https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/?noscript
orphaned AUR packages got taken over to spread credential stealer malware in npm atomic lockfile. if you have not updated AUR in ~3 days or more you should be fine either way
imperfect script to check for compromise:
https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
echo "Affected Packages Found:"; comm -12 <(pacman -Qqm | sort) <(curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort) | { read -r l && { printf '%s\n' "$l"; cat; } || echo "None. No known compromised packages are installed."; }
find malicious file in AUR helper log:
grep -r atomic-lockfile ~/.cache/yay
grep -r atomic-lockfile ~/.cache/paru
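The one-liner above prints "None" when the list download fails, because `curl -s` then hands `comm` an empty list. A stricter version of the same two checks, as an added example that is not part of the original post or the linked gist, separates "nothing found" from "could not check". The function names, exit codes and `--run` switch are this example's own; the list URL and the `atomic-lockfile` marker are the ones given in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked gist.
# Exit codes (this example's convention):
#   0 = nothing found, 1 = match found, 2 = check could not be performed.

# match_packages INSTALLED_FILE LIST_FILE: print names present in both files.
match_packages() (
    [ -r "$1" ] && [ -r "$2" ] || { echo "error: unreadable input" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 2
    # Drop CRs and blank lines; sort both sides identically for comm.
    tr -d '\r' < "$2" | grep -v '^[[:space:]]*$' | LC_ALL=C sort -u > "$tmp/list"
    LC_ALL=C sort -u "$1" > "$tmp/installed"
    if [ ! -s "$tmp/list" ]; then
        # An empty list proves nothing: treat it as a failed download.
        rm -rf "$tmp"; echo "error: package list is empty" >&2; exit 2
    fi
    hits=$(LC_ALL=C comm -12 "$tmp/installed" "$tmp/list")
    rm -rf "$tmp"
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; exit 1; fi
    exit 0
)

# scan_caches MARKER DIR...: list files under existing DIRs containing MARKER.
scan_caches() (
    marker=$1; shift; hit=0
    for d in "$@"; do
        [ -d "$d" ] || continue    # that helper was never used on this machine
        if grep -rlF -- "$marker" "$d" 2>/dev/null; then hit=1; fi
    done
    exit "$hit"
)

main() {
    list_url=https://cscs.pastes.sh/raw/aurvulnlist20260611.txt   # URL from the post
    command -v pacman >/dev/null || { echo "error: pacman not found" >&2; return 2; }
    work=$(mktemp -d) || return 2
    pacman -Qqm > "$work/installed" || :    # no foreign packages is not an error here
    # -f: fail on HTTP errors instead of saving an error page as the list.
    if ! curl -fsS "$list_url" -o "$work/list"; then
        rm -rf "$work"; echo "error: list download failed" >&2; return 2
    fi
    match_packages "$work/installed" "$work/list"; rc=$?
    # A cache hit turns a clean result into 1 but never hides an error (2).
    scan_caches atomic-lockfile "$HOME/.cache/yay" "$HOME/.cache/paru" \
        || [ "$rc" -ne 0 ] || rc=1
    rm -rf "$work"
    return "$rc"
}

# Run the live check only when called with --run.
if [ "${1:-}" = "--run" ]; then main; exit $?; fi
```

A clean result only covers the names on that list and the two helper caches; it says nothing about packages built by other means.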