Pac-Hunt — You're the Ghost

Pac-Hunt — You're the Ghost

Easy like Pac-Man Sunday…

A rare Sunday Twitch stream today of Pac-Man World 2 Re-Pac on PC. Starting some time after 10am GMT. Come say hi in the chat!

Pac-Man, but you're the ghost | Garrit's Notes

Generalist software developer writing about scalable infrastructure, fullstack development and DevOps practices.

Il giorno in cui mirror.bakertelekom.fr ha deciso di prendersi una pausa

Un mirror francese va in vacanza senza avvisare, pacman ignora stoicamente il dramma e scarica tutto lo stesso. Nel mezzo: 47 righe di errori rossi, un aggiornamento perfettamente riuscito, e un .pacnew che aspetta ancora di essere guardato. Come sempre.

sodiboo :pride_heart: (@sodiboo)

MANY ORPHANED AUR PACKAGES ARE BEING TARGETED BY THE SAME INFOSTEALER. the Arch User Repository package `alvr` has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have [this package](https://aur.archlinux.org/packages/alvr) on your system and updated it within the last 3 hours, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. in particular, the `alvr-bin` sister package seems to be fine. [here's the relevant thread for `alvr` from the Arch Linux mailing list](https://lists.archlinux.org/archives/list/[email protected]/thread/2LGBF2AZBPVCCY4VTN6DOVUNNBURFJ2J/). SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE: [1](https://lists.archlinux.org/archives/list/[email protected]/thread/L2JXQNYBGWOQQQXDEPEAICBHKFEFANUC/), [2](https://lists.archlinux.org/archives/list/[email protected]/thread/GNJEESAL6MT7LD2HCVP3HCTZIB6YQM2N/), [3](https://lists.archlinux.org/archives/list/[email protected]/thread/EAVGB55YBS4HRVU5N6NTYCGGMDDOJAM6/), [4](https://lists.archlinux.org/archives/list/[email protected]/thread/E5QPKBGL3QKLBOJ5HWUAS6AGZKHNTLG7/), [5](https://lists.archlinux.org/archives/list/[email protected]/thread/LVYB62N3FPAWUHNJ5Z5GXG6OIR7S5P3F/) [AUR mailing list megathread](https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/) they all share in common that they will install the `atomic-lockfile` package from NPM (that is [here's a live link to the actual malware](https://www.npmjs.com/package/atomic-lockfile). do not install that). they were all orphan takeovers. as far as i can tell, all of the ones i linked have been reverted to known safe versions. including `alvr`. this is an **infostealer**, meaning it exfiltrates sensitive data from your system such as login credentials. removing the malware will not undo the damage. moreover, **uninstalling the malicious package will not remove the malware** because it persists as a systemd service that stays on your system indefinitely. it executes as an npm preinstall script, and the npm package is installed by the AUR packages. this means that **simply installing the malicious versions of any of these packages will compromise you**. it does not require you to do anything more afterwards. again, **the malware persists if you uninstall the malicious packages** --- Attached is a screenshot of an announcement from the "Linux VR Adventures" discord. i know we all hate discord, but LVRA has a lot of auxiliary discussion, so [here's an invite link](https://discord.gg/zKPzbNwC6H) of special interest, [here's a malware analysis thread](https://discord.com/channels/1065291958328758352/1514675213089116342/1514675217056927774) that just started. Feel free to follow it in real time, or contribute, or whatever. (i've posted some details from that thread in the replies to this post) (📎1)