this post was submitted on 12 Jun 2026
358 points (99.7% liked)

[–] Lord743@lemmy.world 6 points 1 hour ago* (last edited 1 hour ago)
[–] Kazel@lemmy.dbzer0.com 2 points 1 hour ago* (last edited 1 hour ago)

Look how every motherfucker complains about Arch and the AUR, but not that their distros blindly use it without contributing back and even suggest blindly trusting it. These same people now complain the AUR is too complicated. Never go full retard, guys.

[–] Cease@mander.xyz 8 points 4 hours ago (2 children)

I think a lot of people are confusing what the AUR actually IS. It is NOT the official package repository used by Arch Linux - it's more like a bunch of community install scripts for stuff that isn't officially supported yet - for popularity or other reasons.

So for all those people complaining and saying "Debian does it better": it's very likely that you would not even HAVE a package to install and would have to come up with a build script on your own - the AUR allows you to skip this and instead just verify that the script itself isn't malicious, which is usually fairly obvious.

A lot of people here seem to be under the impression that all of this effort should be abstracted for them - but that's what you chose when you left Windows - a system that you control intimately, with a necessitation to actually do some upkeep yourself because a giant company isn't doing it for you.

In other words: RTFM and stop expecting other people to fix all your problems for you, because that's exactly how Windows got to how it currently is.

[–] ExLisper@lemmy.curiana.net 1 points 1 hour ago (1 children)

it’s more like a bunch of community install scripts for stuff that isn’t officially supported yet - for popularity or other reasons.

I'm looking at the list of affected packages and many of them are in official Debian repos. Isn't the issue then that the official Arch repositories don't have many packages and people have to use less secure sources? That still sounds like an Arch issue to me.

[–] flying_sheep@lemmy.ml 3 points 1 hour ago* (last edited 1 hour ago)

Arch actually has a large amount of official packages. Maybe some of the packages you're referring to are just slightly renamed or alternate versions?

It's possible that in some areas it has fewer packages of course (e.g. Debian might repackage a larger subset of PyPI as Python packages), but I need the AUR for very few things.

[–] prole@lemmy.blahaj.zone 1 points 2 hours ago

A lot of people here seem to be under the impression that all of this effort should be abstracted for them

Wouldn't this just make it harder to detect?

[–] prole@lemmy.blahaj.zone 1 points 2 hours ago

I only ever access the AUR in an Arch distrobox... The containerization should protect me right?

[–] niva@discuss.tchncs.de 2 points 3 hours ago* (last edited 3 hours ago) (2 children)

Wow, I have 229 AUR packages installed but none of them is on the infected list!

Am I just lucky?

[–] Lord743@lemmy.world 2 points 1 hour ago

Check again, it's around 1500+ packages now.

[–] prole@lemmy.blahaj.zone 3 points 2 hours ago

I have 229 AUR packages installed

Holy shit lol...

[–] jason@discuss.online 1 points 3 hours ago (1 children)

So, I'm totally fine because I always manually install from the AUR? This is more of a problem for people using those AUR helpers that make a package manager out of it, right?

[–] niva@discuss.tchncs.de 3 points 2 hours ago

I don't think it matters how you installed infected AUR packages.

[–] xthexder@l.sw0.com 5 points 6 hours ago (2 children)

Not even having npm installed as a system package feels like a personal win right now. I'd like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it's been the source of most of the recent CVEs I'm hearing about.

[–] Evotech@lemmy.world 2 points 2 hours ago

Pnpm for the win

[–] fxdave@lemmy.ml 3 points 5 hours ago* (last edited 5 hours ago)

I develop inside Docker for this reason too.

[–] mathers@l.mathers.fr 4 points 7 hours ago
[–] BlackLaZoR@lemmy.world 4 points 8 hours ago* (last edited 8 hours ago) (2 children)

Expecting user to inspect install scripts is retarded. And this is the result.

[–] Kazel@lemmy.dbzer0.com 1 points 1 hour ago

Then don't use Arch and the AUR, easy as that.

[–] GameEngineer@infosec.pub 5 points 5 hours ago (1 children)

So what would the alternative be? If the resources or desire don't exist to make a package official, how else would you install it?

[–] BlackLaZoR@lemmy.world 2 points 5 hours ago (1 children)

You're missing the point entirely. I'm talking about inspecting the scripts, not about making packages.

[–] GameEngineer@infosec.pub 5 points 5 hours ago (1 children)

Sorry if I was unclear. You usually don't inspect the install scripts for official packages since you put the trust in the official team. You don't trust (or at least shouldn't) AUR packages, hence you should inspect the install script for those packages. I don't really see what the alternative would be.

[–] BlackLaZoR@lemmy.world 2 points 4 hours ago (1 children)

Well, the alternative would be for a moderation team to inspect them, with clear signaling of which scripts are trusted and which aren't.

[–] HaraldvonBlauzahn@feddit.org 6 points 3 hours ago* (last edited 2 hours ago) (1 children)

But this is exactly what the top comment of Cease talks about: There is no moderation team. You seem to think that it is the job of the maintainers of the Arch Linux distribution to vet and review the AUR packages. But they take care of the - much more widely used - Arch distro packages and are busy with this. They have enough to do. And the AUR packages are not part of the Arch distro.

The AUR is basically a server where users can store their own packages so that others can use them. As its name says: Arch User Repository.

[–] BlackLaZoR@lemmy.world -2 points 3 hours ago (2 children)

There is no moderation team.

And that's why it's a fundamentally shit idea on so many levels. Instead of having one person to inspect, let's make every single user, expert or not, inspect every package individually. This is fucking retardation at its finest.

[–] HaraldvonBlauzahn@feddit.org 5 points 3 hours ago (1 children)

But who would do that? Do you have security expertise and are volunteering to do that?

[–] GameEngineer@infosec.pub 2 points 2 hours ago

Exactly. Let's also not forget it isn't just a matter of inspecting it once, it would be for EVERY update of the script. It would be a major bottleneck to get updates out for any package. There are comments on the AUR site where people can flag issues, so we do have some crowd sourcing, but I'd still not trust it.

[–] Evotech@lemmy.world 2 points 2 hours ago

The option is to not have it

[–] misterrabbit@lemmy.world 34 points 14 hours ago (3 children)

Been saying for years that people need to stop treating the AUR like a repo, when it's more akin to curl installscript.sh | bash.

[–] Cethin@lemmy.zip 7 points 7 hours ago (1 children)

But it is a repo. It's just an unofficial one. I don't know how you use it without understanding this. It's not far from perfect, but it is useful.

[–] gergolippai@lemmy.world 3 points 7 hours ago

The problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. And the user will unavoidably "trust" it (especially when it's listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.

[–] HaraldvonBlauzahn@feddit.org 9 points 8 hours ago* (last edited 8 hours ago)

So, better to use a safe language, and use

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh

right??

(I copied that from https://rust-lang.org/tools/install/ just a second ago....)

[–] goatinspace@feddit.org 9 points 12 hours ago

Some packages pull files from personal dropbox...

[–] Tetsuo@jlai.lu 81 points 23 hours ago (1 children)

I hope all the Arch based distros will do a proper post to inform their users on how to clean up afterwards.

I'm hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.

I remember that when I installed a few of my AUR packages, I was well aware that this repo was pretty much unregulated and that I just had to trust it's safe. So I made sure to only use the AUR as a last resort. But there were warnings on CachyOS that were displayed to tell me to be cautious about it, so that's at least a positive.

[–] yesman@lemmy.world 76 points 23 hours ago* (last edited 23 hours ago) (29 children)

The article has instructions to do exactly that.

Users who regularly install AUR packages should take the following steps immediately:

  1. Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages.
  2. Audit recent PKGBUILD history for any packages installed between June 10–12, 2026.
  3. Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed.
  4. Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit.
  5. Consider using AUR helpers with PKGBUILD review prompts enabled by default.

The Checklist of infected packages
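An added example of scripting the first two checklist steps (this is not code from the article or from anyone in this thread): it cross-references the output of pacman -Qm against a list of compromised package names, then pulls the install or upgrade lines for the flagged packages out of pacman.log for a date window. The file paths, the list format (one package name per line) and the sample data inside the script are assumptions; the real list is the one the article links.

```shell
#!/bin/sh
# Added example, not from the article or the thread. Implements the first two
# checklist steps on Arch: cross-reference foreign packages against a list of
# compromised names, then show when the flagged ones were installed or upgraded.
# Assumed inputs: a file holding the output of `pacman -Qm` ("name version" per
# line) and a plain-text list with one compromised package name per line.
# pacman.log is assumed to use its standard line format, e.g.:
#   [2026-06-11T10:15:00+0000] [ALPM] installed bar (2.3-1)

# Print the names of foreign packages that appear in the compromised list.
#   $1  file with `pacman -Qm` output
#   $2  file with one compromised package name per line (blank lines ignored)
compromised_installed() {
    # First pass builds the set of bad names, second pass filters the installed list.
    awk 'FILENAME == ARGV[1] { if ($1 != "") bad[$1] = 1; next }
         ($1 in bad) { print $1 }' "$2" "$1"
}

# Print the pacman.log lines where any of the given packages was installed,
# reinstalled or upgraded inside an inclusive YYYY-MM-DD date window.
# Upgrades are included because a compromised release of a package you already
# had shows up in the log as an upgrade, not as a fresh install.
#   $1  path to pacman.log   $2  start date   $3  end date   $4..  package names
installs_in_window() {
    log=$1; start=$2; end=$3
    shift 3
    for pkg in "$@"; do
        awk -v pkg="$pkg" -v start="$start" -v end="$end" '
            $2 == "[ALPM]" && $4 == pkg &&
            ($3 == "installed" || $3 == "reinstalled" || $3 == "upgraded") {
                day = substr($1, 2, 10)   # "[2026-06-11T..." -> "2026-06-11"
                if (day >= start && day <= end) print
            }' "$log"
    done
}

# Usage on a real Arch system (compromised.txt = the published list, saved locally):
#   pacman -Qm > /tmp/foreign.txt
#   flagged=$(compromised_installed /tmp/foreign.txt compromised.txt)
#   [ -n "$flagged" ] && installs_in_window /var/log/pacman.log 2026-06-10 2026-06-12 $flagged
```

A match from compromised_installed only tells you a flagged package is present; the log window then tells you whether the copy you have was pulled in during the affected days, which is what decides whether the credential rotation step applies.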

[–] historicaldocuments@lemmy.world 1 points 2 hours ago

Well, nothing to do but start at the first one and work our way down...
