Over 400 Malicious packages found in Arch AUR
Hydrocarb0n
11 points
2 comments
June 12, 2026
Discussion Highlights (2 comments)
Hydrocarb0n
Attackers (or a coordinated set of compromised accounts) targeted many orphaned AUR packages—those without active maintainers. They pushed commits that added lines like this to the PKGBUILD (or related build files):

```bash
npm install atomic-lockfile ...
```

(Exact variations exist, but that's the core pattern.) This affects ~408 packages according to reports. When users (or AUR helpers) build these packages with makepkg, it executes npm install, which downloads and runs the atomic-lockfile npm package. That package was published very recently and includes a preinstall script (a Rust binary at ./src/hooks/deps) that runs automatically during installation.
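A pre-build check for the pattern described in the comment above, as an added example that is not part of the thread or of any AUR tooling: it lists every `npm install` command in a PKGBUILD, the function it sits in, whether npm lifecycle scripts (such as a preinstall hook) would run, and whether the package name reported in the thread appears. The function names and the sample PKGBUILD are constructed for illustration.

```python
import re

# Name reported in the thread above; extend only with names you have verified.
REPORTED_PACKAGES = {"atomic-lockfile"}

NPM_INSTALL = re.compile(r"\bnpm\s+(?:install|i|ci)\b(.*)")
FUNC_START = re.compile(r"^\s*([A-Za-z_]\w*)\s*\(\)")

def package_name(arg):
    """Drop quotes and a trailing @version, keeping the @ of a scoped name."""
    arg = arg.strip("\"'")
    return arg[:1] + arg[1:].split("@", 1)[0]

def audit_pkgbuild(text):
    """Return one finding per npm install command found in PKGBUILD text."""
    findings, func = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw)  # drop shell comments
        started = FUNC_START.match(line)
        if started:
            func = started.group(1)           # e.g. prepare, build, package
        elif line.strip() == "}":
            func = None
        m = NPM_INSTALL.search(line)
        if not m:
            continue
        # Keep only this command's arguments, not what follows ; && or |
        args = re.split(r"[;&|]", m.group(1))[0].split()
        names = [package_name(a) for a in args if not a.startswith("-")]
        findings.append({
            "line": lineno,
            "function": func,
            # npm runs preinstall/install/postinstall hooks unless disabled
            "runs_lifecycle_scripts": "--ignore-scripts" not in args,
            "reported": sorted(REPORTED_PACKAGES.intersection(names)),
        })
    return findings

# Constructed sample, not taken from any real AUR package.
SAMPLE = """\
pkgname=example-tool
pkgver=1.0
build() {
  cd "$srcdir"
  # npm install commented-out
  npm install atomic-lockfile
  make
}
package() {
  npm install --ignore-scripts left-pad@1.3.0
}
"""

if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE):
        print(finding)
```

A finding with `runs_lifecycle_scripts` set means the build would execute code from the npm registry, so diff the PKGBUILD against its previous commit before running makepkg.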
gnabgib
Discussion (205 points, 11 hours ago, 123 comments) https://news.ycombinator.com/item?id=48500447