this post was submitted on 14 Jun 2026

cross-posted from: https://discuss.tchncs.de/post/62150833

Decided to create a thread for tracking and sharing the news and opinions on the new Malicious Atomic Arch NPM Campaign, in which more than 1600 Arch Linux AUR packages were hijacked to deploy an infostealer and eBPF rootkit.

Find the infected packages: https://md.archlinux.org/s/SxbqukK6IA

Most popular packages on the affected list

Package        Popularity Affected                 Reverted
libgdata           16.98% (2026-06-11 14:59+00:00) (2026-06-11 17:30+00:00)
python-future       5.38% (2026-06-11 15:58+00:00) (2026-06-11 16:54+00:00)
gdl                 3.36% (2026-06-11 13:35+00:00) (2026-06-11 17:32+00:00)
libquvi-scripts     2.31% (2026-06-11 15:05+00:00) (2026-06-11 17:33+00:00)
libquvi             2.22% (2026-06-11 15:04+00:00) (2026-06-11 17:33+00:00)
gtkimageview        2.19% (2026-06-11 13:44+00:00) (2026-06-11 17:33+00:00)
python2-pyparsing   2.02% (2026-06-11 14:23+00:00) (2026-06-11 17:40+00:00)
python2-appdirs     1.96% (2026-06-11 14:22+00:00) (2026-06-11 17:26+00:00)
compiler-rt19       1.95% (2026-06-11 14:23+00:00) (2026-06-11 17:30+00:00)
python2-packaging   1.90% (2026-06-11 14:21+00:00) (2026-06-11 17:38+00:00)
wine-nine           1.86% (2026-06-11 15:48+00:00) (2026-06-11 21:36+00:00)
clang19             1.86% (2026-06-11 15:36+00:00) (2026-06-11 21:24+00:00)
clang15             1.76% (2026-06-12 12:34+00:00) (2026-06-12 12:54+00:00)
mono-addins         1.69% (2026-06-11 15:33+00:00) (2026-06-11 21:34+00:00)
python2-chardet     1.68% (2026-06-12 12:42+00:00) (2026-06-12 14:48+00:00)
python-monotonic    1.55% (2026-06-11 15:43+00:00) (2026-06-11 21:37+00:00)
python2-cffi        1.47% (2026-06-12 12:44+00:00) (2026-06-12 15:10+00:00)
alvr                1.26% (2026-06-11 13:54+00:00) (2026-06-11 16:50+00:00)
python2-gobject     1.23% (2026-06-12 12:44+00:00) (2026-06-12 14:47+00:00)
vidcutter           1.03% (2026-06-11 13:24+00:00) (2026-06-11 17:43+00:00)

Learn more about the attack: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency.
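One way to use the table above is to compare it with the local pacman log. The following is an added example, not part of the original post or of any Arch tooling: it flags installs or upgrades of a listed package whose timestamp falls inside that package's affected-to-reverted window. Only three rows of the table are copied in, the function and variable names are hypothetical, and the sample log lines and their version strings are constructed.

```python
import re
from datetime import datetime

TABLE_FMT = "%Y-%m-%d %H:%M%z"       # timestamp style used in the post's table
LOG_FMT = "%Y-%m-%dT%H:%M:%S%z"      # timestamp style used in pacman.log

# Exposure windows (affected, reverted) copied from the table in the post.
# Only three rows are included here; extend from the full list linked above.
WINDOWS = {
    "libgdata": ("2026-06-11 14:59+00:00", "2026-06-11 17:30+00:00"),
    "python-future": ("2026-06-11 15:58+00:00", "2026-06-11 16:54+00:00"),
    "alvr": ("2026-06-11 13:54+00:00", "2026-06-11 16:50+00:00"),
}

# pacman.log transaction line: [timestamp] [ALPM] action package (version)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] "
    r"(?P<action>installed|upgraded|reinstalled) (?P<pkg>\S+) \((?P<ver>[^)]*)\)"
)

def exposed_transactions(log_lines, windows=WINDOWS):
    """Return (timestamp, action, package, version) for every install or
    upgrade of a listed package that happened inside its exposure window."""
    parsed = {pkg: tuple(datetime.strptime(t, TABLE_FMT) for t in w)
              for pkg, w in windows.items()}
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["pkg"] not in parsed:
            continue
        try:
            when = datetime.strptime(m["ts"], LOG_FMT)
        except ValueError:
            continue  # older pacman logs use a timestamp without an offset
        start, end = parsed[m["pkg"]]
        if start <= when <= end:  # timezone-aware comparison, not string order
            hits.append((when.isoformat(), m["action"], m["pkg"], m["ver"]))
    return hits

# Constructed sample lines in pacman.log format (not from a real system).
SAMPLE_LOG = [
    "[2026-02-03T09:12:44+0100] [ALPM] upgraded libgdata (0.18.1-3 -> 0.18.1-4)",
    "[2026-06-11T17:05:10+0200] [ALPM] upgraded alvr (20.1-1 -> 20.1-2)",
    "[2026-06-11T19:00:00+0000] [ALPM] upgraded python-future (1.0-1 -> 1.0-2)",
    "[2026-06-11T15:10:00+0000] [ALPM] installed firefox (1-1)",
]

if __name__ == "__main__":
    for hit in exposed_transactions(SAMPLE_LOG):
        print(*hit)
```

On a real system, pass the lines of `/var/log/pacman.log` instead of `SAMPLE_LOG`. The second sample line is logged at 17:05 local time (+0200), which is 15:05 UTC and inside the alvr window, so local timestamps cannot be compared with the table by eye without converting the offset.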

[–] Fubarberry@sopuli.xyz 2 points 10 hours ago

Pretty scary, my desktop had the libgdata package left over as an orphan from something I had installed in the past. Thankfully I hadn't updated on the day of the attack, my package logs show my build of libgdata was from a February update instead.

[–] Tetsuo@jlai.lu 6 points 22 hours ago (2 children)

I just wanted to warn the Steamdeck users that there might be a risk their device could be infected because of the recent Arch User Repository (AUR) hack.

I have no idea how critical the infection can practically be on Steamdecks but just in case you might want to check your setup.

[–] copygirl@lemmy.blahaj.zone 6 points 20 hours ago (2 children)

From my experience, installing (especially building) AUR packages on SteamOS is practically impossible, because of how stripped down SteamOS is.

[–] Fubarberry@sopuli.xyz 3 points 10 hours ago

People using the AUR on SteamOS probably are doing so through distrobox. Distrobox doesn't sandbox as far as I know, so the infostealer part of the malware would still be a risk. The rootkit part I'm guessing would fail, since I think distrobox on Deck usually runs in rootless mode.

It also seems like there was a fairly short window of time before the infected packages were caught, anyone who didn't update one of the compromised packages on that exact day should be fine.

[–] thingsiplay@lemmy.ml 1 points 19 hours ago (2 children)

It is not impossible. SteamOS itself is not "stripped down", at least that is not the reason why you cannot install packages from AUR. SteamOS has a write protection for the system files and the operating system installation. On top of it, any changes made to it will be reverted back with a system update.

One can enable write permission and install AUR packages. However with the next update the system is usually reverted back and changes like these are lost. Therefore being infected on Steam Deck is unlikely. If anyone did that and got infected during that period of time, then I wouldn't trust the installation anymore.

[–] copygirl@lemmy.blahaj.zone 2 points 18 hours ago (1 children)

Have you actually tried installing packages onto SteamOS (with readonly disabled)? Because system packages will be out of date with mainline Arch, which is already a bad idea on a rolling-release distro, and on top of that they are stripped from important stuff required to build other packages from source. It's been a hot minute (> 1 year) so I forget if it was symbols or what exactly, but my point is the same: SteamOS should not be treated as an Arch system where you can expect additional (official or user) packages to work.

[–] thingsiplay@lemmy.ml 1 points 18 hours ago (1 children)

I agree with you, nobody should disable readonly mode and tinker with system packages (and I do not mean Flatpak). However there is an alternative to this and officially supported. Valve added an exception to Nix package manager, that you can use to install packages from Nix repository and update them without pacman. And it will remain even after a system update, without disabling readonly system.

[–] copygirl@lemmy.blahaj.zone 2 points 17 hours ago* (last edited 17 hours ago) (1 children)

My comment was about AUR packages tho. Heck, the entire thread is.

[–] thingsiplay@lemmy.ml 1 points 17 hours ago

I know, and I answered accordingly. I gave an alternative to install packages, because it's not recommended to use AUR on Steam Deck.

[–] Tetsuo@jlai.lu 1 points 18 hours ago (1 children)

That was my understanding but I'm not sure I agree with your conclusion though.

This hack drops an infostealer that could steal passwords and other secrets, so even if the system removes the malware, the data stolen would still be an issue.

So you can be infected for even a few days and get some passwords stolen that would still be problematic.

But yeah the subset of Steamdeck users that activated write mode and installed an affected AUR package must be pretty small.

[–] thingsiplay@lemmy.ml 1 points 18 hours ago

> That was my understanding but I’m not sure I agree with your conclusion though.

My conclusion does align with yours, so I'm not sure what you mean. It is likely to be infected, because most people don't use the AUR on the Steam Deck (because of the reverting back). And my conclusion was, if anyone is infected, then I would not trust the system anymore.

[–] aurelian@lemmy.ml 2 points 19 hours ago (1 children)

And this is why I run nixos on my steam deck. Ok not the reason but one of many.

Love Jovian

[–] Tetsuo@jlai.lu 1 points 18 hours ago

Since SteamOS also has immutability, I'm curious why you choose NixOS?

You wanted more flexibility maybe?