Update - 18:55 UTC - The Arch Linux team has now put up an official announcement:
We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.
We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed. While this is happening, and while we work to create a more permanent solution, users may see issues with the following:
- Creating new accounts on the AUR
- Pushing package updates
- Adopting or creating new packages
We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.
Original article below:
Looks like the Arch Linux AUR (Arch User Repository) needs some better security and package checks - as some malicious users compromised a lot of packages.
For those who aren't clear on the details - the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. This is completely separate to the actual Arch Linux packages which were not hit.
There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".
The packages that were changed were made to include npm (a package manager), which is then used to pull in some sort of keylogger / credentials stealer - so it's really quite a shocking security breach to have affected so many different packages.
Hopefully the mess will get fully sorted soon, along with some improvements to the packaging processes to prevent this from happening in future. Especially with the rise of AI bots, and how much easier this sort of thing has become thanks to them - it could end up a lot worse in future.
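One way to act on the advice to review PKGBUILD and install script changes, as an added example (not code from this article or from the Arch project): it diffs the old and new versions of a package's files and lists added lines that call npm-style package managers, add them as dependencies, or introduce an install hook. The package name, file contents and regex heuristics are constructed assumptions, not an official indicator list.

```python
import difflib
import re

# Heuristics assumed for this example; not an official indicator list.
FETCH_CMD = re.compile(r"\b(?:npm|npx|pnpm|yarn|bun|bunx)\s+(?:install|i|add|ci|exec|x)\b")
DEP_ARRAY = re.compile(r"^\s*(?:make|check|opt)?depends(?:_\w+)?\+?=\(")
JS_TOOL = re.compile(r"\b(?:npm|nodejs|pnpm|yarn|bun)\b")
INSTALL_HOOK = re.compile(r"^\s*install=")

def added_lines(old, new):
    """Yield (line number in new, text) for lines that exist only in the new version."""
    old_l, new_l = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, old_l, new_l, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, new_l[j]

def review(old, new):
    """Return (line, category, text) for added lines a reviewer should read first."""
    findings = []
    for lineno, text in added_lines(old, new):
        if FETCH_CMD.search(text):
            findings.append((lineno, "fetch", text.strip()))
        elif DEP_ARRAY.match(text) and JS_TOOL.search(text):
            findings.append((lineno, "dependency", text.strip()))
        elif INSTALL_HOOK.match(text):
            findings.append((lineno, "install-script", text.strip()))
    return findings

# Constructed sample input: a hypothetical package before and after an update.
OLD_PKGBUILD = """pkgname=example-tool
pkgver=1.0.0
pkgrel=1
depends=('glibc')
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""
NEW_PKGBUILD = OLD_PKGBUILD.replace("pkgrel=1", "pkgrel=2").replace(
    "depends=('glibc')", "depends=('glibc' 'npm')\ninstall=example-tool.install")
NEW_INSTALL = "post_install() {\n  npm install -g example-placeholder-pkg\n}\n"

if __name__ == "__main__":
    for name, old, new in (("PKGBUILD", OLD_PKGBUILD, NEW_PKGBUILD),
                           ("example-tool.install", "", NEW_INSTALL)):
        for lineno, category, text in review(old, new):
            print(f"{name}:{lineno}: [{category}] {text}")
```

An empty result only means none of these heuristics matched the added lines; the full diff still needs to be read.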
Oh dear.
$ ./aur_check-v2.sh --full
============================================================
AUR Malware Check v2.3.3
Campaign: malicious npm packages (malicious_npm_packages.txt) infostealer + eBPF rootkit
Date window: 2026-06-09 to 2026-06-12
Packages checked: 1619
============================================================
--- [1] Currently installed foreign packages ---
Clean: no infected packages installed within campaign window.
--- [2] Historical pacman logs ---
Clean: no historical log matches found.
--- [3] Systemd persistence check ---
Clean: no suspicious systemd services found.
--- [4] eBPF rootkit check ---
Clean: no eBPF rootkit traces detected.
--- [5] npm cache check ---
Clean: no malicious packages in npm cache.
--- [6] bun cache check ---
Clean: no malicious packages in bun cache.
============================================================
RESULT: CLEAN - No indicators found.
============================================================
Most of my packages were no longer updated for a long time so it was a good thing for me to make me clean up old junk from yesteryears anyway.
Last edited by Xpander on 14 Jun 2026 at 5:59 am UTC
Quoting: VulpisFoxfire
Apologies for breaking into this (as I'm a Mint user, not an Arch one), but a friend pointed me at this thread, and I couldn't help but notice a glaring omission on the topic of newbies/people who don't know the nitty-gritty using Arch..
IIRC, SteamOS is Arch-based, isn't it? So right there, you have a load of people using Arch (or at least an Arch derivative) not particularly as an informed choice, or an educational one, but because that's what's installed on their gaming device.

SteamOS is built on customized, immutable snapshots of Arch. Installing software from the AUR is possible but takes some effort. I doubt you'll find a large percentage of Steam Deck users affected by this incident.



