Update - 18:55 UTC - The Arch Linux team put up an official announcement now:
We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.
We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:
- Creating new accounts on the AUR
- Pushing package updates
- Adopting or creating new packages
We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
Original article below:
Looks like the Arch Linux AUR (Arch User Repository) needs some better security and package checks - as some malicious users compromised a lot of packages.
For those who aren't clear on the details - the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. This is completely separate to the actual Arch Linux packages which were not hit.
There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".
From the packages that were changed, they were made to include npm (a package manager), which is then used to pull in some sort of keylogger / credentials stealer - so it's really quite a shocking security breach to have affected so many different packages.
Hopefully the mess will get sorted fully soon, and for some improvements to the packaging processes to prevent this from happening in future. Especially with the rise of AI bots, and how much easier this sort of thing has become thanks to them - it could end up a lot worse in future.
Oh dear.
Article taken from GamingOnLinux.com.
See more from me
You can also find comments for this article on social media: 
Quoting: Turkeysteaksfor anyone who doesn't use an AUR helper, I made this basic little bash script:Or just:
for dir in ~/AUR/*/
do
dir=${dir%*/}
echo "${dir}"
cd ${dir}
cat PKGBUILD | grep $1
cd ~/AUR/
done
if you don't keep your AUR packages in ~/AUR/, you will need to change that in the code.
run it with `./<script-name>.sh <bad-package>`. so for this one, if you do `./script.sh atomic` and any of them print anything, you have been compromised. If none of them do, you're hopefully safe.
grep atomic ~/AUR/*/PKGBUILDfor yay users:
grep atomic ~/.cache/yay/*/PKGBUILD :-)
Philadelphus 9 hours ago
Quoting: Liam Squires-HandIf they cannot do any checks - that's just a glaring flaw in the entire design of the AUR and so yes - it should be shut. If it's just going to repeatedly be a huge security issue like this, then why should it exist? It's dangerous.
I don't think that would be helpful in the long run. "Why should [the AUR] exist?" is a pertinent question. Presumably it exists because it fills a need. People encounter problems not solved by official packages, code up a solution, and want to share it without going through the hassle of making it an official package (for whatever reason, I can think of several legitimate ones). Other people encounter the same problems and find those proffered solutions. If it wasn't helpful in some capacity, the AUR wouldn't exist. We could shut it down, but doing so will not magically make those problems people have go away; someone would just set up another similar site to fill the vacuum (one not under the purview of the Arch team, this time).
It's like closing one beach for shark sightings. People will just go to another beach in a different jurisdiction, they're not going to stop swimming. If the Arch teams keeps the AUR around, they can try to improve its security (which I approve of, for the record); if they close it, they don't have much recourse if it turns out the "new AUR" that pops up turns out to be run by malicious actors after lots of people have swapped to it.
Quoting: Liam Squires-HandYou have a duty to act against those who would do that and remove that stuff.Quoting: JugglingJesterSorry, which part of arch user repository is that hard to understand?And this is a user comment section. I, as the person who runs it, still have a duty to ensure nefarious crap isn’t shared and spread. The same applies to the AUR and who run it, the same applies to literally any online service. Is that hard to understand?
But you have no duty to ensure it never happens in the first place - you'd have to manually (or AI-assisted) check every single post prior to releasing it.
Hardly a method that would facilitate communication.
And that's just text - with code it would be drastically more difficult to do, in this case it was rather easy to find the offending npm in an automated manner, but that's not a guarantee.
Not impossible, mind you, but putting that on a bunch of mostly volunteers seems out of the question.
The tl;dr here is that any platform online where someone can "put things" for free should inherently cause any user to be aware/cautious and not just blindly trust.
The AUR is no different in this than anything else.
I do agree they should add at least SOME kind of verification, but this problem will never go away entirely.
People are responsible for the consequences of their actions, and that very much includes trusting someone or something they shouldn't have online.
Everyone knows there are bad actors out there - so acting as if that wasn't the case is just foolish.
Last edited by TheSHEEEP on 13 Jun 2026 at 5:48 am UTC
Patreon
PayPal