| ▲ | mkayokay 4 hours ago | |
So from a quick read, it seems it installed "atomic-lockfile", "js-digest" or "lockfile-js" from npm. A list of affected packages is here [1]. Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date related infos: > pacman -Qmi Check the output against the list of affected packages. Then, you can also grep for those files in various locations: > grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json" > grep -rl "atomic-lockfile" ~/.npm 2>/dev/null > grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null Don't know if the packages delete themself after they run. I just wanted to provide some basic commands, as all the other infos I found didn't provide any help. | ||
| ▲ | jeroenhd 3 hours ago | parent | next [-] | |
The attacker used at least three Node dependencies in the attack, just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm. | ||
| ▲ | DavideNL 3 hours ago | parent | prev | next [-] | |
| ▲ | stefan_ 2 hours ago | parent | prev [-] | |
I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform. | ||