submitted 23 hours ago* (last edited 23 hours ago) by brokenwing@discuss.tchncs.de to c/linux@lemmy.ml

Decided to create a thread for tracking and sharing the news and opinions on the new Malicious Atomic Arch NPM Campaign, in which more than 1600 Arch Linux AUR packages were hijacked to deploy an infostealer and an eBPF rootkit.

Find the infected packages: https://md.archlinux.org/s/SxbqukK6IA

Most popular packages on the affected list

Package              Popularity   Affected                  Reverted
libgdata             16.98%       2026-06-11 14:59+00:00    2026-06-11 17:30+00:00
python-future         5.38%       2026-06-11 15:58+00:00    2026-06-11 16:54+00:00
gdl                   3.36%       2026-06-11 13:35+00:00    2026-06-11 17:32+00:00
libquvi-scripts       2.31%       2026-06-11 15:05+00:00    2026-06-11 17:33+00:00
libquvi               2.22%       2026-06-11 15:04+00:00    2026-06-11 17:33+00:00
gtkimageview          2.19%       2026-06-11 13:44+00:00    2026-06-11 17:33+00:00
python2-pyparsing     2.02%       2026-06-11 14:23+00:00    2026-06-11 17:40+00:00
python2-appdirs       1.96%       2026-06-11 14:22+00:00    2026-06-11 17:26+00:00
compiler-rt19         1.95%       2026-06-11 14:23+00:00    2026-06-11 17:30+00:00
python2-packaging     1.90%       2026-06-11 14:21+00:00    2026-06-11 17:38+00:00
wine-nine             1.86%       2026-06-11 15:48+00:00    2026-06-11 21:36+00:00
clang19               1.86%       2026-06-11 15:36+00:00    2026-06-11 21:24+00:00
clang15               1.76%       2026-06-12 12:34+00:00    2026-06-12 12:54+00:00
mono-addins           1.69%       2026-06-11 15:33+00:00    2026-06-11 21:34+00:00
python2-chardet       1.68%       2026-06-12 12:42+00:00    2026-06-12 14:48+00:00
python-monotonic      1.55%       2026-06-11 15:43+00:00    2026-06-11 21:37+00:00
python2-cffi          1.47%       2026-06-12 12:44+00:00    2026-06-12 15:10+00:00
alvr                  1.26%       2026-06-11 13:54+00:00    2026-06-11 16:50+00:00
python2-gobject       1.23%       2026-06-12 12:44+00:00    2026-06-12 14:47+00:00
vidcutter             1.03%       2026-06-11 13:24+00:00    2026-06-11 17:43+00:00

Learn more about the attack: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency.

brucethemoose@lemmy.world 14 points 22 hours ago

Reposting this for visibility:

https://github.com/lenucksi/aur-malware-check

It analyzes your pacman install history, and some other things, for a more accurate check. Very useful.

jwt@programming.dev 1 point 13 hours ago

Not a dig at you or the script author, but I'm kinda miffed we're relegated to running some rando github user's bash scripts to check if we're affected. This is the direct opposite response one should have to this kind of attack. I feel the AUR maintainers should have been more forthcoming about what they are doing to stop the attack and how users can mitigate the consequences if affected.

brucethemoose@lemmy.world 2 points 13 hours ago* (last edited 13 hours ago)

That was my immediate reaction, too. And “why did I only find out on Lemmy!?”

AUR is hosted on archlinux.org, after all.

…But to be fair, the AUR was always “use at your own risk.” Its PKGBUILDs are supposed to be manual scripts, not automated with yay/paru. But still, it’s ultimately malware hosted on Arch Linux’s domain, through a huge security hole (the two week orphaned package thing).

It’s possible my downstream distro (CachyOS) sent some kind of alert through pacman or published some utility, but I am away from my desktop until tonight, so I haven’t checked in a while.

Tetsuo@jlai.lu 1 point 13 hours ago

How else would you have wanted to be warned?

In my opinion that's the other side of the privacy coin.

What happens on my system is only for me to check. And in that case that means I'm on my own to be aware of its current state.

I mean the cachyos devs or the AUR maintainer have in some way by design no way to reach me. And creating some kind of malware monitoring or scanning tool included by default would be against the ethos of the OS...

So it's up to each user to determine if they want to use random scripts or just read the blog of their OS and do everything manually. There isn't an adequate universal solution there.

brucethemoose@lemmy.world 1 point 13 hours ago* (last edited 13 hours ago)

Notifications for individual package updates do come through pacman. They could also put a checking tool into CachyOS Hello, which is shipped and pops up by default.

And I’ve definitely gotten “urgent” text notifications that all-but-required manual action through pacman.

I do generally agree with you though. The responsibility to pay attention is on the user with Arch. It’s part of the contract, and why it isn’t for everyone.

Tetsuo@jlai.lu 1 point 10 hours ago* (last edited 10 hours ago)

They could also put a checking tool into CachyOS Hello, which is shipped and pops up by default.

What would this "checking tool" look like? What would it check?

I personally deactivated the opening CachyOS Hello a long time ago. Why would I need that popup once I've set up everything?

And I’ve definitely gotten “urgent” text notifications that all-but-required manual action through pacman.

Pacman has no idea if it is installing something malicious. It notifies you only on functional actions that are required.

Basically, none of the suggestions you make would have prevented the AUR attack from working. Nor a future one?

The only thing I would maybe agree with is some notification system that lets the CachyOS maintainers send an urgent message, but that would mean they would have to sign that message in some way. If that signature verification ever fails, someone could send malicious notifications to all CachyOS users, and that would create another threat.

And even then if the malicious package is noticed after a few days, if you already installed/updated it, it's too late. You could receive a notification giving guidelines to cleanup but that's too late. The infection could disable these notifications or worse.

And if you have an emergency notification system, is it a "pull" or "push" notification? Is it your computer that checks if there is a notification? How long between pulls? If it's a push, then the notification server basically has a full list of CachyOS IPs, which would suck too.

Sorry if I look nitpicky but I just want to illustrate that this is a very very complex problem to solve while respecting user privacy and "sovereignty" over their system. Supply chain attacks are extremely difficult to defend against and open source projects have increasingly numerous dependencies...

brokenwing@discuss.tchncs.de 6 points 22 hours ago* (last edited 22 hours ago)

Analyzing the commit history of libgdata, you can see the attacker pushed the malicious PKGBUILD on Jun 11, 2026 at 14:59 GMT. It was reverted to the previous commit on the same day, about 2.5 hours later, on Jun 11, 2026 at 17:30 GMT.

So it seems like if you updated the libgdata package during this period, your system might be affected.

Edit: Commit history: https://github.com/archlinux/aur/activity?ref=libgdata
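The "did I update it during the window?" check from this comment, and the affected/reverted table in the original post, can be turned into a log scan. The script below is an added example written for this thread, not the lenucksi/aur-malware-check script linked above and not anything from Arch or CachyOS. It reads pacman's ALPM log lines, keeps only installs/upgrades of packages from the table (a constructed subset of three rows is embedded), and reports any whose timestamp falls inside that package's hijack window. The sample log lines are constructed. Two caveats are built in: pacman logs the install time, not the moment the helper fetched the PKGBUILD, so a configurable slack after "Reverted" is applied; and a PKGBUILD that was built with makepkg but never installed leaves nothing in pacman.log at all, so a clean result from this scan is not proof of a clean host.

```python
import re
from datetime import datetime, timedelta, timezone

# Affected/reverted timestamps (UTC) copied from the thread's table.
# Constructed subset for the example; extend it with the full list from the post.
WINDOWS = {
    "libgdata":      ("2026-06-11 14:59+00:00", "2026-06-11 17:30+00:00"),
    "python-future": ("2026-06-11 15:58+00:00", "2026-06-11 16:54+00:00"),
    "clang15":       ("2026-06-12 12:34+00:00", "2026-06-12 12:54+00:00"),
}

# Matches pacman.log ALPM lines such as:
#   [2026-06-11T15:20:01+0000] [ALPM] upgraded libgdata (0.18.1-2 -> 0.18.1-3)
#   [2026-06-11T15:20:02+0000] [ALPM] installed python-future (1.0.0-1)
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] (?P<action>installed|upgraded|reinstalled) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]*)\)$"
)

# Constructed sample log; the real file lives at /var/log/pacman.log.
SAMPLE_LOG = """\
[2026-06-10T09:12:44+0000] [ALPM] upgraded libgdata (0.18.1-1 -> 0.18.1-2)
[2026-06-11T15:20:01+0000] [ALPM] upgraded libgdata (0.18.1-2 -> 0.18.1-3)
[2026-06-11T15:20:02+0000] [ALPM] installed python-future (1.0.0-1)
[2026-06-11T15:20:03+0000] [PACMAN] Running 'pacman -U /home/u/x.pkg.tar.zst'
[2026-06-12T13:10:00+0000] [ALPM] upgraded clang15 (15.0.7-1 -> 15.0.7-2)
[2026-06-12T18:00:00+0000] [ALPM] upgraded vidcutter (6.0.5-1 -> 6.0.5-2)
""".splitlines()


def parse_window(start, end):
    """Parse the table's 'YYYY-MM-DD HH:MM+00:00' strings into aware datetimes."""
    fmt = "%Y-%m-%d %H:%M%z"
    return datetime.strptime(start, fmt), datetime.strptime(end, fmt)


def parse_log_ts(ts):
    """Parse a pacman.log timestamp; modern logs carry an ISO stamp with zone."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        # Legacy pacman.log format has no zone; treated as UTC here (assumption).
        return datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def find_exposed_installs(log_lines, windows=WINDOWS, slack=timedelta(hours=1)):
    """Return (pkg, action, version, iso_timestamp) for every install/upgrade of a
    listed package whose log time lies in [affected, reverted + slack].
    The slack covers the gap between fetching the PKGBUILD and pacman logging
    the install of the resulting package."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("pkg") not in windows:
            continue
        ts = parse_log_ts(m.group("ts"))
        start, end = parse_window(*windows[m.group("pkg")])
        if start <= ts <= end + slack:
            hits.append((m.group("pkg"), m.group("action"), m.group("ver"), ts.isoformat()))
    return hits


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/pacman.log"
    try:
        with open(path) as f:
            lines = f.readlines()
    except OSError:
        print(f"could not read {path}; scanning the constructed sample log instead")
        lines = SAMPLE_LOG
    for pkg, action, ver, ts in find_exposed_installs(lines):
        print(f"{ts} {action} {pkg} ({ver}): inside the hijack window, "
              f"rebuild from a clean PKGBUILD and review the host")
```

Against the sample log this flags the libgdata upgrade at 15:20 (inside its window) and the clang15 upgrade at 13:10 (16 minutes after the revert, caught by the slack), while the python-future install before its window and the earlier libgdata upgrade are ignored. Widen the slack if you know your helper builds slowly, and remember that a hit only tells you the package was installed in the window; what the malicious PKGBUILD did on the host has to be checked separately.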

A_norny_mousse@piefed.zip 2 points 18 hours ago* (last edited 18 hours ago)

https://bbs.archlinux.org/viewtopic.php?id=313892

This helped me get an overview yesterday.

I made some comments, pointing out that some distros use the AUR in unintended ways, adding to its popularity but also making it easier for attackers to do shit like this.

Today I was told that this was "politics" between distros and really everybody should be able to use the AUR how they see fit.

That was a bit out there, but many people are hellbent on pushing the "company fucked up with tech security" narrative here.

this post was submitted on 14 Jun 2026