Steam Hardware

22286 readers

93 users here now

A place to discuss and support all Steam Hardware, including Steam Deck, Steam Machine, Steam Frame, and SteamOS in general.

As Lemmy doesn't have flairs yet, you can use these prefixes to indicate what type of post you have made, eg:
[Flair] My post title

The following is a list of suggested flairs:
[Deck] - Steam Deck related.
[Controller] - Steam Controller related.
[Machine] - Steam Machine related.
[Frame] - Steam Frame related.
[Discussion] - General discussion.
[Help] - A request for help or support.
[News] - News about the deck.
[PSA] - Sharing important information.
[Game] - News / info about a game on the deck.
[Update] - An update to a previous post.
[Meta] - Discussion about this community.

If your post is only relevant to one hardware device (Deck/Machine/Frame/etc) please specify which one as part of the title or by using a device flair.

These are not enforced, but they are encouraged.

Rules:

Follow the rules of Sopuli
Posts must be related to Steam Hardware or Steam OS in an obvious way.
No piracy, there are other communities for that.
Discussion of emulators are allowed, but no discussion on how to illegally acquire ROMs.
This is a place of civil discussion, no trolling.
Have fun.

Link to our Matrix Space

founded 4 years ago

MODERATORS

Moxvallix@sopuli.xyz

Fubarberry@sopuli.xyz

Malicious Atomic Arch NPM Campaign Thread (jlai.lu)

submitted 23 hours ago by Tetsuo@jlai.lu to c/steamdeck@sopuli.xyz

13 comments fedilink hide all child comments

cross-posted from: https://discuss.tchncs.de/post/62150833

Decided to create a thread for tracking and sharing the news and opinions on the new Malicious Atomic Arch NPM Campaign in which more than 1600 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit.

Find the infected packages: https://md.archlinux.org/s/SxbqukK6IA

Package        Popularity                Affected                 Reverted
libgdata           16.98% (2026-06-11 14:59+00:00) (2026-06-11 17:30+00:00)
python-future       5.38% (2026-06-11 15:58+00:00) (2026-06-11 16:54+00:00)
gdl                 3.36% (2026-06-11 13:35+00:00) (2026-06-11 17:32+00:00)
libquvi-scripts     2.31% (2026-06-11 15:05+00:00) (2026-06-11 17:33+00:00)
libquvi             2.22% (2026-06-11 15:04+00:00) (2026-06-11 17:33+00:00)
gtkimageview        2.19% (2026-06-11 13:44+00:00) (2026-06-11 17:33+00:00)
python2-pyparsing   2.02% (2026-06-11 14:23+00:00) (2026-06-11 17:40+00:00)
python2-appdirs     1.96% (2026-06-11 14:22+00:00) (2026-06-11 17:26+00:00)
compiler-rt19       1.95% (2026-06-11 14:23+00:00) (2026-06-11 17:30+00:00)
python2-packaging   1.90% (2026-06-11 14:21+00:00) (2026-06-11 17:38+00:00)
wine-nine           1.86% (2026-06-11 15:48+00:00) (2026-06-11 21:36+00:00)
clang19             1.86% (2026-06-11 15:36+00:00) (2026-06-11 21:24+00:00)
clang15             1.76% (2026-06-12 12:34+00:00) (2026-06-12 12:54+00:00)
mono-addins         1.69% (2026-06-11 15:33+00:00) (2026-06-11 21:34+00:00)
python2-chardet     1.68% (2026-06-12 12:42+00:00) (2026-06-12 14:48+00:00)
python-monotonic    1.55% (2026-06-11 15:43+00:00) (2026-06-11 21:37+00:00)
python2-cffi        1.47% (2026-06-12 12:44+00:00) (2026-06-12 15:10+00:00)
alvr                1.26% (2026-06-11 13:54+00:00) (2026-06-11 16:50+00:00)
python2-gobject     1.23% (2026-06-12 12:44+00:00) (2026-06-12 14:47+00:00)
vidcutter           1.03% (2026-06-11 13:24+00:00) (2026-06-11 17:43+00:00)

Learn more about the attack: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency.

you are viewing a single comment's thread
view the rest of the comments

[–] copygirl@lemmy.blahaj.zone 6 points 21 hours ago (2 children)

From my experience, installing (especially building) AUR packages on SteamOS is practically impossible, because of how stripped down SteamOS is.

[–] Fubarberry@sopuli.xyz 3 points 11 hours ago

People using the aur on steamOS probably are doing so through distrobox. Distrobox doesn't sandbox as far as I know, so the infostealer part of the malware would still be a risk. The rootkit part I'm guessing would fail, since I think distrobox on Deck usually runs in rootless mode.

It also seems like there was a fairly short window of time before the infected packages were caught, anyone who didn't update one of the compromised packages on that exact day should be fine.

[–] thingsiplay@lemmy.ml 1 points 20 hours ago (2 children)

It is not impossible. SteamOS itself is not "stripped down", at least that is not the reason why you cannot install packages from AUR. SteamOS has a write protection for the system files and the operating system installation. On top of it, any changes made to it will be reverted back with a system update.

One can enable write permission and install AUR packages. However with the next update the system is usually reverted back and changes like these are lost. Therefore being infected on Steam Deck is unlikely. If anyone did that and got infected during that period of time, then I wouldn't trust the installation anymore.

[–] copygirl@lemmy.blahaj.zone 2 points 19 hours ago (1 children)

Have you actually tried installing packages onto SteamOS (with readonly disabled)? Because system packages will be out of date with mainline Arch, which is already a bad idea on a rolling-release distro, and on top of that they are stripped from important stuff required to build other packages from source. It's been a hot minute (> 1 year) so I forget if it was symbols or what exactly, but my point is the same: SteamOS should not be treated as an Arch system where you can expect additional (official or user) packages to work.

[–] thingsiplay@lemmy.ml 1 points 18 hours ago (1 children)

I agree with you, nobody should disable readonly mode and tinker with system packages (and I do not mean Flatpak). However there is an alternative to this and officially supported. Valve added an exception to Nix package manager, that you can use to install packages from Nix repository and update them without pacman. And it will remain even after a system update, without disabling readonly system.

[–] copygirl@lemmy.blahaj.zone 2 points 18 hours ago* (last edited 18 hours ago) (1 children)

My comment was about AUR packages tho. Heck, the entire thread is.

[–] thingsiplay@lemmy.ml 1 points 18 hours ago

I know, and I answered accordingly. I gave an alternative to install packages, because its not recommended to use AUR on Steam Deck.

[–] Tetsuo@jlai.lu 1 points 19 hours ago (1 children)

That was my understanding but I'm not sure I agree with your conclusion though.

This hack drops an infostealer that could steal passwords and other secrets, so even if the system removes the malware, the data stolen would still be an issue.

So you can be infected for even a few days and get some passwords stolen that would still be problematic.

But yeah the subset of Steamdeck users that activated write mode and installed an affected AUR package must be pretty small.

[–] thingsiplay@lemmy.ml 1 points 19 hours ago

That was my understanding but I’m not sure I agree with your conclusion though.

My conclusion does align with yours, so I'm not sure what you mean. It is likely to be infected, because most people don't use the AUR on the Steam Deck (because of the reverting back). And my conclusion was, if anyone is infected, then I would not trust the system anymore.