• A_norny_mousse@piefed.zip
    7 hours ago

    Thanks. The forum thread’s beginning suggests a concerted effort around adding the line npm install atomic-lockfile to repos.

    Searching for that I quickly found this: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency and related articles.

    Then it seems to change to ‘bun’ and ‘js-digest’: bun add figures debug js-digest

    Apparently both atomic-lockfile and js-digest are upstream npm/javascript packages that have been infected with datamining malware.

    BTW, admins reported as of 12h ago it’s all cleaned up.
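
A scan for the install lines named in the comment above, as an added example that is not part of the original comment or the linked report: it flags package-manager install commands in a script that name atomic-lockfile or js-digest. The function names, the list of managers and verbs, and the sample script are assumptions made for illustration.

```python
import re
import shlex

# Package names come from the comment above; the manager/verb lists are assumptions.
FLAGGED = {"atomic-lockfile", "js-digest"}
MANAGERS = {"npm", "bun", "yarn", "pnpm"}
VERBS = {"install", "i", "add"}

def base_name(spec):
    """'js-digest@1.2.3' -> 'js-digest'; a leading '@' (scoped name) is kept."""
    at = spec.rfind("@")
    return spec[:at] if at > 0 else spec

def find_flagged_installs(script_text):
    """Return (line_no, manager, package) for flagged packages in install commands."""
    hits, logical, buf, start = [], [], "", 1
    # Join backslash-continued lines so a command split across lines is seen whole.
    for no, line in enumerate(script_text.splitlines(), 1):
        if not buf:
            start = no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        logical.append((start, buf + line))
        buf = ""
    if buf:
        logical.append((start, buf))
    for no, line in logical:
        # Split on shell separators, then tokenize each command like a shell would.
        for cmd in re.split(r"&&|\|\||;|\|", line):
            try:
                tokens = shlex.split(cmd, comments=True)
            except ValueError:  # unbalanced quotes: fall back to whitespace split
                tokens = cmd.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok in MANAGERS and tokens[i + 1] in VERBS:
                    hits += [(no, tok, base_name(a)) for a in tokens[i + 2:]
                             if not a.startswith("-") and base_name(a) in FLAGGED]
                    break
    return hits

# Constructed sample script, not taken from any real repository.
SAMPLE = """\
npm install atomic-lockfile
bun add figures debug js-digest
npm install --save \\
    js-digest@1.2.3 && make
echo "npm install left-pad"
"""
```

Quoted strings such as the echo line are treated as a single argument, so a command that is only printed is not reported.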