Hello, Commits from new AUR user meryemplath seem to be malicious.
I disowned the pypiserver package yesterday. meryemplath took ownership today and immediately pushed a commit impersonating me, adding a malicious post-install script. It installs atomic-lockfile, a NPM package that executes a binary blob as post-install script. There is no reason NPM should be a dependency for pypiserver. I haven't fully analyzed atomic-lockfile's binary blob, but it contains references to private data e.g. .local/share/TelegramDesktop/tdatasnap/telegram-desktop/current/.local/share/TelegramDesktop/tdata, so I'm assuming this is an exfiltration attempt. Affected packages: - pypiserver (previously maintained by me) - python-dbapi-compliance (previously maintained by Felix Yan) - anythingllm-cli-bin (previously maintained by Julian Corbet) Cheers, Ilaï
