277
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages (www.phoronix.com)
submitted 2 weeks ago by rafssunny@lemmy.zip to c/technology@lemmy.world
50 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] brokenwing@discuss.tchncs.de 2 points 2 weeks ago* (last edited 1 week ago)

What to do if I found a package I installed to be in that list? libgdata to be specific?

Edit: Seems that the libgdata package was last installed on March 05.

[-] Peter_Arbeitslos@feddit.org 2 points 2 weeks ago* (last edited 2 weeks ago)

Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you're fine.

If:

  • Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
  • Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It's supposed to be an eBPF rootkit)

(reference)

Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.

[-] ilmagico@lemmy.world 1 points 2 weeks ago

Was it installed from the aur? If not, you're fine

[-] stardreamer 3 points 2 weeks ago

libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn't remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you'd inadvertently update libgdata from an AUR source if you're using an AUR helper.

[-] brokenwing@discuss.tchncs.de 1 points 1 week ago

Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.

Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,

grep "package_name" /var/log/pacman

For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).

[-] gratux 1 points 1 week ago

You can also check the build/install date of a package with pacman -Qi

[-] stardreamer 1 points 1 week ago

Sounds like you got lucky. libgdata was part of the second round of attacks and was quickly reverted. It's likely you're running the last official release.

[-] A_norny_mousse@piefed.zip 1 points 2 weeks ago* (last edited 2 weeks ago)

Probably reinstall (all is supposed to be fixed as of over 12h ago). This time check the PKGBUILD and also whichever (git) repo the software is pulled from.
See if infected versions of npm packages atomic-lockfile and js-digest are installed.

See here: https://bbs.archlinux.org/viewtopic.php?id=313892

this post was submitted on 13 Jun 2026
277 points (100.0% liked)

Technology

85748 readers
3232 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws