this post was submitted on 13 Jun 2026
132 points (99.3% liked)

Technology

85390 readers
5644 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
132
Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages (www.phoronix.com)
submitted 14 hours ago by rafssunny@lemmy.zip to c/technology@lemmy.world
40 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] brokenwing@discuss.tchncs.de 1 points 11 hours ago* (last edited 14 minutes ago) (3 children)

What to do if I found a package I installed to be in that list? libgdata to be specific?

Edit: Seems that the libgdata package was last installed on March 05.

[–] Peter_Arbeitslos@feddit.org 2 points 9 hours ago* (last edited 9 hours ago)

Have a check if you updated it recently (PKGBUILD history, about June 10-12). If not you're fine.

If:

  • Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys
  • Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit (E: It's supposed to be an eBPF rootkit)

(reference)

Personally I would reset everything if I got anything, to kill both any infection and my paranoia. Then reset credentials.

[–] A_norny_mousse@piefed.zip 0 points 7 hours ago* (last edited 7 hours ago)

Probably reinstall (all is supposed to be fixed as of over 12h ago). This time check the PKGBUILD and also whichever (git) repo the software is pulled from.
See if infected versions of npm packages atomic-lockfile and js-digest are installed.

See here: https://bbs.archlinux.org/viewtopic.php?id=313892

[–] ilmagico@lemmy.world 1 points 10 hours ago (1 children)

Was it installed from the aur? If not, you're fine

[–] stardreamer@lemmy.blahaj.zone 3 points 7 hours ago (1 children)

libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn't remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you'd inadvertently update libgdata from an AUR source if you're using an AUR helper.

[–] brokenwing@discuss.tchncs.de 1 points 16 minutes ago

Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.

Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,

grep "package_name" /var/log/pacman

For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).