• A_norny_mousse@piefed.zip
    5 upvotes · edited · 20 hours ago

    Holy crap, so many!

    Is this a concerted effort (by evil hackers)? (edit: yes. was.)

    Can we still see an example of an affected PKGBUILD or git repo? I just tried some randomly and they all seem fixed already.

    • chameleon@fedia.io
      5 upvotes · 1 day ago

      One example: https://aur.archlinux.org/cgit/aur.git/commit/?h=oracle-bin&id=eceeb808ef933a66285ea68cefd72c1b5f4374c9 . It seems the AUR team force-pushed the malicious commits out of the repo branches, likely to prevent them from being accidentally reused by git-bisect in the future, but the URLs still seem to work until they run garbage collection. The author/committer information on each affected commit impersonated a previous maintainer of that particular repository and isn’t real.

      The whole thing essentially just boils down to adding a cd /tmp; npm install [random crap] post-install hook to every abandoned repository they easily got access to, which itself had a post-install hook to set up malware things. npm has nulled the affected packages, though it took them somewhere around 24 hours to do so. atomic-lockfile was one of them.
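A defender-side check for the pattern chameleon describes, added here as an example and not code from the thread, the AUR team or npm: a small POSIX sh heuristic that flags lines in a PKGBUILD or .install file which fetch code from the network at build or install time (npm install, pip install, curl, wget). The sample PKGBUILD, its package name and the placeholder npm package are constructed for illustration; the regex is a starting point, not a complete rule set.

```shell
#!/bin/sh
# Added example: heuristic scan of a PKGBUILD (or .install file) for hooks that
# pull code from the network at build/install time, e.g. "cd /tmp; npm install X".
# Legitimate fetching belongs in source=() where makepkg checks the checksums,
# not inside package(), build() or post_install().

# Package-manager installs and download tools that should not appear in hooks.
SUSPICIOUS_RE='(^|[;&|[:space:]])(npm[[:space:]]+(install|i)|pip3?[[:space:]]+install|curl|wget)([[:space:]]|$)'

# suspicious_lines FILE: print "LINE: text" for each matching non-comment line.
suspicious_lines() {
    grep -nE "$SUSPICIOUS_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# count_suspicious FILE: number of flagged lines (0 when the file is clean).
count_suspicious() {
    suspicious_lines "$1" | grep -c . || true
}

# write_sample FILE: constructed PKGBUILD (hypothetical package) carrying the
# kind of hook described in the thread; PLACEHOLDER-PACKAGE is not a real name.
write_sample() {
    cat >"$1" <<'EOF'
pkgname=example-bin
pkgver=1.0
source=("https://example.invalid/example-1.0.tar.gz")

package() {
    install -Dm755 example "$pkgdir/usr/bin/example"
    # injected hook: fetches and runs third-party code during packaging
    cd /tmp; npm install PLACEHOLDER-PACKAGE
}
EOF
}

# Demo: scan the constructed sample and report flagged lines.
DEMO=$(mktemp)
write_sample "$DEMO"
echo "flagged lines in constructed PKGBUILD: $(count_suspicious "$DEMO")"
suspicious_lines "$DEMO"
rm -f "$DEMO"
```

In practice run `suspicious_lines` over every PKGBUILD and *.install file in a checkout before building, and treat any hit as a reason to read the diff against the previous commit.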