Hundreds of AUR packages compromised
Date:
Fri, 12 Jun 2026 13:41:22 +0000
Description:
Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm
package ( atomic-lockfile ) that can exfiltrate sensitive
data. The project is currently working
on cleaning up the mess. There is a list of affected packages and post by "sodiboo" with additional information. Arch Linux users (or users of
Arch-based distributions) that use AUR packages may wish to see if they
have installed any of the compromised updates.
======================================================================
Link to news story:
https://lwn.net/Articles/1077718/
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)