278
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages
(www.phoronix.com)
I use Debian btw
this post was submitted on 13 Jun 2026
278 points (99.3% liked)
Technology
85503 readers
5160 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
I've seen AUR warned against often, also by Arch team members.
I never thought it was a huge deal, but apparently anything that can be attacked will be attacked nowadays.
This is what happens when a shit load of packages that just sit around basically unmaintained are allowed to sit around.
Maybe injecting the infections made it look like they were maintained? 😋
I start to wonder if we need something sitting between extra and aur, few more trusted maintainers and well secured update process that’s more than the aur Wild West
Also, some sort of yay hook to do some scanning for suspicious diffs and warning or skipping those packages…
I don’t want / need a system where I can blindly update everything, but something to help me avoid having to visually check every package diff would be nice
Yes that would be nice, but I'm not sure that is possible.
Their first option is possible for sure. Just something like the AUR, but that you need a proven record (either on the AUR or on something else) to post. That shouldn't be too hard.
I feel like this could be a use for LLMs that isn’t slop. It’s not going to catch everything of course but I imagine it would be a whole lot better than nothing
Yeah if your machine can be added to a botnet then it will be. Resistance is futile, we are Borg style.
We're currently at 1621.
I'm still missing any sort of in-depth info about all this.
Start here. https://bbs.archlinux.org/viewtopic.php?id=313892
AUR, the Arch User Repository is under an attack. The attack vector is any orphaned package that doesn't have a current maintainer. Those packages are being taken over by a malicious group. https://redlib.catsarch.com/r/archlinux/comments/1u3tn4e/tons_of_new_infected_aur_packages_were_just/ If a package maintainer quits/leaves/abandons a project, anybody can take control of the package if there's been no maintainer for a certain period of time. What we're learning now is that this process could be automated and done en masse. They're modifying PKGBUILD files to use a java script installer like npm, bun, yarn, nodejs to shove malware onto a system. So if you have a package that's marked as infected and you've updated your PC using an AUR helper like yay or paru during this time without checking the PKGBUILD you could be in trouble.
What users are advised to do is not update any AUR packages until otherwise noted. Scan your systems for any packages where the PKGBUILD reports installing an atomic-lockfile, js-digest file through npm, bun, nodejs, yarn and the like. Delete those packages.
The number of infected packages has gone from 400 to 600 to 1500 in a matter of hours last night. The AUR team has been on top of it almost the moment it got recognized. The AUR has well over 100,000 packages. Last night another user ran some numbers and at the time 718 infected packages had no users at all. The most popular package is an old Gnome dependency libgdata that was dropped years ago but could still be on systems. There's a lot of old packages using ancient python2 deps that look to be infected as well. https://redlib.catsarch.com/r/archlinux/comments/1u4fzea/according_to_pkgstats_these_are_the_most_popular/ list of infected packages https://md.archlinux.org/s/SxbqukK6IA Seems like this was caught because old maintainers started getting emails about package updates to old projects they were on. Those OGs sprung into action.
Thanks. The forum thread's beginning suggests a concerted effort around adding the line npm install atomic-lockfile to repos.
Searching for that I quickly found this: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency and related articles.
Then it seems to change to 'bun' and 'js-digest': bun add figures debug js-digest
Apparently both atomic-lockfile and js-digest are upstream npm/javascript packages that have been infected with datamining malware.
BTW, admins reported as of 12h ago it's all cleaned up.
load more comments
(5 replies)
What to do if I found a package I installed to be in that list? libgdata to be specific?
Edit: Seems that the libgdata package was last installed on March 05.
Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you're fine.
If:
- Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
- Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It's supposed to be an eBPF rootkit)
Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.
Was it installed from the aur? If not, you're fine
libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn't remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you'd inadvertently update libgdata from an AUR source if you're using an AUR helper.
Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.
Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,
grep "package_name" /var/log/pacman
For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).
Sounds like you got lucky. libgdata was part of the second round of attacks and was quickly reverted. It's likely you're running the last official release.
You can also check the build/install date of a package with pacman -Qi
load more comments
(1 replies)
A couple of weeks ago, some dingbat of an AUR admin orphaned a package of mine, ignoring the comment I left on it and my post to the mailing list.
Even though this package, to my knowledge, didn’t end up being attacked, I wonder if this was a potential precursor to the recent attack…
load more comments
(2 replies)
I got a notification about a package that changed the maintainer that looks rather suspicious to me... So i would still be careful...
https://aur.archlinux.org/account/svantehedlund
That user doesn't seem to be blocked... So there might still be more going on.
Very normal looking. /s
Thank god they're only niche packages, right?
Does anyone know if the NixOS packages are safer from these types of attacks? As far as I know many packages are missing maintainers.
I read a reddit thread about this.
Basically they are significantly safer because the review process is tedious and the PRs take ages to get reviewed. More over the read-only nature of the nix store make most of those techniques useless. You cannnot just take over packages the AUR way.
Moreover, if you use third party nix flakes, you are still safer because they are tied to a specific github repo, so if it gets forked by malicious actor you won't get that update.
However you are still prone to upstream malware. That is nixpkgs probably won't add malware but it could be there before packaging.
Yesterday that was 400 packages, now it's 1500.
Tomorrow 3000 ?
"I use arch btw" lmao
Arch and AUR are not really the same. To be fair AUR is the fanfiction version that fits inside the story. But you have to purposely work to use it. So it's not Arch that was compromised.
load more comments
(2 replies)
I use AUR BTW!
lmao
view more: next ›