cross-posted from: discuss.tchncs.de/post/62150833
Decided to create a thread for tracking and sharing the news and opinions on the new Malicious Atomic Arch NPM Campaign, in which more than 1600 Arch Linux AUR packages were hijacked to deploy an infostealer and eBPF rootkit.
Find the infected packages: md.archlinux.org/s/SxbqukK6IA
Most popular packages on the affected list
| Package | Popularity | Affected | Reverted |
|---|---|---|---|
| libgdata | 16.98% | (2026-06-11 14:59+00:00) | (2026-06-11 17:30+00:00) |
| python-future | 5.38% | (2026-06-11 15:58+00:00) | (2026-06-11 16:54+00:00) |
| gdl | 3.36% | (2026-06-11 13:35+00:00) | (2026-06-11 17:32+00:00) |
| libquvi-scripts | 2.31% | (2026-06-11 15:05+00:00) | (2026-06-11 17:33+00:00) |
| libquvi | 2.22% | (2026-06-11 15:04+00:00) | (2026-06-11 17:33+00:00) |
| gtkimageview | 2.19% | (2026-06-11 13:44+00:00) | (2026-06-11 17:33+00:00) |
| python2-pyparsing | 2.02% | (2026-06-11 14:23+00:00) | (2026-06-11 17:40+00:00) |
| python2-appdirs | 1.96% | (2026-06-11 14:22+00:00) | (2026-06-11 17:26+00:00) |
| compiler-rt19 | 1.95% | (2026-06-11 14:23+00:00) | (2026-06-11 17:30+00:00) |
| python2-packaging | 1.90% | (2026-06-11 14:21+00:00) | (2026-06-11 17:38+00:00) |
| wine-nine | 1.86% | (2026-06-11 15:48+00:00) | (2026-06-11 21:36+00:00) |
| clang19 | 1.86% | (2026-06-11 15:36+00:00) | (2026-06-11 21:24+00:00) |
| clang15 | 1.76% | (2026-06-12 12:34+00:00) | (2026-06-12 12:54+00:00) |
| mono-addins | 1.69% | (2026-06-11 15:33+00:00) | (2026-06-11 21:34+00:00) |
| python2-chardet | 1.68% | (2026-06-12 12:42+00:00) | (2026-06-12 14:48+00:00) |
| python-monotonic | 1.55% | (2026-06-11 15:43+00:00) | (2026-06-11 21:37+00:00) |
| python2-cffi | 1.47% | (2026-06-12 12:44+00:00) | (2026-06-12 15:10+00:00) |
| alvr | 1.26% | (2026-06-11 13:54+00:00) | (2026-06-11 16:50+00:00) |
| python2-gobject | 1.23% | (2026-06-12 12:44+00:00) | (2026-06-12 14:47+00:00) |
| vidcutter | 1.03% | (2026-06-11 13:24+00:00) | (2026-06-11 17:43+00:00) |

Learn more about the attack: sonatype.com/…/atomic-arch-npm-campaign-adds-mali….
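The affected and reverted times in the table above can be compared against a machine's pacman log to see whether a listed package was installed or upgraded inside its window. This is an added example, not part of the original post; it assumes the default log location /var/log/pacman.log and pacman's ISO 8601 log timestamps, and the sample log lines and version strings are constructed.

```python
import re
import sys
from datetime import datetime

# Affected/reverted times copied from three rows of the table above;
# extend this dict from the full list linked in the post.
WINDOWS = {
    "libgdata": ("2026-06-11 14:59+00:00", "2026-06-11 17:30+00:00"),
    "python-future": ("2026-06-11 15:58+00:00", "2026-06-11 16:54+00:00"),
    "clang15": ("2026-06-12 12:34+00:00", "2026-06-12 12:54+00:00"),
}
TABLE_FMT = "%Y-%m-%d %H:%M%z"
LOG_FMT = "%Y-%m-%dT%H:%M:%S%z"
# pacman.log transaction line: [timestamp] [ALPM] <action> <pkg> (<version>)
LINE_RE = re.compile(
    r"^\[([^\]]+)\] \[ALPM\] (installed|upgraded|reinstalled) (\S+) \(([^)]*)\)"
)

# Constructed sample log: timestamps and versions are invented for the demo.
SAMPLE_LOG = """\
[2026-06-11T17:02:11+0200] [ALPM] upgraded libgdata (0.18.1-3 -> 0.18.1-4)
[2026-06-11T20:15:40+0200] [ALPM] upgraded python-future (1.0.0-1 -> 1.0.0-2)
[2026-06-12T12:40:03+0000] [ALPM] installed clang15 (15.0.7-1)
[2026-06-11T17:02:12+0200] [ALPM] upgraded linux (6.9.1-1 -> 6.9.2-1)
[2026-06-11T17:02:13+0200] [ALPM-SCRIPTLET] some scriptlet output
""".splitlines()

def find_exposed(log_lines, windows=WINDOWS):
    """Return (pkg, action, version, timestamp) for transactions inside a window."""
    bounds = {pkg: (datetime.strptime(a, TABLE_FMT), datetime.strptime(r, TABLE_FMT))
              for pkg, (a, r) in windows.items()}
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m[3] not in bounds:
            continue
        try:
            when = datetime.strptime(m[1], LOG_FMT)  # offset-aware, so zones compare
        except ValueError:
            continue  # older log lines without a UTC offset are skipped
        start, end = bounds[m[3]]
        if start <= when <= end:
            hits.append((m[3], m[2], m[4], when.isoformat()))
    return hits

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_exposed(lines):
        print(*hit)
```

Run it with the log path as the only argument; with no argument it scans the constructed sample. It only matches on install time, so a package built later from a checkout fetched during the window would not be flagged.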
Tetsuo@jlai.lu 2 weeks ago
I just wanted to warn the Steam Deck users that there might be a risk their device could be infected because of the recent Arch User Repository (AUR) hack.
I have no idea how critical the infection can practically be on Steam Decks but just in case you might want to check your setup.
copygirl@lemmy.blahaj.zone 2 weeks ago
From my experience, installing (especially building) AUR packages on SteamOS is practically impossible, because of how stripped down SteamOS is.
Fubarberry@sopuli.xyz 2 weeks ago
People using the AUR on SteamOS probably are doing so through distrobox. Distrobox doesn’t sandbox as far as I know, so the infostealer part of the malware would still be a risk. The rootkit part I’m guessing would fail, since I think distrobox on Deck usually runs in rootless mode.
It also seems like there was a fairly short window of time before the infected packages were caught; anyone who didn’t update one of the compromised packages on that exact day should be fine.
thingsiplay@lemmy.ml 2 weeks ago
It is not impossible. SteamOS itself is not “stripped down”, at least that is not the reason why you cannot install packages from AUR. SteamOS has a write protection for the system files and the operating system installation. On top of it, any changes made to it will be reverted back with a system update.
One can enable write permission and install AUR packages. However, with the next update the system is usually reverted back and changes like these are lost. Therefore being infected on Steam Deck is unlikely. If anyone did that and got infected during that period of time, then I wouldn’t trust the installation anymore.
aurelian@lemmy.ml 2 weeks ago
And this is why I run NixOS on my Steam Deck. OK, not the reason but one of many.
Love Jovian
Tetsuo@jlai.lu 2 weeks ago
Since SteamOS also has immutability, I’m curious why you choose NixOS?
You wanted more flexibility maybe?