Damus
sodiboo :pride_heart: profile picture
sodiboo :pride_heart:
@sodiboo :pride_heart:

​:pride_heart:​

I love programming, math, science, and linguistics

.NET shill turned Rust shill turned Nix shill

I'm the administrator and sole user of https://gaysex.cloud

I don't post media without alt text. I try not to boost posts with no alt text or with very unhelpful alt text.

follow requests MAY take a long time to process. this doesn't mean there's anything wrong with you, i'm just procrastinating. feel free to send a follow request.

read more at https://sodi.boo

Relays (1)
  • wss://relay.ditto.pub – read & write

Recent Notes

Soatok Dreamseeker · 1w
Soatok’s Informal Guide to Threat Models After a long day of exhausting conversations about Hybrid Post-Quantum Cryptography, random jackasses trying to play gotcha with endpoint attacks against e...
sodiboo :pride_heart: profile picture
@nprofile1q... i think the background image in this aside ends too early on a narrow screen (e.g. my mobile phone), and the white-on-white text that follows does not look particularly great. it looks fine in landscape orientation or in the desktop sized viewport.

sodiboo :pride_heart: profile picture
MANY ORPHANED AUR PACKAGES ARE BEING TARGETED WITH AN INFOSTEALER.

the Arch User Repository package alvr has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have this package on your system and updated it recently, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. in particular, the alvr-bin sister package seems to be fine.

here's the relevant thread for alvr from the Arch Linux mailing list. alvr seems to be the first package compromised and/or the first one that was noticed. it was updated maliciously at 2026-06-11 13:53:45 UTC (2026-06-11T13:53:45.000Z) and reverted approximately 3-4 hours after that.

SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE: 1, 2, 3, 4, 5

AUR mailing list megathread <-- over 400 (!!!!) packages have the malicious npm dependency

they all share in common that they will install the atomic-lockfile package from NPM (so, here's a live link to the actual malware. do not install that). they were all orphan takeovers. as far as i can tell, all of the ones i linked have been reverted to known safe versions. including alvr.

this is an infostealer, meaning it exfiltrates sensitive data from your system such as login credentials. removing the malware will not undo the damage. moreover, uninstalling the malicious package will not remove the malware because it persists as a systemd service that stays on your system indefinitely.

it executes as an npm preinstall script, and the npm package is installed by the AUR packages. this means that simply installing the malicious versions of any of these packages will compromise you. it does not require you to do anything more afterwards. again, the malware persists if you uninstall the malicious packages

to check if you've been compromised, look in /etc/systemd/system and ~/.config/systemd/user for a recently added .service file with a random name. that's the persistence mechanism and the most obvious mark that you've been compromised.

---

Attached is a screenshot of an announcement from the "Linux VR Adventures" discord.

i know we all hate discord, but LVRA has a lot of auxiliary discussion, so here's an invite link

of special interest, here's a malware analysis thread. Feel free to follow it in real time, or contribute, or whatever. Whanos has produced a preliminary analysis blog post that contains a lot of important information about the malware.

David Amador · 21w
TIL that SSDs can lose data if left unplugged for long periods of time (only required to hold data up to 1 year), unlike HDDs which as long as the material holds it can take years. https://cdn.masto....
sodiboo :pride_heart: profile picture
@nprofile1q... it's great that your alt text has a transcription of the screenshotted text (thank you!), but the link at the end ought to be in your post body, not the image alt text. it's easy to miss because you don't mention the link and not everyone opens the alt text, but on some frontends it is difficult or impossible to select/copy from/open links in the alt text.