Login
You're viewing the mstdn.social public feed.
  • Jun 11, 2026, 8:23 PM
    retooted sodiboo :pride_heart:

    MANY ORPHANED AUR PACKAGES ARE BEING TARGETED WITH AN INFOSTEALER. official statement (fediverse discussion)

    collection of detection scripts

    the Arch User Repository package
    alvr has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have this package on your system and updated it recently, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. in particular, the alvr-bin sister package seems to be fine.

    here's the relevant thread for alvr from the Arch Linux mailing list. alvr seems to be the first package compromised and/or the first one that was noticed. it was updated maliciously at 2026-06-11 13:53:45 UTC (2026-06-11T13:53:45.000Z) and reverted approximately 3-4 hours after that.

    SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE:
    1, 2, 3, 4, 5

    AUR mailing list megathread <-- over 400 (!!!!) packages have the malicious npm dependency

    here is a list of many of the affected packages

    they all share in common that they will install a malicious package from NPM. they were all orphan takeovers. most of the ones that we have noticed were reverted to known safe versions. but the attack is still ongoing in new waves! more orphaned packages are getting compromised constantly!

    at first, they did
    npm install atomic-lockfile, and then that package got pulled at the same time as they noticed we could grep for npm install, so the attacker switched to bun add js-digest and also lockfile-js. now both of those packages have been taken down, and they know we can grep for bun add, so the newest wave contains obfuscated commands like 'b''u''n' 'a'"d""d" with string escapes. as of this edit, one malicious npm package is nextfile-js, published 20 minutes ago.

    all of these npm packages contain an
    infostealer, meaning it exfiltrates sensitive data from your system such as browser cookies, discord tokens, ssh keys, and container registry logins. removing the malware will not undo the damage; the attacker now has all your credentials. moreover, uninstalling the malicious package will not remove the malware because it persists as a systemd service that stays on your system indefinitely.

    it executes as an npm preinstall script, and the npm package is installed by the AUR packages. this means that
    simply installing the malicious versions of any of these packages will compromise you. it does not require you to do anything more afterwards. again, the malware persists if you uninstall the malicious packages

    to check if you've been compromised, look in
    /etc/systemd/system and ~/.config/systemd/user for a recently added .service file with a random name. that's the persistence mechanism and the most obvious mark that you've been compromised.

    ---

    Attached is a screenshot of an announcement from the "Linux VR Adventures" discord.

    i know we all hate discord, but LVRA has a lot of auxiliary discussion, so
    here's an invite link. (or at least, it had a lot of relevant discussion when the news broke and this post was much shorter; it's mostly quiet now as we realized the scope goes way beyond VR. this post is also now more complete than it was)

    of special interest,
    here's a malware analysis thread. Feel free to follow it in real time, or contribute, or whatever. Whanos has produced a preliminary analysis blog post that contains a lot of important information about the malware.

    💬 18🔄 275⭐ 3