Hi all,

I may have found another one: [1].

Signed up only a few days ago and has adopted 15 packages. Example
suspicious update: [2]. Post-install script contains 'bun add execa
js-digest commander'.

[1] https://aur.archlinux.org/account/erzsebetszabo
[2] 
https://aur.archlinux.org/cgit/aur.git/commit/?h=milena-data&id=f579bb74da0875d43458ee31fdc76be8079c57c2

On 13/6/26 00:05, a821 wrote:
On Fri, Jun 12, 2026 at 03:03:37PM +0200, koraynilay wrote:
welp, running
git log --all --since="10 hours ago" -p -S js-digest --decorate=full | /bin/grep 
-Po '(?<=origin/).*(?=\))'
yields ~900 packages[1], quickly skimming through the logs they all seem
to be malicious like the last wave.

I do see the number decreasing almost each time I run it, but I feel I
should still send the latest list I got.
These are 879 packages.

[...]

Wow, the number increased in a couple of hours since I initially posted.

Now the malicious package is called lockfile-js (renamed from
atomic-lockfile).

[1] https://www.npmjs.com/package/lockfile-js

--
Frederick Zhang

PGP: 8BFB EA5B 4C44 BFAC C8EC 5F93 1F92 8BE6 0D8B C11D

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to