惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
T
Threatpost
WordPress大学
WordPress大学
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
PCI Perspectives
PCI Perspectives
T
The Exploit Database - CXSecurity.com
Y
Y Combinator Blog
雷峰网
雷峰网
爱范儿
爱范儿
The Hacker News
The Hacker News
Last Week in AI
Last Week in AI
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
S
Securelist
宝玉的分享
宝玉的分享
L
LangChain Blog
O
OpenAI News
AI
AI
P
Privacy International News Feed
L
LINUX DO - 最新话题
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
M
MIT News - Artificial intelligence
Security Archives - TechRepublic
Security Archives - TechRepublic
月光博客
月光博客
博客园 - 【当耐特】
T
Tailwind CSS Blog
C
Cybersecurity and Infrastructure Security Agency CISA
H
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园_首页
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
Jina AI
Jina AI
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
Webroot Blog
Webroot Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Blog — PlanetScale
Blog — PlanetScale
MyScale Blog
MyScale Blog
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog

Hacker News: Best

madhadron - The seven programming ur-languages GitHub - smol-machines/smolvm: Tool to build & run portable, lightweight, self-contained virtual machines. I Measured Claude 4.7's New Tokenizer. Here's What It Costs You. Introducing Claude Design by Anthropic Labs It Is Time to Ban the Sale of Precise Geolocation The creative software industry has declared war on Adobe Isaac Asimov: The Last Question Newly unsealed records reveal Amazon’s price-fixing tactics, California attorney general claims Clojure - Documentary Android CLI and skills: Build Android apps 3x faster using any agent Qwen3.6-35B-A3B on my laptop drew me a better pelican than Claude Opus 4.7 Codex for almost everything Introducing Claude Opus 4.7 Qwen Studio The Future of Everything is Lies, I Guess: Where Do We Go From Here? Virginia Bans Sale of Geolocation Data YouTube now lets you turn off Shorts Burgers | マクドナルド公式 ChatGPT for Excel Ask HN: Who is using OpenClaw? Live Nation illegally monopolized ticketing market, jury finds Google Broke Its Promise to Me. Now ICE Has My Data. Open Source Isn't Dead. The Future of Everything is Lies, I Guess: New Jobs Unexpected €54k billing spike in 13 hours: Firebase browser key without API restrictions used for Gemini requests IPv6 – Google Your Backpack Got Worse On Purpose Good sleep, good learning, good life Fixing a 20-year-old bug in Enlightenment E16. Does Gas Town 'steal' usage from users' LLM credits & paid services to improve itself? Tell HN: Fiverr left customer files public and searchable Cybersecurity Looks Like Proof of Work Now Getting the Flock out Release OpenSSL 4.0.0 · openssl/openssl Internet será irrespirable los días de fútbol y otros deportes. Telefónica extiende los bloqueos a Champions, tenis y golf. Automate work with routines - Claude Code Docs The Future of Everything is Lies, I Guess: Work Thousands of rare concert recordings are landing on the Internet Archive — listen now What is jj and why should I care? Backblaze has quietly stopped backing up your data Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings Codex Hacked a Samsung TV The Future of Everything is Lies, I Guess: Safety GitHub - sterlingcrispin/nothing-ever-happens: Polymarket bot that buys "No" on all non-sports markets. For entertainment only, mostly a meme. Make tmux Pretty and Usable - Ham Vocke Microsoft isn't removing Copilot from Windows 11, it's just renaming it Servo is now available on crates.io - Servo aims to empower developers with a lightweight, high-performance alternative for embedding web technologies in applications. We May Be Living Through the Most Consequential Hundred Days in Cyber History, and Almost Nobody Has Noticed All elementary functions from a single binary operator 奈拜提耶市 Seven countries now generate 100% of their electricity from renewable energy Pro Max 5x Quota Exhausted in 1.5 Hours Despite Moderate Usage Tell HN: docker pull fails in spain due to football cloudflare block Bring Back Idiomatic Design @adlrocha - How the "AI Loser" may end up winning Apple update turns Czech mate for locked-out iPhone user Cache TTL silently regressed from 1h to 5m around early March 2026, causing quota and cost inflation The peril of laziness lost AI Will Be Met With Violence, and Nothing Good Will Come of It Center for Responsible, Decentralized Intelligence at Berkeley The disturbing white paper Red Hat is trying to erase from the internet – OSnews The Future of Everything is Lies, I Guess: Annoyances 447 Terabytes per Square Centimetre at Zero Retention Energy: Non-Volatile Memory at the Atomic Scale on Fluorographane Show HN: Pardonned.com – A searchable database of US Pardons 20 Years on AWS and Never Not My Job Artemis II crew splashes down near San Diego after historic moon mission Molotov Cocktail Is Hurled at Home of Sam Altman, OpenAI’s CEO France to ditch Windows for Linux to reduce reliance on US tech On filing the corners off my MacBooks Installing every* Firefox extension Chimpanzees in Uganda locked in vicious 'civil war', say researchers linux/Documentation/process/coding-assistants.rst at master · torvalds/linux GitHub - callumlocke/json-formatter: Makes JSON easy to read. A compelling title that is cryptic enough to get you to take action on it GitHub - Keychron/Keychron-Keyboards-Hardware-Design: Industrial design files for Keychron keyboards and mice. 100+ models with CAD assets in STEP, DXF, DWG, and PDF. Source-available, with commercial use allowed for original compatible accessories within the license terms. [ANNOUNCE] WireGuardNT v0.11 and WireGuard for Windows v0.6 Released 1D-Chess Helium Is Hard to Replace FBI used iPhone notification data to retrieve deleted Signal messages Microsoft suspends dev accounts for high-profile open source projects Why you can’t trust Privacy & Security Serenity Forge (@serenityforge.com) A new trick brings stability to quantum operations OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters Netflix Prices Went Up Again – I Bought a DVD Player Instead DOJ Wants to Scrap Watergate-Era Rule That Makes Presidential Records Public EFF is Leaving X How NASA built Artemis II’s fault-tolerant computer Meta removes ads for social media addiction litigation How Pizza Tycoon simulated traffic on a 25 MHz CPU Claude mixes up who said what, and that's not OK Reallocating $100/Month Claude Code spend to Zed and OpenRouter Help Keep Thunderbird Alive! Why Are Flock Employees Watching Our Children? The Pentagon Threatened Pope Leo XIV’s Ambassador With the Avignon Papacy Fragments: April 2 Native Instant Space Switching on MacOS Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8% God sleeps in the minerals Apple Silicon and Virtual Machines: Beating the 2 VM Limit
400+ AUR Packages Compromised with Infostealer and Rootkit
mttaggart (Taggart) · 2026-06-12 · via Hacker News: Best

Last Updated: 2026-06-12T19:14:16Z

What’s Happening

It appears a new AUR package maintainer impersonating a trusted maintainer adopted and infected 408+ packages. The compromise was reported and other AUR maintainers have been working to remove the infected packages.

As of 2026-06-12T17:30:00Z, the AUR maintainers believe they have removed all malicious commits.

They have also decided to implement some controls and limitations on functionality, including adopting packages.

The attack included at least two separate malicious dependencies.

The initial affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload.

Here’s an example of the change:

Further infections used Bun to install the malicious js-digest. NPM has removed that package.

This blog has a deep dive into the attack.

Actions

If you don’t use Arch (btw), you’re fine.

  1. Arch users: review the list of affected packages and use this script to check your exposure: aur_check.sh (OUTDATED, check https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14) · GitHub
  2. Review the Ioctl blog for the indicators of compromise and if found, preserve the system for forensic investigation as appropriate.
  3. If packages are found, follow normal compromise procedures. Rotate all credentials and consider reinstalling Arch. The possibility of a rootkit removes the possibility of system trust.

Also, just for good measure (and this is for everyone), deny outbound Tor traffic from your network.

Indicators of Compromise

In addition to the linked IOCs, this is the SHA256 of the malicious Linux executable embedded in js-digest.

7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316

You can also hunt for suspicious eBPF Maps using bpftool map list. Suspicious map names include:

  • hidden_pids
  • hidden_names
  • hidden_inodes

Notes

An earlier version of this report stated that a known maintainer account was responsible for the malicious commits. That was inaccurate; the known maintainer account was spoofed.

Most of these packages are rare, but the scope is significant. Also, it’s rare to see a supply chain attack of this nature go so far as an eBPF rootkit in addition to infostealer behavior.

Socket.dev has the malicious NPM package. It shows 134 downloads.

https://socket.dev/npm/package/atomic-lockfile

The NPM package is maintained by user herbsobering. Searching that username on GitHub reveals a single container image that appears to be a reverse shell/proxy tool. Package herbsobering430 · GitHub

You might be wondering how this happened. The truth is, the AUR package repository allows anyone to “adopt” a package and submit a change to the PKGBUILD/associated files if the package is marked as unmaintained. It turns out automating the hunt for abandoned packages and adoption of them is not uncommon. See this Mastodon thread for additional context.

0xF21D (Robert Hollingshead) 2

This link ( aur_check.sh · GitHub ) contains a script for checking if you’re infected, but in the comments someone has started maintaining a list and another commenter posted the following bash command line that will only refer to the list, not download any script:

echo "Affected Packages Found:"; comm -12 <(pacman -Qqm | sort) <(curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort) | { read -r l && printf '%s\n' "$l" || echo "None. No known compromised packages are installed."; }

NOTE: Obviously best effort, but sharing because it’s a good start.

mttaggart (Taggart) 3

Yeah this is gonna be like whack-a-mole. This list is already out-of-date and doesn’t include the new Bun-based attacks, like this package.

0xF21D (Robert Hollingshead) 4

True. For now it’s best to avoid running yay -Syu (or any other AUR package updater) and only sudo pacman -Syu to update software in the officially maintained repo in arch until an all clear is given, which given the pace of the maintainers so far, should be soon.

mttaggart (Taggart) 5

Here’s a current(ish) list for packages that were hit with js-digest. This npm package has already been removed, but if you updated AUR packages in the last 12 hours or so, worth checking out.

Never before have I been so glad that I go months at a time without updating my AUR packages :sweat_smile: