📬 Open Source & Linux Weekly - W24_2026

An npm worm and an Arch AUR attack open two supply-chain fronts, GitHub hardens npm v12, and Linux 7.1 ships this week


Supply-chain attacks ran through the week: a fresh one hijacked orphaned packages in the Arch User Repository days after JFrog detailed the IronWorm npm worm that signed its commits "claude", and GitHub moved to switch off the npm install behavior both abuse.

🤓 What I Wrote This Week

His Code Backs Up the World. Now the Internet Wants Him Flogged.

He returned from retirement to save the code under every backup on Earth. The people he protects turned on him for how he did it. He has no regrets.

Canartuc.com | Medium.com

325 Million Monthly Downloads. One Unpaid Maintainer. They Came After Him.

One stray character broke the security of 400,000 dependent projects. The security industry and the press came after the man who fixed it. His response was blunt.

Canartuc.com | Medium.com

Open Source & Linux Weekly is free. The long-form premium articles live at canartuc.com. The paid tier costs less than the domain you registered for a side project you never shipped, and it ships every week.

⚑ TL;DR

  • IronWorm and a separate Arch User Repository compromise opened two supply-chain fronts, both pulling Rust infostealers through package flows that were supposed to be trusted.
  • GitHub will make npm install scripts opt-in and block Git and remote-URL dependencies by default in npm v12, the direct counter to the worm wave.
  • Linus Torvalds shipped Linux 7.1-rc7 on June 7 and called it the last one, putting stable 7.1 on track for June 14.
  • linux-firmware added an AGENTS.md that restates its contribution rules for AI coding agents and credits Claude Opus 4.8 as a co-author.
  • Microsoft's 2011 Secure Boot certificate expires June 27, and Red Hat is already shipping dual-signed shims for RHEL 8, 9, and 10.

🐧 Linux

Torvalds ships 7.1-rc7, calls it the last one, and puts 7.1 on track for June 14

Linus Torvalds released Linux 7.1-rc7 on June 7 and signaled the cycle is closing, writing "as things look now this is the last rc" and saying he sees nothing "really scary" that would push the schedule. The candidate is not small but is smaller than the recent ones, with GPU drivers the largest area of fixes and networking just behind, the same networking churn he has tied to AI-assisted contributions for a month now. Stable 7.1 is tracking to June 14, which is the kernel the second-half distributions settle on, except for the interim Ubuntu 26.10 that is skipping it for 7.2.

Cache Aware Scheduling lands for the 7.2 merge window after years in review

The 7.2 merge window opens around mid-June once 7.1 is tagged, and its headline addition is Cache Aware Scheduling, led by Intel's Tim Chen and Chen Yu and merged into the scheduler branch of the tip tree as CONFIG_SCHED_CACHE. The feature tries to keep tasks that share data on the same last-level cache domain, cutting cache misses and cross-cache bouncing on processors that carry several last-level caches, which describes most server-class Intel and AMD silicon now. One ChaCha20 benchmark on an AMD EPYC Genoa system showed a 44 percent throughput improvement with the feature on.

NVIDIA's Nova driver keeps building out in the 7.2 Rust pull

Danilo Krummrich sent the main DRM Rust subsystem changes for Linux 7.2, with NVIDIA's open Nova driver, the modern successor to Nouveau, taking the bulk of the work. The pull adds more DRM Rust abstractions to mainline, support for higher-ranked lifetime types in Rust device drivers, and a GPUVM immediate-mode abstraction. Nova is still far from a daily-driver NVIDIA option, but the abstractions landing now are what every future Rust GPU driver will build on.

Microsoft's 2011 Secure Boot certificate expires June 27, and Red Hat is shipping dual-signed shims

Microsoft's 2011 Secure Boot signing certificate expires on June 27, 2026. After that date Microsoft will no longer sign new bootloaders with it, but machines that already have the certificate enrolled in db keep booting what they have. Red Hat released new shim binaries on June 10 for RHEL 8, 9, and 10, signed with both the 2011 and 2023 Microsoft certificates so they validate against whichever key the firmware's db carries. The cost is the firmware database update: pushing the 2023 certificate into db with fwupdmgr changes PCR7, the TPM register that records Secure Boot policy (the SecureBoot flag, PK, KEK, db and dbx contents, and the certificate that actually validated the bootloader), so any LUKS key sealed against PCR7 stops being released until you reseal it against the new value. PCR7 moves a second time if the firmware later validates the dual-signed shim through the 2023 certificate rather than the 2011 one. If you run Secure Boot with a TPM-bound LUKS volume, read Red Hat's resealing steps before June 27, not after the machine stops unlocking.
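To make the PCR7 mechanism concrete, here is an added example (not Red Hat's tooling, not any TPM library, and not code from the page) that models the SHA-256 PCR extend operation and a simplified replay of the Secure Boot policy measurements firmware records into PCR7. The variable contents are constructed stand-ins, and real firmware measures full UEFI_VARIABLE_DATA structures (vendor GUID, variable name, data), so the digests are illustrative rather than values you would find in a real event log; the point it shows is that a key sealed to the pre-update PCR7 is not released after the db changes, and that validating the shim through the 2023 certificate moves PCR7 again.

```python
"""Model of why a db update changes PCR7 and breaks a TPM-sealed LUKS key.

Added example, not Red Hat's or any TPM library's code. Event payloads are
constructed placeholders; real firmware measures UEFI_VARIABLE_DATA structs.
"""
import hashlib

PCR_INITIAL = bytes(32)  # SHA-256 bank PCRs start at all zeros


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || H(event_data))."""
    event_digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def measure_pcr7(secure_boot: bool, pk: bytes, kek: bytes,
                 db: list[bytes], dbx: list[bytes], authority: bytes) -> bytes:
    """Replay the PCR7 sequence (simplified): EV_EFI_VARIABLE_DRIVER_CONFIG
    events for SecureBoot, PK, KEK, db and dbx, then an
    EV_EFI_VARIABLE_AUTHORITY event naming the db entry that verified the
    bootloader. Ordering and encoding are simplified for illustration."""
    pcr = PCR_INITIAL
    events = [
        (b"SecureBoot", bytes([int(secure_boot)])),
        (b"PK", pk),
        (b"KEK", kek),
        (b"db", b"".join(db)),
        (b"dbx", b"".join(dbx)),
        (b"Authority", authority),
    ]
    for name, value in events:
        pcr = pcr_extend(pcr, name + b"=" + value)
    return pcr


def key_released(sealed_pcr7: bytes, current_pcr7: bytes) -> bool:
    """A PCR-bound seal policy unseals only when the PCR equals the sealed value."""
    return sealed_pcr7 == current_pcr7


def demo() -> dict:
    # Constructed certificate stand-ins, not real DER.
    ca_2011 = b"Microsoft Corporation UEFI CA 2011 (constructed)"
    ca_2023 = b"Microsoft UEFI CA 2023 (constructed)"
    pk, kek = b"OEM PK (constructed)", b"Microsoft KEK (constructed)"

    # State the LUKS key was sealed against: db holds only the 2011 CA.
    sealed = measure_pcr7(True, pk, kek, [ca_2011], [], authority=ca_2011)

    # After the 2023 CA is enrolled into db: db content changed, so PCR7
    # moves even though the shim is still validated by the 2011 entry.
    db_updated = measure_pcr7(True, pk, kek, [ca_2011, ca_2023], [], authority=ca_2011)

    # If the firmware later validates the dual-signed shim via the 2023
    # entry, the Authority measurement changes and PCR7 moves again.
    via_2023 = measure_pcr7(True, pk, kek, [ca_2011, ca_2023], [], authority=ca_2023)

    return {
        "unseals_after_db_update": key_released(sealed, db_updated),
        "unseals_after_authority_change": key_released(sealed, via_2023),
        "unseals_after_reseal": key_released(db_updated, db_updated),
        "db_update_moved_pcr7": sealed != db_updated,
        "authority_change_moved_pcr7": db_updated != via_2023,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence is the resealing order: enroll the 2023 certificate, reboot so the firmware records the new PCR7, then re-enroll the key against that value (for systemd-based setups that is `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7` on the LUKS device; Red Hat's steps cover the clevis path), and expect one more reseal if the boot path switches to the 2023 signature.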

KDE Plasma 6.7 ships June 16 with a living-room mode and a new theming engine

KDE put the final bug-fixing push on Plasma 6.7 this week ahead of the June 16 stable release, with contributors Nate Graham and John Veness writing "it's looking really good for release next Tuesday." The release adds Plasma Bigscreen, a remote-controlled interface for televisions and living-room machines, ships the first tech preview of Union, a new theming engine, and brings per-monitor virtual desktops. Bringing back a serious Bigscreen effort is KDE making a play for the same couch the Steam Machine is aiming at this summer.

Yserver, a from-scratch X11 server in Rust, reaches 1.0 with help from Claude Code

A developer who goes by joske on GitHub tagged Yserver 1.0 on June 11 and 1.1 the next day: an X11 display server written from scratch in Rust that drives DRM/KMS and Vulkan directly and runs without root through libseat. It already starts MATE, Xfce, and Cinnamon sessions on AMD, Intel, Qualcomm, and Apple silicon running Asahi Linux, and it keeps GLX rather than dropping it, including the texture-from-pixmap path that compositors need. The repository ships an AGENTS.md and a CLAUDE.md because it was built with Claude Code. Distributions are dropping X11 sessions this season, and one developer just shipped a working X11 server in Rust anyway.

Wine 11.11 drops its aging TomCrypt for Microsoft's SymCrypt

The June 12 development release replaces Wine's old bundled TomCrypt with Microsoft's open-source SymCrypt behind the bcrypt and rsaenh modules, which cuts memory leaks and speeds up the hashing that older Windows installers depend on. The experimental Wayland driver gained layered windows through the alpha-modifier-v1 protocol, fixing transparency and overlay menus in native Wayland sessions, and the VBScript engine moved to compile-time variable binding. Reaching for Microsoft's own crypto primitives to run Windows software is a pragmatic call that should mean fewer crypto edge cases in the installers Wine has always fought with.

🧩 Open Source

IronWorm rode trusted publishing into npm and signed its commits "claude"

JFrog Security Research disclosed IronWorm on June 3, a Rust-built npm worm that pushed 40 malicious versions from the compromised asteroiddao account across nine GitHub organizations. The 976 KB Rust binary runs from a preinstall hook before dependency resolution, drops an eBPF kernel rootkit that hides its own processes and network sockets, and beacons to its operator over Tor; for spread it uses npm's trusted-publishing OIDC flow on any CI runner with active federation, exchanging the runner's identity token for a package-scoped publish token and republishing itself with no stored credential to steal. It sweeps 86 environment variables and more than 20 credential files, including keys for Anthropic, OpenAI, Gemini, and a dozen other AI providers, and the malicious commits were authored as "claude" to pass as an AI coding assistant. The operator hardcoded their own recovery phrase into the wallet-stealer skip list, which is how JFrog tied the campaign to a single wallet. This is the third trusted-publishing abuse in three weeks. Trusted publishing removed long-lived tokens as a target and moved the prize to whatever the CI runner is allowed to publish, which is the surface every one of these worms now hits.

A second supply-chain front opens in the Arch User Repository

Arch Linux confirmed an active malicious-package incident in the AUR on June 12, separate from the npm worm. Attackers adopted orphaned AUR packages through the normal stewardship process and altered their PKGBUILD scripts to pull malicious code at build time. The AUR team temporarily froze new account creation, package pushes, and orphan adoptions while it cleaned up, and told users to review every PKGBUILD and install-script change. Security vendor Sonatype, which named the campaign Atomic Arch, reported that the altered builds pull three malicious npm packages (atomic-lockfile, js-digest, lockfile-js) carrying a Rust infostealer that sweeps SSH keys, tokens, and messaging-app credentials, and counted roughly 400 affected packages with later estimates climbing toward 1,500. The review Arch asks for is narrower than it sounds: makepkg verifies checksums only for the source=() array, so a prepare(), build(), or package() function that reaches the network on its own, whether through npm install, pip, curl, or git clone, has stepped around the one integrity check the format provides. IronWorm rode npm's trusted-publishing flow and this rode Arch's orphan-adoption policy. Both hit the same weakness: volunteer-maintained packages that inherit trust by default.
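A check in the spirit of Arch's advice, as an added example that is neither the AUR team's nor Sonatype's tooling: it scans a PKGBUILD for the pattern described above, a build-phase function that fetches code itself instead of declaring it in source=(), and separately counts 'SKIP' checksums that no VCS source justifies. The sample PKGBUILD is constructed, and the package and dependency names in it are placeholders.

```python
"""Flag AUR PKGBUILD functions that fetch code at build time.

Added example, not the AUR team's or Sonatype's tooling. makepkg only
checksums the source=() array, so network access inside prepare(), build(),
check() or package() bypasses the format's one integrity check. The sample
below is constructed; names are placeholders.
"""
import re

SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$pkgname-$pkgver"
  npm install helper-lockfile digest-js   # added by the adopting maintainer
  make
}

package() {
  make DESTDIR="$pkgdir" install
}
"""

# Start of a makepkg build-phase function, e.g. "build() {" or "package_foo() {".
FUNC_START = re.compile(r"^\s*(prepare|build|check|package(?:_[\w.+-]+)?)\s*\(\)\s*\{\s*$")
FUNC_END = re.compile(r"^\}\s*$")
# Commands that pull code from the network at build time (heuristic list).
FETCH = re.compile(
    r"\b(?:curl|wget|git\s+clone|npm\s+(?:install|ci|i)|yarn\s+(?:add|install)"
    r"|pnpm\s+(?:install|add)|pip3?\s+install|cargo\s+install|go\s+(?:get|install))\b"
)
# VCS sources legitimately carry a 'SKIP' checksum.
VCS_SOURCE = re.compile(r"(?:git|hg|svn|bzr|fossil)\+")


def find_build_time_fetches(pkgbuild: str) -> list[dict]:
    """Return one finding per network-fetching command inside a build-phase function."""
    findings = []
    current = None
    for lineno, line in enumerate(pkgbuild.splitlines(), 1):
        if current is None:
            match = FUNC_START.match(line)
            if match:
                current = match.group(1)
            continue
        if FUNC_END.match(line):
            current = None
            continue
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = FETCH.search(line)
        if match:
            findings.append({"function": current, "line": lineno,
                             "command": match.group(0), "text": line.strip()})
    return findings


def unchecked_sources(pkgbuild: str) -> int:
    """Heuristic: 'SKIP' checksum entries beyond what VCS sources account for."""
    sums = re.findall(r"^\s*(?:md5|sha1|sha224|sha256|sha384|sha512|b2)sums(?:_[\w.+-]+)?=\(([^)]*)\)",
                      pkgbuild, re.M | re.S)
    skips = sum(s.count("SKIP") for s in sums)
    sources = re.findall(r"^\s*source(?:_[\w.+-]+)?=\(([^)]*)\)", pkgbuild, re.M | re.S)
    vcs = sum(len(VCS_SOURCE.findall(s)) for s in sources)
    return max(0, skips - vcs)


if __name__ == "__main__":
    for f in find_build_time_fetches(SAMPLE_PKGBUILD):
        print(f"{f['function']}() line {f['line']}: {f['command']} -> {f['text']}")
    print("unchecked sources:", unchecked_sources(SAMPLE_PKGBUILD))
```

Run it over the PKGBUILD diff of every package you rebuild from the AUR; a hit in build() is the thing to read before makepkg runs, and a non-VCS source with a SKIP checksum means the tarball is not verified at all.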

GitHub will turn off the npm install behavior these worms depend on

GitHub announced on June 9 that npm v12, due in July, will stop running preinstall, install, and postinstall scripts from dependencies unless a project explicitly approves them, block Git dependencies unless --allow-git is set, and refuse to resolve remote-URL dependencies such as HTTPS tarballs without --allow-remote. All three are already available behind warnings in npm 11.16.0, so teams can run npm approve-scripts and commit the approved list before the upgrade lands. The install script that fires automatically is the entry point for nearly every worm in this newsletter for the past month, so turning it off by default stops most of them, even if it breaks a lot of working setups in July.
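Before the npm v12 defaults land, it helps to know which of these three behaviors a project already relies on. The following is an added example, not npm's or GitHub's code: it reads a package.json and a lockfile v2/v3 "packages" map and reports the install-time lifecycle scripts that IronWorm's preinstall hook abuses, dependencies resolved from Git, and dependencies fetched from a remote URL instead of the registry. The sample manifests are constructed, and the package names and hosts in them are placeholders; the `hasInstallScript` flag and `resolved` field are the real lockfile fields npm writes.

```python
"""Report the npm install-time behaviors that npm v12 turns off by default.

Added example, not npm's or GitHub's code. Sample manifests are constructed;
package names and hosts are placeholders.
"""
import json
import sys
from urllib.parse import urlparse
import re

LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
REGISTRY_HOSTS = frozenset({"registry.npmjs.org"})

# Specifiers npm resolves by cloning a repository: full Git URLs, hosted
# shorthand such as github:user/repo, and bare user/repo[#ref].
GIT_SPEC = re.compile(
    r"^(?:git(?:\+[a-z]+)?://|git@|ssh://|github:|gitlab:|bitbucket:|gist:"
    r"|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:#\S*)?$)"
)
REMOTE_SPEC = re.compile(r"^https?://")

SAMPLE_PACKAGE_JSON = {
    "name": "demo-app",
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    "dependencies": {
        "example-pad": "^1.3.0",
        "from-git": "github:example/from-git#v2",
        "from-url": "https://files.example.invalid/from-url-1.0.0.tgz",
    },
}

SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/example-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-pad/-/example-pad-1.3.0.tgz",
        },
        "node_modules/helper-bin": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/helper-bin/-/helper-bin-0.0.1.tgz",
            "hasInstallScript": True,
        },
        "node_modules/from-git": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/example/from-git.git#0123abcd",
        },
        "node_modules/from-url": {
            "version": "1.0.0",
            "resolved": "https://files.example.invalid/from-url-1.0.0.tgz",
        },
    },
}


def classify_spec(spec: str):
    """Classify a package.json dependency specifier: 'git', 'remote-url', or None."""
    if GIT_SPEC.match(spec):
        return "git"
    if REMOTE_SPEC.match(spec):
        return "remote-url"
    return None


def classify_resolved(resolved, registry_hosts=REGISTRY_HOSTS):
    """Classify a lockfile 'resolved' URL; registry tarballs return None."""
    if not resolved:
        return None
    if resolved.startswith(("git+", "git://")):
        return "git"
    if resolved.startswith(("http://", "https://")):
        if urlparse(resolved).hostname not in registry_hosts:
            return "remote-url"
    return None


def audit_manifest(pkg: dict) -> list[dict]:
    findings = [{"kind": "lifecycle-script", "name": n, "detail": cmd}
                for n, cmd in pkg.get("scripts", {}).items() if n in LIFECYCLE_SCRIPTS]
    for field in DEP_FIELDS:
        for dep, spec in pkg.get(field, {}).items():
            kind = classify_spec(spec)
            if kind:
                findings.append({"kind": kind, "name": dep, "detail": spec})
    return findings


def audit_lockfile(lock: dict, registry_hosts=REGISTRY_HOSTS) -> list[dict]:
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if entry.get("hasInstallScript"):
            findings.append({"kind": "lifecycle-script", "name": name, "detail": entry.get("version")})
        kind = classify_resolved(entry.get("resolved"), registry_hosts)
        if kind:
            findings.append({"kind": kind, "name": name, "detail": entry["resolved"]})
    return findings


if __name__ == "__main__":
    # Pass package.json and package-lock.json paths to audit a real project.
    pkg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PACKAGE_JSON
    lock = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_LOCK
    for f in audit_manifest(pkg) + audit_lockfile(lock):
        print(f"{f['kind']:17} {f['name']:15} {f['detail']}")
```

Every "lifecycle-script" line is a package that will silently stop working under npm v12 until it is approved, and every "git" or "remote-url" line is a dependency that will need --allow-git or --allow-remote, so the output doubles as the list to review before committing an approval set.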

OpenSSL patches a PKCS#7 heap use-after-free, found again with an AI assistant

OpenSSL published a fix on June 9 for CVE-2026-45447, a high-severity heap use-after-free in PKCS#7 signature verification that triggers on a message carrying an empty ASN.1 SET in the SignedData digestAlgorithms field, which can lead to heap corruption, a crash, or possibly remote code execution when verifying crafted PKCS#7 or S/MIME messages. Thai Duong of Calif.io found it while working with Claude and Anthropic Research, in a release where Anthropic's Alex Gaynor was credited for reporting several of the other fixed flaws. The same pattern that surfaced the HTTP/2 Bomb in last week's edition is now finding memory-safety bugs in the library that terminates most of the web's TLS.

linux-firmware adds an AGENTS.md, with Claude credited as a co-author

Red Hat engineer Josh Boyer opened a merge request on June 8 that adds an AGENTS.md to linux-firmware.git, the repository that holds the binary firmware most Linux drivers load. The file restates the contribution rules in the order an AI coding agent needs them: the WHENCE provenance model, how to add or update firmware, the make check gate, and commit conventions. It is registered in the existing check_whence.py so the file is validated like the README and the other known files, and the change carries a Co-Authored-By trailer crediting Claude Opus 4.8. This is one merge request, not a kernel policy, but it is one of the first times a core piece of Linux plumbing has written its contribution rules for machines as much as for people.

Go ships a structured pkg.go.dev API, aimed in part at AI agents

The Go team released a stateless, read-only v1beta JSON API for pkg.go.dev on June 12, exposing package and module metadata, symbols, search, version history, import relationships, and vulnerability data, with a published OpenAPI spec and a reference pkgsite-cli client. The team calls it one of the most requested pkg.go.dev features and frames it openly as a way for AI coding tools to query the Go ecosystem instead of scraping web pages. Structured data an agent can read without guessing is the unglamorous groundwork the rest of this week's agent news runs on.

The Linux Foundation launches OpenSharing to standardize AI asset exchange

The Linux Foundation announced OpenSharing on June 10, a vendor-neutral protocol for sharing AI assets across organizations and platforms, including agent skills, models, and unstructured data, contributed by Databricks with Stripe, MinIO, LSEG, Cotality, and Kythera Labs among the backers. The pitch is to replace point-to-point integrations and proprietary marketplaces with one open exchange format. "Delta Sharing proved the industry would choose open over locked-in. OpenSharing extends that principle to the full AI stack," said Databricks co-founder and CTO Matei Zaharia. A protocol is only as neutral as its second and third implementations, so the signal to watch is whether anyone outside the contributor list ships one.

💎 Gems & Tools

Home Assistant 2026.6

The June release reworks dashboard editing around a card picker that opens on a structured tree of floors, areas, devices, and entities, and adds the ability to receive infrared commands so a physical remote updates device state in Home Assistant. The dashboard editor alone cuts new-card setup from minutes of YAML to a few clicks.

Apple container 1.0

Apple tagged 1.0 of its open-source container tool at WWDC on June 9, a Swift program that runs OCI-compatible Linux containers as light virtual machines on Apple silicon, now with a persistent container machine for long-lived workloads. If you build on an M-series Mac and want Linux containers without Docker Desktop, this is now a stable option.

GitHub Copilot CLI: LSP Setup and /security-review

GitHub added two things to Copilot CLI on June 10: an LSP Setup skill that configures language servers for 14 languages so the agent resolves types and definitions instead of grepping, and a /security-review command that scans local changes for injection, cross-site scripting, path traversal, and weak crypto before they reach CI. Both are worth turning on if you already work in Copilot CLI.

OpenRL

Google's GKE Labs open-sourced OpenRL on June 11, a self-hosted, Tinker-compatible API for reinforcement-learning fine-tuning of language models on your own Kubernetes, with primitives for model creation, sampling, scoring, and optimization and support for LoRA. For teams that want post-training to stay on their own GPUs, it is a ready-made endpoint rather than a managed service.

Bumblebee

Perplexity's read-only developer-endpoint scanner, a single Go binary with zero non-stdlib dependencies, reads the on-disk traces of eight package ecosystems plus MCP server configs and editor and browser extensions, without executing anything, to flag exposure to known supply-chain compromises. Given the month npm just had, a dependency-free scanner you can point at a laptop or a CI runner is worth a look.

Proton Experimental, June build

Valve's fast-moving Proton branch picked up fixes for Forza Horizon 6, Homeworld 2, and Shogun: Total War this month, and folded in the Proton 11 changes. If a game broke for you on stable Proton, this is the branch to test before filing a bug.

πŸ” Spotlight

Tim Chen, software engineer, Intel

Chen is one of the two Intel engineers, with Chen Yu, behind Cache Aware Scheduling, the kernel scheduler change queued for the Linux 7.2 merge window this week. The work teaches the scheduler about last-level cache topology so that tasks sharing data land on the same cache domain, which cuts the cache misses and cross-cache traffic that quietly tax modern many-core chips. The payoff on the right workload is large: one ChaCha20 run on an AMD EPYC Genoa system gained 44 percent throughput with the feature enabled.

What stands out is the patience. The series ran through four revisions and more than a year of review, with Chen and Chen Yu steadily adding the guardrails reviewers asked for: a static key so the feature only engages on chips with multiple caches, opt-outs for processes with high thread counts or large memory footprints, and user controls to tune the tolerance. That is the opposite of the late, oversized, AI-assisted churn Torvalds spent this same cycle flagging on the networking side. A core scheduler change earns its way into the tree slowly, and this one did.


That is the week. Run npm approve-scripts before v12 lands, patch OpenSSL, reseal your TPM before the Secure Boot deadline, and read the changelog before you skip 7.1.

See you next week!


You can find me on Medium, X, Bluesky, Mastodon, and Threads.
