I got an AUR notification this morning that a package I originally created many years ago had been taken over since it had gone orphaned. I can see from the diff that it's also a victim of the bun attack...
- qscite Thanks for making a place to report these centrally. -Jared On Fri, Jun 12, 2026, 9:26 AM Mario Finelli <[email protected]> wrote: > > On 6/11/26 19:47, Jonathan Grotelüschen wrote: > > Hi everyone, > > > > we’re working hard to reset/delete all malicious commits and ban the > > accounts. > > > > If you find more malicious packages, please **send them as a reply to > > this email** to keep them all in one thread. > > Hi more packages infected with the new bun js-digest attack: > > - ruby-oauth > - ruby-activerecord > - ruby-activemodel > - ruby-thread_safe > > They all use different AUR accounts which I assume are all malicious as > well. > > Thanks for cleaning this up! > > > > > Thanks! > > > > -- > > tippfehlr > > Cheers, > Mario >
