On Thu, Jun 11, 2026 at 07:47:05PM +0200, Jonathan Grotelüschen wrote:
> Hi everyone,
> 
> we’re working hard to reset/delete all malicious commits and ban the
> accounts.
> 
> If you find more malicious packages, please **send them as a reply to this
> email** to keep them all in one thread.
 
There's another attack currently ongoing it seems. Some users have
already requested deletion for them

These packages attempt to install the npm package 'js-digest' which is
flagged as malicious [1].

# run from Github's AUR mirror
$ git log --all -S js-digest --oneline

224a6d4b0a5d (atomicwalllet) Update dependencies
4191bf8baa5c (atomicwalet) sync (atomicwalet)
63e19a12fc27 (exodas) Fix source
27d23d8fcb8b (exoduz) upgpkg
ef470996b936 (exodys) Add missing deps (exodys)
064cfe60c7be (exodis) updpkgsums
bb93e7f2ac6a (exodud) Bump pkgrel
946a5ba56245 (exouds) rebuild
bd1b18f058f6 (exodux) add deps (exodux)
0c97f4f83a95 (exoduss) Add missing deps

[1] https://socket.dev/npm/package/js-digest

Reply via email to