Those packages are likely compromised (all from a malicious user charlottedurand <https://aur.archlinux.org/account/charlottedurand>):
python-poetry-plugin-dotenv iceweasel firefox-esr-globalmenu python-pylsp-rope cardano-node-bin git-open nitrogen-git nem-wallet minify-js-bin minichrome mingw-w64-laz-perf mdbook-compress masari linux-cachyos-deckify-native linux-cachyos-deckify-native-headers librewolf-extension-protonpass-bin librewolf-extension-duckduckgo-privacy-essentials kristforge-bin kmorph just-js-completion js-design-appimage js-design-agent-bin jade-application-kit gutenpy gobyte-qt gminer-bin fontfinder firefox-librejs firefox-floccus firefox-esr-ublock-origin firefox-esr-noscript firefox-babble fifth-git felinks-python ethlint-git esteem-bin emerald-wallet-bin elixirscript elements-project-bin elements-project edfbrowser-git deno-git cxo curecoind-git ctjs-bin create-next-app concordium-node-bin concordium-desktop-wallet-testnet-bin concordium-desktop-wallet-bin concordium-desktop-wallet-appimage code-notes-bin cl-javascript certbox-bin catalyst5-browser carto-sql-api cardano-wallet cardano-addresses camunda-modeler-plugin-bpmn-js-token-simulation caja-deja-dup-bzr btdex-git browserpass-git browserpass-cachy-browser bonsai-browser On Sat, Jun 13, 2026, at 21:36, Joshua Arnott wrote: > On Sat, 13 Jun 2026, at 8:31 PM, Edmund Lodewijks wrote: >> Hallo! >> >> Reporting AUR package: caja-deja-dup-bzr >> >> Just found this one, a former package of mine that I apparently still >> receive updates for: >> >> caja-deja-dup-bzr >> <https://aur.archlinux.org/cgit/aur.git/log/?h=caja-deja-dup-bzr> >> >> Perhaps a script that checks all uploads via SSH / changes on disk, and >> flags any addition of 'bun' etc? >> >> Kind regards, >> Edmund >> >> >> -- >> Edmund Lodewijks <[email protected]> >> TZ: UCT+2 / GMT+2 >> > > The malicious code in this is lightly obfuscated using string concatenation > in the post install hook to avoid basic pattern matching using grep, etc. Is > that new? Benoît Zugmeyer
