libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn’t remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you’d inadvertently update libgdata from an AUR source if you’re using an AUR helper.
Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.
Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the /var/log/pacman. You can see them like this,
grep "package_name" /var/log/pacman
For yay installed packages you can see they are getting installed from ~/.config/yay/package_name. But for my libgdata, it simply says [ALPM] installed libgdata (0.18.1-5).
Was it installed from the aur? If not, you’re fine
libgdata here is specifically very messy. It was an official package since it was a required dependency for older versions of GNOME, then in GNOME 50 they dropped the dependency and so did Arch from their repos. But because pacman doesn’t remove dangling dependencies, you end up with libgdata still installed, until Arch Linux moves dropped packages into the AUR as an orphan, which happened in this case 5/31. This allowed it to be perfectly timed for the attackers to pick it up on 6/11. Now, you’d inadvertently update libgdata from an AUR source if you’re using an AUR helper.
Yes that seems to be the case. But on 12th of June, I did a yay update. But only librewolf-bin was updated. libgdata (0.18.1-5) was last updated on March 05 2026 for me.
Also I did some digging around. Seems like any packages that were installed using a AUR helper (like yay in my case) would leave logs in the
/var/log/pacman. You can see them like this,grep "package_name" /var/log/pacmanFor yay installed packages you can see they are getting installed from
~/.config/yay/package_name. But for my libgdata, it simply says[ALPM] installed libgdata (0.18.1-5).You can also check the build/install date of a package with pacman -Qi