Hello,

Commits from new AUR user meryemplath seem to be malicious.

I disowned the pypiserver package yesterday. meryemplath took ownership today 
and immediately pushed a commit impersonating me, adding a malicious 
post-install script. It installs atomic-lockfile, a NPM package that executes a 
binary blob as post-install script. There is no reason NPM should be a 
dependency for pypiserver.

I haven't fully analyzed atomic-lockfile's binary blob, but it contains 
references to private data e.g. 
.local/share/TelegramDesktop/tdatasnap/telegram-desktop/current/.local/share/TelegramDesktop/tdata,
 so I'm assuming this is an exfiltration attempt.

Affected packages:

- pypiserver (previously maintained by me)
- python-dbapi-compliance (previously maintained by Felix Yan)
- anythingllm-cli-bin (previously maintained by Julian Corbet)

Cheers,
Ilaï

Reply via email to