Hi,

I also just received a notification that a package I manage has been taken over:

> The package tllocalmgr-git [1] was adopted by slavicanaf [2].
>
> [1] https://aur.archlinux.org/pkgbase/tllocalmgr-git/
> [2] https://aur.archlinux.org/account/slavicanaf/

So far no commits have been added.

Thank you guys for your efforts!

Cheers,
Hans

On 12.06.26 3:29 PM, Jared Sutton wrote:
I got an AUR notification this morning that a package I originally created many years ago had been taken over since it had gone orphaned. I can see from the diff that it's also a victim of the bun attack...

- qscite


Thanks for making a place to report these centrally.

-Jared

On Fri, Jun 12, 2026, 9:26 AM Mario Finelli <[email protected] <mailto:[email protected]>> wrote:


    On 6/11/26 19:47, Jonathan Grotelüschen wrote:
     > Hi everyone,
     >
     > we’re working hard to reset/delete all malicious commits and ban the
     > accounts.
     >
     > If you find more malicious packages, please **send them as a
    reply to
     > this email** to keep them all in one thread.

    Hi more packages infected with the new bun js-digest attack:

    - ruby-oauth
    - ruby-activerecord
    - ruby-activemodel
    - ruby-thread_safe

    They all use different AUR accounts which I assume are all malicious as
    well.

    Thanks for cleaning this up!

     >
     > Thanks!
     >
     > --
     > tippfehlr

    Cheers,
    Mario


Reply via email to