Hundreds of AUR packages compromised [LWN.net]


[Posted June 12, 2026 by jzb]

Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm package (atomic-lockfile) that can exfiltrate sensitive data. The project is currently working on cleaning up the mess. There is a list of affected packages and a post (possibly NSFW domain) by "sodiboo" with additional information. Arch Linux users (or users of Arch-based distributions) that use AUR packages may wish to see if they have installed any of the compromised updates.
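One way to run the check suggested above, as an added example that is not LWN's or the Arch project's own tooling. It assumes the published list of affected packages has been saved to a local file with one package name per line, and that the build files to scan live under a directory you pass in; which file names might reference atomic-lockfile is also an assumption.

```shell
#!/bin/sh
# Added example: triage installed AUR packages against a list of affected ones.
# Assumed list format: one package name per line, '#' starts a comment.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Strip CRs, comments, surrounding whitespace and blank lines; sort uniquely.
normalise() {
    tr -d '\r' |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        sort -u
}

# Installed foreign (non-repository, e.g. AUR) package names.
# Reads FILE when given so the check can run offline; otherwise asks pacman.
installed_foreign() {
    if [ -n "${1:-}" ]; then cat "$1"; else pacman -Qqm; fi
}

# affected_installed AFFECTED_LIST [INSTALLED_LIST]
# Prints every name that is both installed and on the affected list.
affected_installed() {
    tmp=$(mktemp -d) || return 2
    normalise < "$1" > "$tmp/affected"
    installed_foreign "${2:-}" | normalise > "$tmp/installed"
    comm -12 "$tmp/affected" "$tmp/installed"
    rm -rf "$tmp"
}

# refs_to_npm_package DIR
# Lists build files under DIR (for example an AUR helper's clone directory)
# that mention the npm package named in the article.
refs_to_npm_package() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' -o -name package.json \) \
        -exec grep -l -F -- 'atomic-lockfile' {} + 2>/dev/null | sort
}

# Usage on an Arch system (paths are placeholders):
#   affected_installed ./affected-packages.txt
#   refs_to_npm_package /path/to/aur/build/cache
```

A name printed by `affected_installed` only shows that a listed package is installed, not that one of the compromised updates was built, so treat each hit as a package to review against the project's cleanup information.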


Links and domain names

Posted Jun 12, 2026 14:23 UTC (Fri) by Kalenx (subscriber, #120295) [Link] (20 responses)

Informative (and important) post, but I'd have rather avoided clicking on a link to a "gaysex.cloud" domain on a work computer. Even just hovering on the link (to see where it points to) triggers a DNS/TCP handshake request -- at least on my browser.

To state the obvious, nothing wrong with "gay sex", just having such a domain directly linked from a Linux tech focused website. When you don't expect it and click it on a monitored network, that can be annoying / embarrassing...

Links and domain names

Posted Jun 12, 2026 14:26 UTC (Fri) by jzb (editor, #7867) [Link] (5 responses)

I've added a note to say that it's a "possibly NSFW domain". I hope that will help? The post itself was not, as far as I noticed, in any way NSFW.

Links and domain names

Posted Jun 12, 2026 14:29 UTC (Fri) by Kalenx (subscriber, #120295) [Link] (1 responses)

Oh absolutely, the post is, in itself, very informative actually. Just a matter of domain name. Thanks for the quick fix.

Links and domain names

Posted Jun 12, 2026 14:39 UTC (Fri) by jzb (editor, #7867) [Link]

Thanks for the comment! Sorry to miss that on the first go-around. As you might imagine, one of the benefits to working for LWN is that there's not exactly a lot of corporate monitoring going on. :-)

Links and domain names

Posted Jun 12, 2026 15:11 UTC (Fri) by burki99 (subscriber, #17149) [Link] (2 responses)

NSFW is a little hard to parse for non-native speakers (or workers from countries where internet monitoring by your company is rather unusual).

Links and domain names

Posted Jun 12, 2026 21:24 UTC (Fri) by jepsis (subscriber, #130218) [Link]

Never heard that acronym before. Happy to live in a free country where you don't get fired for clicking a link.

Links and domain names

Posted Jun 13, 2026 0:04 UTC (Sat) by ssokolow (guest, #94568) [Link]

I just interpret it as "things that would at least lead to an awkward moment if a passing co-worker noticed them".

(Which is why admitting you watch any non-Studio Ghibli anime is NSFW for a lot of people. I had my brother share this comedy sketch while commenting on what a surprise it is to him whenever my other brother seems to already know every anime he brings up because he's so good at giving the impression that he doesn't watch any.)

Links and domain names

Posted Jun 12, 2026 16:23 UTC (Fri) by NightMonkey (subscriber, #23051) [Link]

Of course, it could just be dedicated to a person's ex. :shrug:

Links and domain names

Posted Jun 13, 2026 6:00 UTC (Sat) by jengelh (subscriber, #33263) [Link] (7 responses)

>To state the obvious, nothing wrong with [...] just [...]. Even just [...]

That's a figleaf argument: So there *is* something wrong with it. Just own the position without the introductory hypocrisy.

Links and domain names

Posted Jun 13, 2026 6:48 UTC (Sat) by AngryChris (subscriber, #74783) [Link]

It's not hypocrisy. He's at work. Sex is inappropriate in the workplace. Access to sex-themed sites is monitored and blocked and reported on in many workplaces. It's nothing to do with the sex being gay, it's to do with it being sex. Don't be so obtuse.

Links and domain names

Posted Jun 14, 2026 0:30 UTC (Sun) by Kalenx (subscriber, #120295) [Link] (5 responses)

Well, if you want to see it that way, yes, there is something wrong with gay sex _displayed on my computer screen at work_. But there's also something wrong with heterosexual sex, lesbian sex, furry sex, BDSM sex, non-binary sex, whatever you want.

What I wanted to point out was specifically that the issue was not the "gay" part, but the "sex" part. Again, not because it exists, but because it is not appropriate at work.

Now, you can think of this as puritan. You may believe that one should be able to put on whatever pornographic video on their computer all day long when at work and other people should just accept this the same way we accept people putting pictures of their children as wallpaper. Ok sure, the distinction is arbitrary, but this is a different debate.

Links and domain names

Posted...
