This is almost certainly malicious.

If randomly installing NPM wasn't enough of a smoking gun, the atomic-lockfile 
package on NPM was only uploaded yesterday and points to a GitHub user and repo 
that doesn't exist.

On Thu, 11 Jun 2026, at 2:50 PM, Mark Wagie wrote:
> A new Maintainer adopted gnome-randr-rust and added an install file with the 
> following:
> 
> npm install atomic-lockfile yargs
> 
> https://aur.archlinux.org/cgit/aur.git/commit/?h=gnome-randr-rust&id=da9f4cf2d470bd603968ef605736285a2e0c8880
> 

Reply via email to