This is almost certainly malicious. If randomly installing NPM wasn't enough of a smoking gun, the atomic-lockfile package on NPM was only uploaded yesterday and points to a GitHub user and repo that doesn't exist.
On Thu, 11 Jun 2026, at 2:50 PM, Mark Wagie wrote: > A new Maintainer adopted gnome-randr-rust and added an install file with the > following: > > npm install atomic-lockfile yargs > > https://aur.archlinux.org/cgit/aur.git/commit/?h=gnome-randr-rust&id=da9f4cf2d470bd603968ef605736285a2e0c8880 >
