Hi all, I may have found another one: [1].
Signed up only a few days ago and has adopted 15 packages. Example suspicious update: [2]. Post-install script contains 'bun add execa js-digest commander'. [1] https://aur.archlinux.org/account/erzsebetszabo [2] https://aur.archlinux.org/cgit/aur.git/commit/?h=milena-data&id=f579bb74da0875d43458ee31fdc76be8079c57c2 On 13/6/26 00:05, a821 wrote:
On Fri, Jun 12, 2026 at 03:03:37PM +0200, koraynilay wrote:welp, running git log --all --since="10 hours ago" -p -S js-digest --decorate=full | /bin/grep -Po '(?<=origin/).*(?=\))' yields ~900 packages[1], quickly skimming through the logs they all seem to be malicious like the last wave. I do see the number decreasing almost each time I run it, but I feel I should still send the latest list I got. These are 879 packages.[...] Wow, the number increased in a couple of hours since I initially posted. Now the malicious package is called lockfile-js (renamed from atomic-lockfile). [1] https://www.npmjs.com/package/lockfile-js
-- Frederick Zhang PGP: 8BFB EA5B 4C44 BFAC C8EC 5F93 1F92 8BE6 0D8B C11D
OpenPGP_signature.asc
Description: OpenPGP digital signature
