On 6/11/26 3:50 PM, Mark Wagie wrote:
A new Maintainer adopted gnome-randr-rust and added an install file with the
following:
npm install atomic-lockfile yargs
https://aur.archlinux.org/cgit/aur.git/commit/?h=gnome-randr-rust&id=da9f4cf2d470bd603968ef605736285a2e0c8880
Thanks, the offending commit was da9f4cf2d470bd603968ef605736285a2e0c8880, I've
rolled back the repository to the previous commit
d6801693e68e13267e33bb34080b6fa7f057c850.
Another moderator already suspended the user.
The pattern is always the same, `npm install something` in post_install which in
turn has a package.json with (the exact path varies):
```
[...]
"scripts": {
[...]
"preinstall": "./src/hooks/deps",
[...]
},
[...]
```
Which is an ELF executable.
I've also notified npmjs.com that atomic-lockfile is malware.
Thanks for the report, very much appreciated.
kpcyrd