collection of detection scripts
the Arch User Repository package alvr has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have this package on your system and updated it recently, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. in particular, the alvr-bin sister package seems to be fine.
here's the relevant thread for alvr from the Arch Linux mailing list. alvr seems to be the first package compromised and/or the first one that was noticed. it was updated maliciously at 2026-06-11 13:53:45 UTC (2026-06-11T13:53:45.000Z) and reverted approximately 3-4 hours after that.
SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE: 1, 2, 3, 4, 5
AUR mailing list megathread <-- over 400 (!!!!) packages have the malicious npm dependency
i believe this is an up-to-date list of all packages that are known to be compromised
they all share in common that they will install the atomic-lockfile package from NPM. they were all orphan takeovers. as far as i can tell, all of the ones that have been noticed were reverted to known safe versions. including alvr.
THAT NPM PACKAGE HAS BEEN TAKEN DOWN, but there is another wave of this attack still ongoing! this time, the infected packages are installing js-digest or lockfile-js, also from npm registry (but using bun). js-digest was already taken down, but lockfile-js was published 2026-06-12 13:01:03 UTC (2026-06-12T13:01:03.000Z) and is still live right now !!
this is an infostealer, meaning it exfiltrates sensitive data from your system such as browser cookies, discord tokens, ssh keys, and container registry logins. removing the malware will not undo the damage; the attacker now has all your credentials. moreover, uninstalling the malicious package will not remove the malware because it persists as a systemd service that stays on your system indefinitely.
it executes as an npm preinstall script, and the npm package is installed by the AUR packages. this means that simply installing the malicious versions of any of these packages will compromise you. it does not require you to do anything more afterwards. again, the malware persists if you uninstall the malicious packages.
to check if you've been compromised, look in /etc/systemd/system and ~/.config/systemd/user for a recently added .service file with a random name. that's the persistence mechanism and the most obvious mark that you've been compromised.
---
Attached is a screenshot of an announcement from the "Linux VR Adventures" discord.
i know we all hate discord, but LVRA has a lot of auxiliary discussion, so here's an invite link. (or at least, it had a lot of relevant discussion when the news broke and this post was much shorter; it's mostly quiet now as we realized the scope goes way beyond VR. this post is also now more complete than it was)
of special interest, here's a malware analysis thread. Feel free to follow it in real time, or contribute, or whatever. Whanos has produced a preliminary analysis blog post that contains a lot of important information about the malware.
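
The check described in the post (a recently added .service file in /etc/systemd/system or ~/.config/systemd/user), written out as an added shell example; it is not part of the original post or of the linked detection scripts. The function names, the `--scan` argument and the 14-day default window are assumptions.

```shell
#!/bin/sh
# Added example: list systemd unit files that appeared recently in the two
# directories the post names, with what each one would execute.

# recent_units DAYS DIR...: print regular *.service files directly inside
# each DIR whose modification time falls within the last DAYS days.
recent_units() (
    days=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue   # the per-user directory may not exist
        # -type f skips symlinks (enabled or masked units);
        # -maxdepth 1 skips *.wants/ and drop-in subdirectories.
        find "$dir" -maxdepth 1 -type f -name '*.service' \
            -mtime "-$days" -print
    done
)

# describe_unit FILE: print mtime, owning package (if pacman is present)
# and the Exec* lines, which show what the unit runs.
describe_unit() (
    printf '%s  %s\n' "$(date -r "$1" '+%Y-%m-%d %H:%M:%S')" "$1"
    if command -v pacman >/dev/null 2>&1; then
        # Hand-written units are unowned too, so this is a hint, not a verdict.
        owner=$(pacman -Qoq "$1" 2>/dev/null) || owner='(no owning package)'
        printf '    owner: %s\n' "$owner"
    fi
    grep -E '^[[:space:]]*Exec[A-Za-z]*=' "$1" | sed 's/^/    /'
)

# scan [DAYS]: run the check over the system and per-user unit directories.
scan() {
    recent_units "${1:-14}" /etc/systemd/system "$HOME/.config/systemd/user" |
    while IFS= read -r unit; do
        describe_unit "$unit"
    done
}

# Stand-alone use: sh check-units.sh --scan [DAYS]   (file name is arbitrary)
if [ "${1:-}" = "--scan" ]; then
    scan "${2:-14}"
fi
```

A listed unit is a candidate to read, not proof of compromise: units you created yourself in the same window show up the same way. Run it as root as well as your own user if /etc/systemd/system is not readable to you.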







