Oh dear, the situation with the Arch Linux AUR got a fair bit worse since GamingOnLinux initially covered the malicious packages.
At the time the initial article was put up, there were a bit over 400 compromised packages on the Arch Linux Arch User Repository (AUR). That list of affected packages (source) rose quite sharply and checking again now there's nearly 2,000 noted. That's a lot of packages to be hit like this.
Later last night the attacks were reported to be continuing on "with obfuscated code", and another report in the early hours of this morning noting it's become "a little bit more elaborate". Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.
The AUR developers and maintainers are clearly going to need to rethink how the service is run. While it's a wonderful idea to let anyone come along and package extra apps and such if they're missing from Arch Linux repositories, anything left open in any way is going to cause problems. Especially so now in 2026, when Linux is clearly more popular than ever - anything Linux related like this is going to become a bigger target. And with AI bots too, making such a hit has become far easier.
At least some level of human review is going to be needed. Otherwise, this certainly won't be the last time we see the AUR having security problems.
Article taken from GamingOnLinux.com.
See more from me
You can also find comments for this article on social media: 
CharlieTheMadHatter 2 hours ago
If you haven't, it's about time to start!
mattaraxia 1 hour ago
The near complete lack of oversight and controls is basically the AUR's one feature that distinguishes it from everything else out there.
Last edited by mattaraxia on 14 Jun 2026 at 8:46 pm UTC
seflasporin 1 hour ago
Quoting: CharlieTheMadHatterIt's a grim reminder that one should ALWAYS check the PKGBUILD files.No one's going to check all the build files of every package on every update they use.
If you haven't, it's about time to start!
Quoting: kerossinThe best "solution" imo is to simply not update AUR packages often. I seldom run "paru -Syu".Quoting: CharlieTheMadHatterIt's a grim reminder that one should ALWAYS check the PKGBUILD files.No one's going to check all the build files of every package on every update they use.
If you haven't, it's about time to start!
Luckily for me, I have only a few (10-ish) AUR packages, and none of them seemed to have been compromised.
Last edited by coolitic on 14 Jun 2026 at 9:14 pm UTC
Quoting: ChrisznixDamnit, i had minitube installed, but not started it for months... fresh install with full password rotation, i guess?Did you update the package through AUR in the last few days without checking the PKGBUILD?
Quoting: kerossinNo one's going to check all the build files of every package on every update they use.You do not have to. AUR helpers like paru will show a diff for updates which in the best case only consist of changed version numbers and hashes.
But yes, those diffs should be checked for each and every update.
Quoting: kerossinNo one's going to check all the build files of every package on every update they use.It's only the AUR which is compromised, not the actual Arch repositories, where the vast majority of the installed packages will come from. And if you have more than, say, half a dozen AUR packages installed; then you're doing it wrong and you should probably use something like Debian where pretty much everything you could want is available from official repos.
apocalyptech 32 minutes ago
Quoting: kerossinNo one's going to check all the build files of every package on every update they use."No one" is too much of a stretch. I'm among the people who, yes, literally checks the contents of every PKGBUILD I've ever used (along with the contents of any bundled patches / ancillary files / etc). I've actually never used any helper apps for AUR content; I download manually, verify the contents of the PKGBUILD, verify that the package sources are set up properly, in many cases do checksum management myself, etc. Yeah, it's a lot more work, and it means that I'm constantly balancing the hassle of doing so versus Not Actually Using The Thing, but it's always struck me as the only sensible thing to do. The general community acceptance of automated AUR helpers which just blindly trust that source has always struck me as totally insane, and among the things I don't like about Arch.
Though amend "no one" to be "practically no one" and I'll agree. I'm sure people like me are in a very small minority.
Last edited by apocalyptech on 14 Jun 2026 at 9:34 pm UTC
Patreon
PayPal