Hi Fariss
Hi Arch Team,
Flagging an active coordinated supply-chain attack against the AUR
observed on *2026-05-16 / 2026-05-17*. Three packages were adopted by
three single-package burner accounts using |@onionmail.org| addresses,
and the very first commit on each pushed an identical payload.
Thank you for your report about these malwares.
The following packages have been reverted to the previous state,
deleting the malicious extra dependencies and the owner accounts have
been banned:
* mod_python (deleted package)
* gnome-vfs
* multibootusb
* nss-hg
* expressvpn
* atomicwallet-bin (package deleted after history rewrite)
* exodus-bin (package deleted after history rewrite)
Additionally the following packages were removed as they appeared
compromised in the past months:
* tonkeeper-wallet-bin
* phantom-wallet-bin
* solflare-wallet-bin
Please report any newly observed compromised package ASAP.
Best regards
--
Muflone
