Hundreds of AUR packages compromised (lwn.net)

<p>Hundreds of orphaned packages hosted by the <a
href="https://aur.archlinux.org/">Arch User Repository</a> (AUR) have
been compromised by an attacker who has added a <a
href="https://www.npmjs.com/package/atomic-lockfile">malicious npm
package</a> (<tt>atomic-lockfile</tt>) that can exfiltrate sensitive
data. The project is currently <a
href="https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/">working
on</a>
cleaning up the mess. There is a <a
href="https://gr.ht/aur_pkg_list.txt">list of affected packages</a>
and a <a href="https://gaysex.cloud/notes/andaxow7itfn05x9">post</a> by
"sodiboo" with additional information. Arch Linux users (or users of
Arch-based distributions) who use AUR packages may wish to check whether
they have installed any of the compromised updates.</p>
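
<p>One way to run that check, as an added example that is not part of the
original article: the script intersects the output of <tt>pacman -Qm</tt>
(installed foreign packages) with a saved copy of the affected-package list,
and lists build files that mention <tt>atomic-lockfile</tt>. The list format
(one package name per line), the function names, the build-file locations and
the sample package names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the article. Assumes the saved affected-package list
# has one package name per line ('#' comments and blank lines are tolerated).

# normalize_list FILE: strip CRs and comments, keep the first field per line.
normalize_list() {
    tr -d '\r' < "$1" | sed -e 's/#.*//' | awk 'NF { print $1 }' | sort -u
}

# affected_installed AFFECTED INSTALLED: print names present in both files.
# INSTALLED may be raw `pacman -Qm` output ("name version" per line).
affected_installed() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_list "$1" > "$a"
    normalize_list "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# pkgbuilds_referencing DIR: list PKGBUILD and *.install files under DIR that
# mention the npm package named in the article. DIR is whatever directory holds
# your AUR build files (assumption: the reader supplies it).
pkgbuilds_referencing() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -lF -e 'atomic-lockfile' {} + 2>/dev/null | sort
}

# demo: runs the comparison on constructed sample data (not real list entries).
demo() {
    d=$(mktemp -d) || return 2
    printf '# constructed\nexample-foo\r\nexample-bar\n\nexample-baz\n' > "$d/affected"
    printf 'example-bar 1.2-1\nexample-qux 0.9-3\nexample-foo 2.0-1\n' > "$d/installed"
    affected_installed "$d/affected" "$d/installed"
    rm -rf "$d"
}

# Live use on an Arch system: sh this-script check LIST [BUILD_DIR]
if [ "${1:-}" = "check" ]; then
    inst=$(mktemp) || exit 2
    pacman -Qm > "$inst"
    affected_installed "${2:?usage: check LIST [BUILD_DIR]}" "$inst"
    if [ -n "${3:-}" ]; then pkgbuilds_referencing "$3"; fi
    rm -f "$inst"
fi
```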
