is an old Gnome dependency libgdata that was dropped years ago but could still be on systems. There's a lot of old packages using ancient python2 deps that look to be infected as well. https://redlib.catsarch.com/r/archlinux/comments/1u4fzea/according_to_pkgstats_these_are_the_most_popular/ list of infected packages https://md.archlinux.org/s/SxbqukK6IA Seems like this was caught because old maintainers started getting emails about package updates to old projects they were on. Those OGs sprung into action.

[โ€“] A_norny_mousse@piefed.zip 2 points 1 day ago* (last edited 1 day ago)

Thanks. The forum thread's beginning suggests a concerted effort around adding the line npm install atomic-lockfile to repos.

Searching for that I quickly found this: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency and related articles.

Then it seems to change to 'bun' and 'js-digest': bun add figures debug js-digest

Apparently both atomic-lockfile and js-digest are upstream npm/javascript packages that have been infected with datamining malware.

BTW, admins reported as of 12h ago it's all cleaned up.