AUR packages compromised with Infostealer and Rootkit
keyle
283 points
215 comments
June 12, 2026
Related Discussions
Found 5 related stories in 102.9ms across 10,324 title embeddings via pgvector HNSW
- Over 900 Arch Linux Packages Infected with infostealers and rootkits fortran77 · 20 pts · June 12, 2026 · 78% similar
- Arch Linux's AUR Sees More Than 400 Packages Compromised with Malware spiros · 32 pts · June 12, 2026 · 68% similar
- There is a bunch of malware being spotted in the AUR Velocifyer · 13 pts · June 11, 2026 · 67% similar
- Over 400 Malicious packages found in Arch AUR Hydrocarb0n · 11 pts · June 12, 2026 · 63% similar
- For the 2nd time in weeks, Microsoft packages laced with credential stealer cdrnsf · 40 pts · June 08, 2026 · 52% similar
Discussion Highlights (20 comments)
UI_at_80x24
Here's an easy script to scan for compromised packages: https://cscs.pastes.sh/aurvulntest20260611.sh Not my script. It's easy to read/parse. Never pipe a script directly to bash.
lordleft
This is especially gnarly as more people have been picking up arch distros as of late (like CachyOS).
keyle
More news is coming out about this: https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised I toyed with the idea that someone should write a binary that simply emails, or alert you when it's been run... as a canary... and call that `npm`. At this point, not renaming the npm binary is a big risk.
nialv7
third time this has happened: https://news.ycombinator.com/item?id=17501379 https://news.ycombinator.com/item?id=44607740
sph
Be aware of false positives! I found I had two of these packages installed, clang19 and compiler-rt19, but due to my recent laziness in updating my system, mine were still the versions from July 2025 from the official repos before they had relegated them to AUR. You can check the build and install date with `pacman -Qi <package>`. I run Arch Linux in a container (within Fedora Silverblue), but my plan for the future: - consider switching away from Arch Linux for my dev container, with great sadness. A rolling distro is a terrible idea in the current security climate. I loved using Arch for my dev container exactly because of AUR. - switch to Fedora Stable, perhaps the previous release which still gets security fixes but no other updates. I am still on Fedora 43, I guess I have no rush to update to 44. - be even lazier in updating my workstation. I used to update daily when I was running Arch, then I moved to weekly last year when I got stuck with slow internet, now consider updating monthly or more (of course, unless there are critical security bugs) - Flatpak and Flathub terrify me, it's only a matter of time until malware appears. I have had automatic upgrades disabled for a while. - for the love of God don't touch anything that uses npm Previously: https://news.ycombinator.com/item?id=48458931
Retr0id
I haven't used Arch for a few years now, but when I did the AUR was my favourite aspect. It was never perfect from a security PoV, but in 2026 this kind of trust model feels increasingly scary.
QuantumNoodle
Man, I never hear good security things about npm
virajk_31
AUR doesn't guarantee security, its upto the user to use AUR & verify before installing anything, its very evident why arch is not used in enterprise solutions.
self_awareness
How a person 'adopts' 408 packages and controls their build scripts?
secret-noun
Here's a commit showing how they did it: https://aur.archlinux.org/cgit/aur.git/commit/?h=pass-cli&id... Internet archive URL: https://web.archive.org/web/20260611213640/https://aur.archl...
spystath
Obviously installing anything from AUR must be done cautiously and there have always been sketchy (as in improperly built/packaged) packages in the past but seeing actively malicious injections is concerning. I think there are two main problems with AUR: 1. it is a remnant of a slightly more egalitarian era in the open source history when you could generally trust 3rd party code and 2. orphaned packages can be adopted by anyone with their full history and vetting intact. I think we are well past (1) but (2) could be mitigated by tighter controls on AUR accounts and potentially additional safeguards from AUR helpers. Maybe show a big scary warning if the package has changed owners recently. I know there will still be people that will "y" their way forward but it's better than nothing. Or just avoid AUR helpers altogether and inspect/build the packages you need yourself from their PKGBUILDs directly.
xx_ns
This campaign is still ongoing. I just got an email that one of my old packages (which hasn't worked for years and was orphaned for a while) was adopted and immediately a malicious commit was pushed. They seem to be using bun instead of npm now, so any npm-based workaround likely isn't effective. https://aur.archlinux.org/cgit/aur.git/commit/?h=toggldeskto...
animitronix
Wow, this is effectively the end of the AUR model. There's been a malicious package or two before, but an attack this widespread shows things are fundamentally broken. Guess I'll be switching to a new OS this weekend across multiple machines.
williebeek
I remember installing an emulator (Mednafen) on Arch Linux about a decade ago. The program failed to run because it was linked against a library my system didn't have. Turns out, the maintainer built the software on his own system and it used a library he had on his system but was not listed in the dependencies. It is an officially maintained package and I always assumed these were built on a dedicated build server instead of some a random volunteer/home computer. Don't know if Arch still builds the same way but this event scared me enough to switch distros.
Artoooooor
Thanks for the link. It contains link to list of the affected packages, that will be useful.
bachmeier
So what's a solution to this? Install packages like this in Docker containers without network access? I don't think we should assume it's limited to AUR. Every software source should be considered suspect in 2026, particularly with the adoption of vibe coding, and closed software is a bigger mess than open source because it's a black box.
dtag00
Is there a way to verify if the malware is actually installed on a machine?
yaakushi
Not the first time this has happened recently. There were a few emails in the AUR list a few weeks ago about malicious packages, and a few reports on IRC too. The only difference in the campaign back then was the malicious npm package name (`linux-utils` in the campaign a few weeks ago).
harvie
7+ hours into this and still no mention on archlinux.org webpage nor on aur.archlinux.org. Why??? AUR should have been blocked until user takes action to prove he knows about this. Eg. change AUR API URL slightly so yay/yaourt users need to look up what is going on. New API should have infrastructure for informing users and making sure they've read the message before proceeding. Especially when they're not even sure that all malware was found. Also there should be database of revoked/compromised AUR commits and there should be mechanism to warn user if they had it installed.
hootz
There are some AUR hooks that can help. I use https://github.com/Sohimaster/traur which also has scans for orphan package takeover patterns.