
The security situation with the Arch Linux AUR got a lot worse

Last updated: 14 Jun 2026 at 7:40 pm UTC

Oh dear, the situation with the Arch Linux AUR got a fair bit worse since GamingOnLinux initially covered the malicious packages.

At the time the initial article was put up, there were a bit over 400 compromised packages on the Arch User Repository (AUR). That list of affected packages (source) has risen quite sharply; checking again now, nearly 2,000 are noted. That's a lot of packages to be hit like this.

Later last night the attacks were reported to be continuing "with obfuscated code", and another report in the early hours of this morning noted it has become "a little bit more elaborate". Not all of the packaging issues are as bad as the initial wave of trying to steal credentials; some just add ridiculous messages in Russian.

The AUR developers and maintainers are clearly going to need to rethink how the service is run. While it's a wonderful idea to let anyone come along and package extra apps and such if they're missing from the Arch Linux repositories, anything left open in any way is going to cause problems. Especially so now in 2026, when Linux is clearly more popular than ever: anything Linux-related like this is going to become a bigger target. And with AI bots too, pulling off such a hit has become far easier.

At least some level of human review is going to be needed. Otherwise, this certainly won't be the last time we see the AUR having security problems.

Article taken from GamingOnLinux.com.
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon.
Stella 4 hours ago
Quoting: shadowofward
So what distro is safe now? Anyone know a gaming-centred distro not based on Arch? I was using CachyOS but I'm ready to try anything that's fast, stable and not Arch-based. Anyone??

Try Bazzite. Flatpak has never been hit by malware thanks to the high level of human oversight.
fabertawe 3 hours ago
Quoting: apocalyptech
Quoting: kerossin
No one's going to check all the build files of every package on every update they use.
"No one" is too much of a stretch. I'm among the people who, yes, literally checks the contents of every PKGBUILD I've ever used (along with the contents of any bundled patches / ancillary files / etc). I've actually never used any helper apps for AUR content; I download manually, verify the contents of the PKGBUILD, verify that the package sources are set up properly, in many cases do checksum management myself, etc. Yeah, it's a lot more work, and it means that I'm constantly balancing the hassle of doing so versus Not Actually Using The Thing, but it's always struck me as the only sensible thing to do. The general community acceptance of automated AUR helpers which just blindly trust that source has always struck me as totally insane, and among the things I don't like about Arch.

Though amend "no one" to be "practically no one" and I'll agree. I'm sure people like me are in a very small minority.

Same. I check the PKGBUILD and look at the latest commit for the changes, it's all right there on the package's AUR page and easy to do. If it's a package you already use and trust then "Package Actions -> View Changes" and it's usually just an update bump anyway.

If people can't be bothered to check then it's on them or they shouldn't be using Arch.
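A pre-build check in the spirit of the manual PKGBUILD review apocalyptech and fabertawe describe above, added here as an example that is not from the article, the commenters or the Arch project. It reads the source and checksum arrays with awk instead of sourcing the PKGBUILD (sourcing would execute whatever the file contains) and flags plain-http sources, SKIP or missing checksums on non-VCS sources, and VCS sources not pinned to a commit or tag; the PKGBUILD path is taken as the only argument.

```shell
#!/bin/sh
# Print the entries of a bash array assignment (e.g. source=( ... )) from a
# PKGBUILD, one per line, quotes stripped. $1 = file, $2 = array name.
# Pure awk: the PKGBUILD is never sourced, so none of its code runs.
pkgbuild_array() {
  awk -v name="$2" '
    $0 ~ ("^" name "=\\(") { inarr = 1; sub("^" name "=\\(", "") }
    inarr {
      line = $0
      if (index(line, ")")) { sub(/\).*/, "", line); inarr = 0 }
      sub(/[ \t]+#.*$/, "", line)          # trailing comment, not URL fragments
      n = split(line, parts, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        gsub(/["'\'']/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }' "$1"
}

# Return 0 when every source is fetched over TLS, every non-VCS source has a
# real checksum (not SKIP or missing) and every VCS source is pinned to a
# commit or tag; otherwise print the findings and return 1. $1 = PKGBUILD path.
pkgbuild_precheck() {
  file=$1 rc=0 i=1
  srcs=$(pkgbuild_array "$file" source)
  sums=$(pkgbuild_array "$file" sha256sums)
  [ -n "$sums" ] || sums=$(pkgbuild_array "$file" b2sums)
  nsrc=$(set -f; set -- $srcs; echo $#)
  nsum=$(set -f; set -- $sums; echo $#)
  [ "$nsrc" -eq "$nsum" ] || { echo "FAIL: $nsrc sources but $nsum checksums"; rc=1; }
  for s in $srcs; do                       # entries contain no whitespace
    sum=$(printf '%s\n' "$sums" | sed -n "${i}p")
    url=${s#*::}                           # drop an optional "filename::" prefix
    case $url in
      git+*|hg+*|svn+*|bzr+*)
        case $url in
          *'#commit='*|*'#tag='*) ;;
          *) echo "FAIL: $url is a VCS source not pinned to a commit or tag"; rc=1 ;;
        esac ;;
      http://*|ftp://*) echo "FAIL: $url is fetched without TLS"; rc=1 ;;
      *) case $sum in
           SKIP|'') echo "FAIL: $url has no real checksum (${sum:-missing})"; rc=1 ;;
         esac ;;
    esac
    i=$((i + 1))
  done
  return $rc
}

[ "$#" -eq 0 ] || pkgbuild_precheck "$1"   # usage: sh precheck.sh path/to/PKGBUILD
```

It is only a gate before the actual read-through: it says nothing about what the build(), prepare() or package() functions do, which is the part the commenters above still read by hand.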
Nocifer 2 hours ago
The real issue with Arch IMHO is that it never really moved with the times (or, at the very least, it was extremely late to the party). Even though Linux as a whole has become more popular and the user base has exploded in numbers in the past few years, and even though Arch specifically has become very popular among new users due to it being the distro of choice for the Steam Deck, Arch as a project has (or had until very recently) stagnated and kept using tools and policies that simply don't make sense in this day and age even if they were really cool as a concept back in the day (or maybe they do still make sense for power users but are an absolute deathtrap for casual users), with the Wild West that is the AUR (a great analogy, btw) being a good example.

One of those policies that they've never changed, and which could work wonders for low-level bureaucratic stuff like managing the AUR, is their approach to recruiting new volunteers. Currently, it's a process that requires sponsoring (!) from a couple of already established Trusted Users. This word-of-mouth, spit-and-handshake approach of recruiting (instead of a proper meritocratic vetting process for which anybody could apply, like a job interview so to speak) is impractical in this day and age and spells doom for a purely volunteer-driven project like Arch, because it starves their recruitment flows. It has led to Arch having serious deficiencies in developer power (just a casual look through some of the mailing list threads of, say, the last couple of years can easily showcase this) which has in turn led to all kinds of derivative issues, one of them being that Arch can't implement major changes to its tools and policies (at least in a timely manner) even if the team actually want to implement them (they're not idiots).

In regards to the AUR, this lack of manpower means both that it exists today as a free-for-all, unregulated cesspool that allows script kiddies to upload their vibe-coded "hacks" and scams at their leisure, completely unsupervised by anyone, and also that when this cesspool eventually explodes in our faces, like now, the Arch team simply don't have the manpower to do something really drastic about it other than limiting access or even pulling the plug altogether, unless some third party gets involved to provide assistance.

I *really* hope I'm wrong about this and that Arch finds a way to implement a good and timely solution for this issue that doesn't include severely hampering the AUR for regular Arch users, but even if I'm wrong, I still *really* hope that they implement a better process for recruiting new volunteers, because that issue *is* seriously hampering them and Arch desperately needs more people.
devland 2 hours ago
Quoting: dibz
The real answer is for people to get over the idea of rolling distros; they've always been dangerous like this, and always will be. Most people don't actually need the latest and greatest, or only need very specific things that are.

In the professional world things like immutable distros and verified images and such are coming full circle to "solve" this problem that never used to exist used to be a niche crowd. Or you know, flatpaks, snaps, appimages, pick one - they're all solutions to the same issue.

The official Arch rolling release repos were not affected. Quite the contrary. Only some of the old & unmaintained AUR repos were affected and that goes against your "rolling release is bad" idea.

If anything, rolling release gets you fixes for whatever problem the fastest while traditional distros like Ubuntu take the longest to update or never do since they have EOL cycles.

Flatpaks, snaps & appimages all have the same trust problem as AUR because not all of them are fully contained within their sandbox; many require additional access to function and you just trust them to not require more than they need. They are all third party apps that you use at your own risk on top of whatever immutable system you might have.

Whatever you might be using, there is always a level of risk because you have to blindly trust the people that made it and there's no way to objectively measure someone's trustworthiness.
devland 2 hours ago
Quoting: Stella
Flatpak has never been hit by malware thanks to the high level of human oversight.

We don't know that because nobody really bothers to review flatpaks since they do not belong to any single organization. Ownership is fragmented between unaffiliated maintainers who report to no one but themselves.
The only "human oversight" any flatpak, snap or appimage gets is that of its maintainer, who may or may not have bad intentions.

What we do know for a fact is that many flatpaks, snaps and appimages are left unmaintained for months or years at a time. And that's exactly the problem that started the whole AUR debacle.
devland 1 hour ago
Quoting: Nocifer
The real issue with Arch IMHO is that it never really moved with the times. Arch as a project has (or had until very recently) stagnated and kept using tools and policies that simply don't make sense in this day and age even if they were really cool as a concept back in the day.

This is simply not true.

The "obsolete arch policies" that you mention do not exist since the whole point of the project is to allow people to do whatever they want. You can use whatever filesystem, desktop environment, compositor or any other subsystems in any combination you want. That's the whole point. You decide how "obsolete" your system will be.

If anything, Arch set the gold standard when it comes to Linux documentation. No other distro even comes close. And that's something they pioneered through a community effort, which isn't something to sneeze at.

This whole AUR debacle, even though it's pretty serious, was handled with the utmost professionalism. The whole attack was discovered and patched less than 2 weeks after it started. You don't really get faster fixes than that which is why many people, like myself, were not affected at all.