I got an AUR notification this morning that a package I originally created
many years ago had been taken over since it had gone orphaned. I can see
from the diff that it's also a victim of the bun attack...

- qscite


Thanks for making a place to report these centrally.

-Jared

On Fri, Jun 12, 2026, 9:26 AM Mario Finelli <[email protected]> wrote:

>
> On 6/11/26 19:47, Jonathan Grotelüschen wrote:
> > Hi everyone,
> >
> > we’re working hard to reset/delete all malicious commits and ban the
> > accounts.
> >
> > If you find more malicious packages, please **send them as a reply to
> > this email** to keep them all in one thread.
>
> Hi more packages infected with the new bun js-digest attack:
>
> - ruby-oauth
> - ruby-activerecord
> - ruby-activemodel
> - ruby-thread_safe
>
> They all use different AUR accounts which I assume are all malicious as
> well.
>
> Thanks for cleaning this up!
>
> >
> > Thanks!
> >
> > --
> > tippfehlr
>
> Cheers,
> Mario
>

Reply via email to