Hi,
I also just received a notification that a package I manage has been
taken over:
> The package tllocalmgr-git [1] was adopted by slavicanaf [2].
>
> [1] https://aur.archlinux.org/pkgbase/tllocalmgr-git/
> [2] https://aur.archlinux.org/account/slavicanaf/
So far no commits have been added.
Thank you guys for your efforts!
Cheers,
Hans
On 12.06.26 3:29 PM, Jared Sutton wrote:
I got an AUR notification this morning that a package I originally
created many years ago had been taken over since it had gone orphaned. I
can see from the diff that it's also a victim of the bun attack...
- qscite
Thanks for making a place to report these centrally.
-Jared
On Fri, Jun 12, 2026, 9:26 AM Mario Finelli <[email protected]
<mailto:[email protected]>> wrote:
On 6/11/26 19:47, Jonathan Grotelüschen wrote:
> Hi everyone,
>
> we’re working hard to reset/delete all malicious commits and ban the
> accounts.
>
> If you find more malicious packages, please **send them as a
reply to
> this email** to keep them all in one thread.
Hi more packages infected with the new bun js-digest attack:
- ruby-oauth
- ruby-activerecord
- ruby-activemodel
- ruby-thread_safe
They all use different AUR accounts which I assume are all malicious as
well.
Thanks for cleaning this up!
>
> Thanks!
>
> --
> tippfehlr
Cheers,
Mario