On Sat, 13 Jun 2026, at 8:31 PM, Edmund Lodewijks wrote: > Hallo! > > Reporting AUR package: caja-deja-dup-bzr > > Just found this one, a former package of mine that I apparently still > receive updates for: > > caja-deja-dup-bzr > <https://aur.archlinux.org/cgit/aur.git/log/?h=caja-deja-dup-bzr> > > Perhaps a script that checks all uploads via SSH / changes on disk, and > flags any addition of 'bun' etc? > > Kind regards, > Edmund > > > -- > Edmund Lodewijks <[email protected]> > TZ: UCT+2 / GMT+2 >
The malicious code in this is lightly obfuscated using string concatenation in the post install hook to avoid basic pattern matching using grep, etc. Is that new?
