Support us on Patreon
PayPalOh dear, the situation with the Arch Linux AUR got a fair bit worse since GamingOnLinux initially covered the malicious packages.
At the time the initial article was put up, there were a bit over 400 compromised packages on the Arch Linux Arch User Repository (AUR). That list of affected packages (source) rose quite sharply and checking again now there's nearly 2,000 noted. That's a lot of packages to be hit like this.
Later last night the attacks were reported to be continuing on "with obfuscated code", and another report in the early hours of this morning noting it's become "a little bit more elaborate". Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.
The AUR developers and maintainers are clearly going to need to rethink how the service is run. While it's a wonderful idea to let anyone come along and package extra apps and such if they're missing from Arch Linux repositories, anything left open in any way is going to cause problems. Especially so now in 2026, when Linux is clearly more popular than ever - anything Linux related like this is going to become a bigger target. And with AI bots too, making such a hit has become far easier.
At least some level of human review is going to be needed. Otherwise, this certainly won't be the last time we see the AUR having security problems.
Article taken from GamingOnLinux.com.
See more from me
You can also find comments for this article on social media: 
Quoting: shadowofwardSo what distro is safe now? Anyone know a gaming centered disrto not based on arch? I was using cachyOS but im ready to try anything thats fast stable and not arch based, Anyone??Try Bazzite. Flatpak has never been hit by malware thanks to the high level of human oversight.
Quoting: apocalyptechSame. I check the PKGBUILD and look at the latest commit for the changes, it's all right there on the package's AUR page and easy to do. If it's a package you already use and trust then "Package Actions -> View Changes" and it's usually just an update bump anyway.Quoting: kerossinNo one's going to check all the build files of every package on every update they use."No one" is too much of a stretch. I'm among the people who, yes, literally checks the contents of every PKGBUILD I've ever used (along with the contents of any bundled patches / ancillary files / etc). I've actually never used any helper apps for AUR content; I download manually, verify the contents of the PKGBUILD, verify that the package sources are set up properly, in many cases do checksum management myself, etc. Yeah, it's a lot more work, and it means that I'm constantly balancing the hassle of doing so versus Not Actually Using The Thing, but it's always struck me as the only sensible thing to do. The general community acceptance of automated AUR helpers which just blindly trust that source has always struck me as totally insane, and among the things I don't like about Arch.
Though amend "no one" to be "practically no one" and I'll agree. I'm sure people like me are in a very small minority.
If people can't be bothered to check then it's on them or they shouldn't be using Arch.