The account https://aur.archlinux.org/account/acarrasco is registered using the email [email protected], which seems to be based on a known fraudulent Gmail account according to https://blog.castle.io/fraudulent-email-domain-tracker-july-2025/.
Could we run a check against the AUR DB for package adoption, to check if more packages have been snagged up by bots using generated email aliases?

On Mon, Apr 13, 2026 at 2:08 AM Agustin Carrasco <[email protected]> wrote:
>
> Hello!
>
> I had originally created the
> https://aur.archlinux.org/packages/hermes-agent-git package and then
> eventually disowned it, because I stopped using it and had no intention of
> maintaining it.
>
> I still got notifications tho, and today I got notified of a comment, went to
> check it out of curiosity and noticed that a user "acarrasco" had picked it
> up.
> The thing is, Agustin Carrasco is my name, which makes me really suspicious
> of this new maintainer; their user is also really new (same day I disowned it
> I think) and the mail doesn't match the username.
>
> Honestly it looks like some kind of bot that picks up orphaned packages and
> creates a user based on the previous maintainer name or something like that.
> Could be nothing but thought it was worth bringing it up.
>
> Agustin.-
