Use Arch, they said! It'll be great, they said!
Shitty npm. Whoever invented it should be stuck in supply chain and dependency hell forever anyway.

sodiboo :pride_heart: (@sodiboo)
MANY ORPHANED AUR PACKAGES ARE BEING TARGETED BY THE SAME INFOSTEALER.

the Arch User Repository package `alvr` has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have [this package](https://aur.archlinux.org/packages/alvr) on your system and updated it within the last 3 hours, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. in particular, the `alvr-bin` sister package seems to be fine.

[here's the relevant thread for `alvr` from the Arch Linux mailing list](https://lists.archlinux.org/archives/list/[email protected]/thread/2LGBF2AZBPVCCY4VTN6DOVUNNBURFJ2J/).

SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE: [1](https://lists.archlinux.org/archives/list/[email protected]/thread/L2JXQNYBGWOQQQXDEPEAICBHKFEFANUC/), [2](https://lists.archlinux.org/archives/list/[email protected]/thread/GNJEESAL6MT7LD2HCVP3HCTZIB6YQM2N/), [3](https://lists.archlinux.org/archives/list/[email protected]/thread/EAVGB55YBS4HRVU5N6NTYCGGMDDOJAM6/), [4](https://lists.archlinux.org/archives/list/[email protected]/thread/E5QPKBGL3QKLBOJ5HWUAS6AGZKHNTLG7/), [5](https://lists.archlinux.org/archives/list/[email protected]/thread/LVYB62N3FPAWUHNJ5Z5GXG6OIR7S5P3F/)

[AUR mailing list megathread](https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/)

they all share in common that they will install the `atomic-lockfile` package from NPM (that is [here's a live link to the actual malware](https://www.npmjs.com/package/atomic-lockfile). do not install that). they were all orphan takeovers. as far as i can tell, all of the ones i linked have been reverted to known safe versions. including `alvr`.

this is an **infostealer**, meaning it exfiltrates sensitive data from your system such as login credentials. removing the malware will not undo the damage.
moreover, **uninstalling the malicious package will not remove the malware** because it persists as a systemd service that stays on your system indefinitely.

it executes as an npm preinstall script, and the npm package is installed by the AUR packages. this means that **simply installing the malicious versions of any of these packages will compromise you**. it does not require you to do anything more afterwards.

again, **the malware persists if you uninstall the malicious packages**

---

Attached is a screenshot of an announcement from the "Linux VR Adventures" discord. i know we all hate discord, but LVRA has a lot of auxiliary discussion, so [here's an invite link](https://discord.gg/zKPzbNwC6H)

of special interest, [here's a malware analysis thread](https://discord.com/channels/1065291958328758352/1514675213089116342/1514675217056927774) that just started. Feel free to follow it in real time, or contribute, or whatever.

(i've posted some details from that thread in the replies to this post)
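
A triage sketch for the indicator named in the post, added here as an example and not taken from the post or from any Arch tooling: it finds AUR build directories whose `PKGBUILD` or `.install` file mentions `atomic-lockfile` and lists the pacman log entries showing those packages were installed or upgraded. The helper cache path, the function names and the fixture in `demo` are assumptions or constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not from the post: correlate AUR build files that mention the
# npm package named in the post with what pacman actually installed.
IOC_PKG="atomic-lockfile"   # indicator taken from the post

# Print build-directory names under $1 whose PKGBUILD or *.install file
# mentions $IOC_PKG. $1 is an AUR helper clone directory (assumption).
flagged_builds() {
    local cache="$1"
    [ -d "$cache" ] || return 0
    find "$cache" -maxdepth 2 -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -lF -- "$IOC_PKG" {} + 2>/dev/null |
        while IFS= read -r f; do basename "$(dirname "$f")"; done | sort -u
}

# Print pacman.log lines that record package $2 being installed or upgraded.
# Line format: [ISO timestamp] [ALPM] upgraded NAME (OLD -> NEW)
install_events() {
    local log="$1" pkg="$2"
    [ -r "$log" ] || return 0
    awk -v p="$pkg" '$2 == "[ALPM]" && $4 == p &&
        ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled")' "$log"
}

# A flagged build that pacman also installed or upgraded needs incident handling.
triage() {
    local cache="$1" log="$2" pkg
    flagged_builds "$cache" | while IFS= read -r pkg; do
        install_events "$log" "$pkg" | sed 's/^/EXPOSED /'
    done
}

# Constructed fixture (not real data): one flagged build, one clean build.
demo() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/cache/alvr" "$d/cache/other-pkg"
    printf 'npm install atomic-lockfile  # constructed line\n' > "$d/cache/alvr/alvr.install"
    printf 'pkgname=other-pkg\n' > "$d/cache/other-pkg/PKGBUILD"
    printf '%s\n' \
        '[2025-01-01T10:00:00+0000] [ALPM] upgraded other-pkg (1.0-1 -> 1.1-1)' \
        '[2025-01-01T10:05:00+0000] [ALPM] upgraded alvr (1.0-1 -> 1.0-2)' > "$d/pacman.log"
    triage "$d/cache" "$d/pacman.log"
    rm -rf "$d"
}

# Usage: script.sh ~/.cache/yay /var/log/pacman.log   (no arguments runs the demo)
if [ "$#" -ge 2 ]; then triage "$1" "$2"; else demo; fi
```

No output is not proof of safety: the helper cache may already hold the reverted build files, and the script does not look for the systemd service the post describes.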




