On Thu, Jun 11, 2026 at 07:47:05PM +0200, Jonathan Grotelüschen wrote: > Hi everyone, > > we’re working hard to reset/delete all malicious commits and ban the > accounts. > > If you find more malicious packages, please **send them as a reply to this > email** to keep them all in one thread. There's another attack currently ongoing it seems. Some users have already requested deletion for them
These packages attempt to install the npm package 'js-digest' which is flagged as malicious [1]. # run from Github's AUR mirror $ git log --all -S js-digest --oneline 224a6d4b0a5d (atomicwalllet) Update dependencies 4191bf8baa5c (atomicwalet) sync (atomicwalet) 63e19a12fc27 (exodas) Fix source 27d23d8fcb8b (exoduz) upgpkg ef470996b936 (exodys) Add missing deps (exodys) 064cfe60c7be (exodis) updpkgsums bb93e7f2ac6a (exodud) Bump pkgrel 946a5ba56245 (exouds) rebuild bd1b18f058f6 (exodux) add deps (exodux) 0c97f4f83a95 (exoduss) Add missing deps [1] https://socket.dev/npm/package/js-digest
