On 2026-06-12 16:16, Agamjot Singh wrote:
Another temporary solution (specifically for the current situation
involving atomic-lockfile npm package):
regex npm/pnpm install atomic-lockfile
in the PKGBUILD and holding all such commits.
The regex list can then be updated manually by moderators as other
methods
of malware distribution get discovered.
Circumventing such list is faster and easier than reacting and updating
it to contain new patterns. The "payloads" are at least human readable
for now...
MW