Update - 18:55 UTC - The Arch Linux team put up an official announcement now:
We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.
We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:
- Creating new accounts on the AUR
- Pushing package updates
- Adopting or creating new packages
We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
Original article below:
Looks like the Arch Linux AUR (Arch User Repository) needs some better security and package checks, as malicious users have compromised a lot of packages.
For those who aren't clear on the details - the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. This is completely separate to the actual Arch Linux packages which were not hit.
There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".
The packages that were changed were modified to include npm (a package manager), which is then used to pull in some sort of keylogger / credential stealer. It's really quite a shocking security breach to have affected so many different packages.
Hopefully the mess will get sorted fully soon, and some improvements will be made to the packaging process to prevent this from happening in future. Especially with the rise of AI bots, and how much easier this sort of thing has become thanks to them, it could end up a lot worse in future.
Oh dear.
Quoting: Turkeysteaks
for anyone who doesn't use an AUR helper, I made this basic little bash script:

#!/bin/bash
# Usage: ./<script-name>.sh <pattern>  - greps every PKGBUILD under ~/AUR/ for <pattern>
for dir in ~/AUR/*/
do
    dir=${dir%/}                      # strip the trailing slash
    echo "${dir}"
    grep -- "$1" "${dir}/PKGBUILD"    # quoted, so patterns with spaces or globs are passed through intact
done

if you don't keep your AUR packages in ~/AUR/, you will need to change that in the code.
run it with `./<script-name>.sh <bad-package>`. so for this one, if you do `./script.sh atomic` and any of them print anything, you have been compromised. If none of them do, you're hopefully safe.

Or just:

grep atomic ~/AUR/*/PKGBUILD

for yay users:

grep atomic ~/.cache/yay/*/PKGBUILD :-)
Quoting: Liam Squires-Hand
If they cannot do any checks - that's just a glaring flaw in the entire design of the AUR and so yes - it should be shut. If it's just going to repeatedly be a huge security issue like this, then why should it exist? It's dangerous.
I don't think that would be helpful in the long run. "Why should [the AUR] exist?" is a pertinent question. Presumably it exists because it fills a need. People encounter problems not solved by official packages, code up a solution, and want to share it without going through the hassle of making it an official package (for whatever reason, I can think of several legitimate ones). Other people encounter the same problems and find those proffered solutions. If it wasn't helpful in some capacity, the AUR wouldn't exist. We could shut it down, but doing so will not magically make those problems people have go away; someone would just set up another similar site to fill the vacuum (one not under the purview of the Arch team, this time).
It's like closing one beach for shark sightings. People will just go to another beach in a different jurisdiction, they're not going to stop swimming. If the Arch teams keeps the AUR around, they can try to improve its security (which I approve of, for the record); if they close it, they don't have much recourse if it turns out the "new AUR" that pops up turns out to be run by malicious actors after lots of people have swapped to it.
Quoting: Liam Squires-Hand
You have a duty to act against those who would do that and remove that stuff.
Quoting: JugglingJester
Sorry, which part of arch user repository is that hard to understand?
And this is a user comment section. I, as the person who runs it, still have a duty to ensure nefarious crap isn’t shared and spread. The same applies to the AUR and who run it, the same applies to literally any online service. Is that hard to understand?
But you have no duty to ensure it never happens in the first place - you'd have to manually (or AI-assisted) check every single post prior to releasing it.
Hardly a method that would facilitate communication.
And that's just text - with code it would be drastically more difficult to do, in this case it was rather easy to find the offending npm in an automated manner, but that's not a guarantee.
Not impossible, mind you, but putting that on a bunch of mostly volunteers seems out of the question.
The tl;dr here is that any platform online where someone can "put things" for free should inherently cause any user to be aware/cautious and not just blindly trust.
The AUR is no different in this than anything else.
I do agree they should add at least SOME kind of verification, but this problem will never go away entirely.
People are responsible for the consequences of their actions, and that very much includes trusting someone or something they shouldn't have online.
Everyone knows there are bad actors out there - so acting as if that wasn't the case is just foolish.
Last edited by TheSHEEEP on 13 Jun 2026 at 5:48 am UTC
https://www.phoronix.com/news/Arch-Linux-AUR-More-Than-1500
Quoting: ExplosiveDiarrhea
That's like saying "people who can't swim can drown in the sea, so we should have every single access to the sea guarded and protected at all time".

This is actually something that is and has been happening in Germany for several years – some lawyers figured that they could extract money from mayors of small cities that have a small lake somewhere where children without parental supervision had accidents. The end result is that there is an effort to build fences around lakes and remove accessible piers.
That is insane...
--
Addendum: The thing is – automatic AUR helpers have been warned against time and time since I first saw them. If anything should be stopped it is them. You cannot stop people from copying random commands from a random website or opening suspicious email attachments or using the same password all over the web. Discontinuing the AUR is a really bad idea since it can be a useful resource for looking up information about packages. The only way to force people to be safe is to lock them into a room without access to water/electricity/internet, other people and the sun. All those things can harm you.
The helpers like npm and all the weird python/rust/etc installers are a huge risk to download and execute random code from the web.
Last edited by Klaas on 13 Jun 2026 at 9:25 am UTC
pacman -Qq | grep -xFf <(curl "https://md.archlinux.org/s/SxbqukK6IA/download")

I do have 5 matches on my system, but I am not really worried, as I update my AUR packages maybe twice a year 😅
Quoting: Slaxer
This is pretty bad. Luckily, I don't have too many packages from the AUR. I think I'm fine, thank God.

In my opinion, people that will benefit from using Arch are not the ones that usually ask you for a Linux distro recommendation. That's the reason I have never recommended Arch. It's my distro of choice, but IMO for most Linux users it's a bad choice.
Quoting: doragasu
AUR does not have package checks by definition, it puts that weight on the user.

We all start off as beginners. You don't have to not recommend it. If you do recommend it, just explain the reasons for why someone would want to try Arch. Arch is for people who are interested in really learning how to do things on their own, and don't mind scraping their knees a bit by learning things the hard way. It's also good for people that just want to be aware of every package on a clean install.
As I always say, I have been using Arch as my main distro for 10+ years, and despite that (maybe because of that) I never recommend Arch!
My first distro was Slackware, and I reckon it's much harder to get into as a beginner than Arch is, especially during the mid 2000s. If I can learn my way through it, anybody can.
Quoting: MayeulC
One-liner to check locally-installed packages against the [published list](https://lists.archlinux.org/archives/list/[email protected]/message/FCH7TT6IOVT7D477JKSVJALBKADAARSW/):
pacman -Qq | grep -xFf <(curl "https://md.archlinux.org/s/SxbqukK6IA/download")

I had 3 matches:
mingw-w64-libcroco
mingw-w64-pcre
mingw-w64-sdl
But the most recently updated one was in December 2025, and I am quite careful with AUR. I use pikaur and always check the package build files on first install, and the diffs on updates.
Last edited by doragasu on 13 Jun 2026 at 1:05 pm UTC
Last edited by tohur on 13 Jun 2026 at 3:25 pm UTC
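The two checks traded in this thread (Turkeysteaks' and pb's grep over local PKGBUILDs, and MayeulC's `pacman -Qq | grep -xFf` intersection with the published list) are usually run back to back, so here is an added example that chains them and spells out why the grep flags matter. This is not code from the article or from any commenter. The package names, file contents and directory layout (one checkout per package under a root such as ~/.cache/yay) are constructed assumptions, and the installed and affected lists are read from files instead of from pacman or curl so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the article or any commenter. Combines the two checks
# discussed in this thread: the `pacman -Qq | grep -xFf <list>` intersection and
# the "grep the PKGBUILDs" idea, then reports a status per flagged package.
# Assumptions (hypothetical): installed names come from `pacman -Qq` saved to a
# file, the affected list is a plain file of package names, and local checkouts
# live one directory per package (e.g. ~/AUR or ~/.cache/yay).

# flagged_packages INSTALLED_FILE LIST_FILE
# Prints installed package names that appear verbatim in LIST_FILE, in the order
# of INSTALLED_FILE. Exit status is grep's: 0 if anything matched, 1 if nothing did.
#   -x: whole-line match, so "demo-sdl" in the list does not flag "demo-sdl2"
#   -F: fixed strings, so "." or "+" in a package name is not a regex metacharacter
flagged_packages() {
    grep -xFf "$2" "$1"
}

# suspicious_files CHECKOUT_DIR PATTERN
# Prints each build file in CHECKOUT_DIR (PKGBUILD plus any *.install script, the
# files the Arch announcement asks users to review) that contains PATTERN.
# Returns 0 if at least one file matched, 1 otherwise.
suspicious_files() {
    local dir=$1 pattern=$2 found=1 f
    for f in "$dir/PKGBUILD" "$dir"/*.install; do
        [ -f "$f" ] || continue       # skips the unexpanded glob when no *.install exists
        if grep -q -- "$pattern" "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# triage INSTALLED_FILE LIST_FILE CHECKOUT_ROOT PATTERN
# One "name<TAB>status" line per flagged package: "suspicious" if its checkout
# contains PATTERN, "clean" if a checkout exists without it, "no-checkout" if
# there is nothing local to inspect (e.g. a helper cache that was cleared),
# which still deserves a manual look.
triage() {
    flagged_packages "$1" "$2" | while IFS= read -r name; do
        if [ ! -d "$3/$name" ]; then
            printf '%s\tno-checkout\n' "$name"
        elif suspicious_files "$3/$name" "$4" >/dev/null; then
            printf '%s\tsuspicious\n' "$name"
        else
            printf '%s\tclean\n' "$name"
        fi
    done
}

# make_fixture ROOT
# Constructed sample data (package names and file contents invented for this
# example): an installed list, an "affected" list, and two fake checkouts.
make_fixture() {
    local root=$1
    mkdir -p "$root/aur/demo-sdl" "$root/aur/demo-atomic"
    printf '%s\n' bash demo-sdl demo-sdl2 demo-atomic demo-no-checkout firefox > "$root/installed.txt"
    printf '%s\n' demo-sdl demo-atomic demo-no-checkout demo-not-installed > "$root/affected.txt"
    # clean checkout: PKGBUILD and install script without any npm reference
    printf '%s\n' "pkgname=demo-sdl" "pkgver=1.0" "depends=('demo-crt')" > "$root/aur/demo-sdl/PKGBUILD"
    printf '%s\n' "post_install() { :; }" > "$root/aur/demo-sdl/demo-sdl.install"
    # suspicious checkout: a PKGBUILD that gained an npm dependency, the tell-tale the article describes
    printf '%s\n' "pkgname=demo-atomic" "pkgver=1.0" "depends=('npm')" > "$root/aur/demo-atomic/PKGBUILD"
}

# Stand-alone demo on the constructed fixture. Real use would be, roughly:
#   pacman -Qq > installed.txt; curl -fsSL "<published list URL>" > affected.txt
#   triage installed.txt affected.txt ~/.cache/yay npm
demo_root=$(mktemp -d)
make_fixture "$demo_root"
triage "$demo_root/installed.txt" "$demo_root/affected.txt" "$demo_root/aur" npm
rm -rf "$demo_root"
```

On the constructed fixture this prints `demo-sdl clean`, `demo-atomic suspicious` and `demo-no-checkout no-checkout`; `demo-sdl2` is not flagged because `-x` requires a whole-line match, and without `-F` a list entry containing `+` or `.` would be read as a regex. A "clean" result only means the chosen pattern was absent from the local files, so the announcement's advice to read the actual PKGBUILD and install-script diffs still applies.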
Quoting: doragasu
but IMO for most Linux users it's a bad choice.

I gotta point out that it's #12 on Distrowatch and one of the most used distros on the Steam charts, just behind Cachy. It's quite popular. I reckon it's that stupid meme got people to use it, but either way, lots of people are up for the challenge of learning. That "I use Arch btw" meme has to die at some point anyway. If you can follow instructions well enough to make a batch of brownies, you can install Arch.
Quoting: pb
Or just:
grep atomic ~/AUR/*/PKGBUILD
for yay users:
grep atomic ~/.cache/yay/*/PKGBUILD :-)

Lol I thought I was being so clever - that's much cleaner, thank you! I didn't know grep could do multiple files at once without combining them in some way. Appreciate it
Quoting: Slaxer
Well, in my case I started using it because I was finding myself using the Arch wiki so often. It's a great resource. By the point I switched, I was already quite familiar with Linux internals, and the arch wiki. So I switched from Slackware, and don't regret it one bit. I think my next distro will be Guix (or maybe Nix), or an immutable like Kionite.
Quoting: doragasu
but IMO for most Linux users it's a bad choice.
I gotta point out that it's #12 on Distrowatch and one of the most used distros on the Steam charts, just behind Cachy. It's quite popular. I reckon it's that stupid meme got people to use it, but either way, lots of people are up for the challenge of learning. That "I use Arch btw" meme has to die at some point anyway. If you can follow instructions well enough to make a batch of brownies, you can install Arch.
Anyway, that probably changed as it became a meme, but I had always seen (circa 2013 at least) "I use Arch by the way" in troubleshooting posts, where the distro was not necessarily immediately relevant, more of a late addition to a question, as it may be a relevant info for the person helping troubleshoot. You could find these on github issues (project not working/bug), linuxquestions (something like X11 woes), or SuperUser/stackoverflow (though less common).
I still do not recommend it to beginners, unless they are technically minded, and interested in having a crash course. I learned so much when switching to Arch, I don't regret it one bit. And the AUR is so much ahead of its Slackware equivalent (I think it was one of the main motivations).
As for the install process, it's reportedly much easier now, there's even archinstall. Though pacstrap isn't terribly complicated.