Comment by mkayokay

2 days ago

So from a quick read, it seems it installed "atomic-lockfile", "js-digest" or "lockfile-js" from npm. A list of affected packages is here [1].

Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date related infos:

> pacman -Qmi

Check the output against the list of affected packages.

Then, you can also grep for those files in various locations: > grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json"

> grep -rl "atomic-lockfile" ~/.npm 2>/dev/null

> grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null

Don't know if the packages delete themself after they run. I just wanted to provide some basic commands, as all the other infos I found didn't provide any help.

[1] https://md.archlinux.org/s/SxbqukK6IA

8 comments

mkayokay

Reply
shlip  1 day ago

Here is how I did it :

Get a list of installed packages originating from AUR using 'yay' :

  yay -Qam > packages_aur.last

Get list from https://md.archlinux.org/s/SxbqukK6IA# :

  curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt

then :

  grep -wFf compromised.txt packages_aur.last

should spit out the packages that are in both files, hence were compromised at some point, I guess.

  • galleywest200  1 day ago

    Thank you for this! I only had two on my system, thank goodness. I have uninstalled both.

    libgdata 0.18.1-5 qt5-3d 5.15.18-1

    • bilkow  1 day ago

      Have you checked the install date? I'm not sure which are the compromised version numbers, but if they were installed before June 10 you're probably safe. (I think libgdata 0.18.1-5 used to be on the main repos in February, and has recently been downgraded to AUR, so you may be fine).

      Only packages from AUR have been compromised, meaning a normal update `pacman -Syu` won't install them, they'll only be installed by `makepkg` or AUR helpers (such as `paru`, which asks you to review the PKGBUILD diff).

      Also, if you had installed a compromised version, uninstalling the packages is not enough, you'd probably need to reinstall your system and rotate all credentials. More info here and on the linked blog: https://discourse.ifin.network/t/400-aur-packages-compromise...

      1 reply →

jeroenhd  2 days ago

The attacker used at least three Node dependencies in the attack, just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm.

stefan_  1 day ago

I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform.