On 4/13/26 8:55 AM, Christoph Gysin wrote:
The account https://aur.archlinux.org/account/acarrasco is registered using the email [email protected], which seems to be based on a known fraudulent gmail account according to https://blog.castle.io/fraudulent-email-domain-tracker-july-2025/.

Could we run a check against the AUR DB for package adoption, to check if more packages have been snagged up by bots using generated email aliases?

On Mon, Apr 13, 2026 at 2:08 AM Agustin Carrasco <[email protected]> wrote:

Hello!

I had originally created the https://aur.archlinux.org/packages/hermes-agent-git package and then eventually disowned it, because I stopped using it and had no intention of maintaining it. I still got notifications tho, and today I got notified of a comment, went to check it out of curiosity and noticed that a user "acarrasco" had picked it up.

The thing is, Agustin Carrasco is my name, which makes me really suspicious of this new maintainer; their user is also really new (same day I disowned it I think) and the mail doesn't match the username. Honestly it looks like some kind of bot that picks up orphaned packages and creates a user based on the previous maintainer name or something like that.

Could be nothing but thought it was worth bringing it up.

Agustin.-

Hello,

Thanks for the report!

The account has been banned and the package will be orphaned so someone else can pick it up.

-- Regards, Robin Candau / Antiz
