Hacker News
by mkayokay 10 days ago
So from a quick read, it seems it installed "atomic-lockfile", "js-digest" or "lockfile-js" from npm. A list of affected packages is here [1].

Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date-related info:

  pacman -Qmi

Check the output against the list of affected packages.

Then, you can also grep for those files in various locations:

  grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json"

  grep -rl "atomic-lockfile" ~/.npm 2>/dev/null

  grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null

Don't know if the packages delete themselves after they run. I just wanted to provide some basic commands, as all the other info I found didn't provide any help.

[1] https://md.archlinux.org/s/SxbqukK6IA

5 comments

Here is how I did it:

Get a list of installed packages originating from AUR using 'yay':

  yay -Qam > packages_aur.last
Get list from https://md.archlinux.org/s/SxbqukK6IA# :

  curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt
then:

  grep -wFf compromised.txt packages_aur.last
should spit out the packages that are in both files, hence were compromised at some point, I guess.
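As an added example (my own script, not code from either of the two posts above), here is a POSIX shell version of the same check with two things a careful run wants: exact name matching instead of `grep -w` (which would also flag, say, `foo-git` when `foo` is listed, because `-` is a word boundary), and the version and install date next to each hit so it can be compared with a cutoff date. It also scans a directory for `package.json`/`package-lock.json` files naming any of the three dependencies the thread mentions, not just `atomic-lockfile`. It assumes `pacman -Qmi` was run with `LC_ALL=C` so install dates print like `Sat Jun 14 10:22:05 2025`, and that the compromised list is one package name per line; every package name, date and manifest in the script is a constructed sample, and the cutoff year is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check `pacman -Qmi` output
# against a list of compromised AUR package names, then scan a directory for
# Node manifests that name any of the three dependencies the thread mentions.
# Every package name, date and manifest below is a constructed sample.

# parse_qmi: read `pacman -Qmi` output on stdin (run with LC_ALL=C so dates
# print as "Sat Jun 14 10:22:05 2025") and emit one line per package:
# name<TAB>version<TAB>install date as YYYYMMDD.
parse_qmi() {
    awk -F' : ' '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        function flush() {
            if (name != "") printf "%s\t%s\t%s\n", name, ver, inst
            name = ""; ver = ""; inst = ""
        }
        /^Name +:/         { flush(); name = $2 }
        /^Version +:/      { ver = $2 }
        /^Install Date +:/ {
            n = split($2, f, " ")          # e.g. Sat Jun 14 10:22:05 2025
            inst = sprintf("%04d%02d%02d", f[n], mon[f[2]], f[3])
        }
        END { flush() }
    '
}

# check_compromised LIST QMI CUTOFF: for every installed package whose name is
# exactly one line of LIST, print "<tag> <name> <version> <YYYYMMDD>", where the
# tag says whether the install date is on/after CUTOFF (YYYYMMDD).
check_compromised() {
    parse_qmi <"$2" | awk -F'\t' -v list="$1" -v cutoff="$3" '
        BEGIN {
            while ((getline l < list) > 0) {
                sub(/[ \t\r]+$/, "", l)     # tolerate CRLF / trailing spaces
                if (l != "") bad[l] = 1
            }
        }
        ($1 in bad) {
            tag = ($3 + 0 >= cutoff + 0) ? "INSTALLED-ON-OR-AFTER-CUTOFF" : "installed-before-cutoff"
            print tag, $1, $2, $3
        }
    '
}

# scan_node_manifests DIR: list package.json / package-lock.json files under DIR
# that reference atomic-lockfile, js-digest or lockfile-js (the three names the
# thread gives), so the check is not limited to the first one.
scan_node_manifests() {
    find "$1" -type f \( -name package.json -o -name package-lock.json \) \
        -exec grep -lE '(atomic-lockfile|js-digest|lockfile-js)"' {} +
}

# demo: run both checks on constructed inputs and print the findings.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed list of "compromised" names (placeholders, not the real list).
    printf '%s\n' examplepkg other-tool third-thing >"$tmp/compromised.txt"
    # Constructed `pacman -Qmi` excerpt; examplepkg-git is a decoy that
    # `grep -w examplepkg` would also match.
    cat >"$tmp/qmi.txt" <<'EOF'
Name            : examplepkg
Version         : 1.2.3-1
Description     : constructed sample package
Install Date    : Sat Jun 14 10:22:05 2025

Name            : examplepkg-git
Version         : r42.abc1234-1
Install Date    : Sun Jun 15 09:00:00 2025

Name            : other-tool
Version         : 2.0-1
Install Date    : Tue Feb  4 22:15:32 2025
EOF
    # Constructed manifests: one pulls js-digest, the other is clean.
    mkdir -p "$tmp/proj" "$tmp/clean"
    printf '{"name":"app","dependencies":{"js-digest":"1.0.0"}}\n' >"$tmp/proj/package.json"
    printf '{"name":"ok","dependencies":{"express":"4.18.2"}}\n' >"$tmp/clean/package.json"

    check_compromised "$tmp/compromised.txt" "$tmp/qmi.txt" 20250610   # June 10; year assumed
    scan_node_manifests "$tmp"
    rm -rf "$tmp"
}

demo
```

Against a real system the inputs would be `LC_ALL=C pacman -Qmi > qmi.txt` and `curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt`, followed by `check_compromised compromised.txt qmi.txt 20250610` and `scan_node_manifests "$HOME"`. A hit tagged as installed before the cutoff still deserves the version check discussed in the thread, and `pacman -Qmi` only sees packages that are still installed, so `/var/log/pacman.log` remains the place to look for ones that were installed and later removed.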
Thank you for this! I only had two on my system, thank goodness. I have uninstalled both.

  libgdata 0.18.1-5
  qt5-3d 5.15.18-1

Have you checked the install date? I'm not sure which are the compromised version numbers, but if they were installed before June 10 you're probably safe. (I think libgdata 0.18.1-5 used to be on the main repos in February, and has recently been downgraded to AUR, so you may be fine).

Only packages from AUR have been compromised, meaning a normal update `pacman -Syu` won't install them, they'll only be installed by `makepkg` or AUR helpers (such as `paru`, which asks you to review the PKGBUILD diff).

Also, if you had installed a compromised version, uninstalling the packages is not enough, you'd probably need to reinstall your system and rotate all credentials. More info here and on the linked blog: https://discourse.ifin.network/t/400-aur-packages-compromise...

These were installed before June 10th I am almost certain. I will read that link just to be safe!

Looking at my pacman cache both of these versions existed on my system before June of this year so I think I am okay.

I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform.
The attacker used at least three Node dependencies in the attack; just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm.
How did emacs-magit get affected? It does not have any JavaScript to my knowledge.