AURpocalypse now: a look at the recent AUR attacks
jwilk
45 points
35 comments
June 19, 2026
Discussion Highlights (8 comments)
rvz
Who still uses Arch btw after this?
AshamedCaptain
I'll note that OpenSuse also has Packman which a shitton of people enable (for codecs), has also 'one namespace only' and looser policies than the main distro. I do not think this is something you can escape by switching distro.
nickjj
In case anyone missed it, the latest version of yay (v13+) supports being able to skip recently added packages through its new Lua extension system https://jguer.github.io/yay/lua.html#upgrade-selection-hooks . You can control the threshold since it's just user configuration now. A bunch of common yay commands also return back the last updated time of a package thanks to https://github.com/Jguer/yay/pull/2846 .
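The check nickjj describes (treat packages that appeared in the AUR only recently as untrusted and hold them back for manual review) can also be done outside yay. The script below is an added example, not yay's code and not taken from this thread; it assumes the JSON shape of the AUR RPC v5 `info` endpoint (`https://aur.archlinux.org/rpc/v5/info?arg[]=<name>`), whose results carry `FirstSubmitted` and `LastModified` as Unix epoch seconds. It goes slightly beyond the comment: besides "first submitted within N days" it also flags a recent `LastModified` (a long-standing package that was just changed is the takeover case) and orphaned packages. The RPC response embedded here is constructed for the example, and the fixed `NOW` makes the output reproducible.

```python
"""Flag AUR packages that deserve manual review before an automated upgrade.

Added example, not part of yay or of the AUR. Assumes the AUR RPC v5 `info`
response shape (`results[]` with Name, FirstSubmitted, LastModified, Maintainer).
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the sample is reproducible (assumption: the thread's date).
NOW = datetime(2026, 6, 19, tzinfo=timezone.utc)


def _days_ago(days: int) -> int:
    """Epoch seconds for `days` before NOW; used only to build the sample."""
    return int((NOW - timedelta(days=days)).timestamp())


# Constructed sample in the shape of an AUR RPC v5 multiinfo reply (not a real reply).
SAMPLE_RPC_RESPONSE = json.dumps({
    "resultcount": 3,
    "type": "multiinfo",
    "version": 5,
    "results": [
        {"Name": "long-lived-tool", "Maintainer": "alice",
         "FirstSubmitted": _days_ago(2000), "LastModified": _days_ago(400)},
        {"Name": "brand-new-helper", "Maintainer": "bob",
         "FirstSubmitted": _days_ago(9), "LastModified": _days_ago(9)},
        {"Name": "orphaned-lib", "Maintainer": None,
         "FirstSubmitted": _days_ago(1200), "LastModified": _days_ago(11)},
    ],
})


def classify_packages(rpc_json: str, now: datetime = NOW,
                      min_age_days: int = 30) -> dict[str, list[str]]:
    """Return {package name: [reasons]} for packages that should not be
    installed or upgraded unattended. Packages with no reasons are omitted."""
    cutoff = now - timedelta(days=min_age_days)
    flagged: dict[str, list[str]] = {}
    for pkg in json.loads(rpc_json)["results"]:
        first = datetime.fromtimestamp(pkg["FirstSubmitted"], tz=timezone.utc)
        modified = datetime.fromtimestamp(pkg["LastModified"], tz=timezone.utc)
        reasons = []
        # Newly submitted package: no track record, the case the comment targets.
        if first > cutoff:
            reasons.append(f"first submitted {(now - first).days} days ago")
        # Old package with a fresh change: review the diff before building it.
        if modified > cutoff:
            reasons.append(f"last modified {(now - modified).days} days ago")
        # Orphans can be adopted by anyone, so treat them as unowned.
        if pkg.get("Maintainer") is None:
            reasons.append("orphaned (no maintainer)")
        if reasons:
            flagged[pkg["Name"]] = reasons
    return flagged


def auto_upgradeable(rpc_json: str, now: datetime = NOW,
                     min_age_days: int = 30) -> list[str]:
    """Names that pass all checks and can go through unattended."""
    held = classify_packages(rpc_json, now, min_age_days)
    return [p["Name"] for p in json.loads(rpc_json)["results"] if p["Name"] not in held]


if __name__ == "__main__":
    for name, reasons in classify_packages(SAMPLE_RPC_RESPONSE).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
    print("auto-upgrade:", auto_upgradeable(SAMPLE_RPC_RESPONSE))
```

To use it against real data, fetch the RPC URL for the packages listed by `yay -Qm` and feed the response body to `classify_packages`; the threshold is a plain parameter, matching the point in the comment that the cut-off should be user configuration.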
AquaWeasel
Despite the fact that official Arch repos weren't affected in this attack, I would not recommend using Arch (or any rolling release distro) for anything that requires security. (Imagine if the xz backdoor had targeted Arch...) An Arch maintainer that I personally know once admitted that he rarely reviews upstream changes when bumping package versions. He only does that when the build breaks. I can't blame him for what he did, since it's not reasonable to ask package maintainers to spend all their time on that stuff, especially in this "Age of AI" where more and more software is being aggressively refactored (or rather rewritten) and having more features added. What we can do is choose a stable distro (like Debian) where packages are more thoroughly reviewed, and apply security practices (such as TOTP, sandboxing browsers and video players, etc.) even though they cause inconvenience.
Ferret7446
Devil's advocate, except partially serious. This is a good thing, because the warning about checking everything you download from the AUR, which has always existed, is now actually "enforced". People respond to consequences.
cookiengineer
Note that the AUR attacks were part of the larger miasma worm campaign, gradually trying to gain more control through various package ecosystems since the RedHat prototype campaign. Mitigation Tool: https://github.com/cookiengineer/antimiasma Blog Post with details: https://cookie.engineer/weblog/articles/malware-insights-mia...
cozzyd
I love the smell of npm install malware in the morning.
MintPaw
A side note: isn't package maintenance something that can actually be solved to some extent by LLMs? The prompt would be something like "Clone this repo and build this package while building/bundling as few other packages as possible with minimal code changes." Then set it in a loop on all the packages for a particular system. I don't have experience in package maintenance and would be curious what kind of issues would come up.