Malicious AUR packages

…guess this is also as good a time as any to audit my foreign packages and remove anything I really don’t need anymore. Also running maldet just because, might as well.

Nothing installed itself overnight while I slept, so I am really happy about that.

ckaur

Checking for infected AUR packages (1937 total)...

Clean: None of the known infected packages were installed within 2 days of the campaigns.

If someone is also registered with cachy, you may want to tell cscs to update the script so it updates the days since zero day; it has been saying 2 days since I first ran this command.

Ok, how do I check whether the playonlinux AUR package is safe? Also, how do I install deb packages in Arch?

Nowadays I’m updating mostly when installing new packages.

Fundamentally the ‘AUR’ issue is a who do you trust/blame issue. Make of that what you will considering corporations and having someone to blame.
Most supply chains aren’t going to be any better (imo).

At this stage it’s a bit surprising they don’t completely shut down the AUR until they can better verify the security and safety of this user-supplied repository, or at least implement new safeguards on changes.

Idk if it’s needed, but at this point, since the number of infected packages is rising, maybe this thread could be pinned or put up as an important notification? Don’t know, I would do it though :man_shrugging:

I am just now adding a post about it and will pin it.

Nice

Phoronix with the hot take on moderating user-generated content is like … rain on your wedding day.

It really is strange that the Arch team doesn’t just dismiss all AUR submissions for the next few days, simply to figure out what the hell is going on.

This is really worrying to me. I wanted to come back to Linux pretty soon and I wanted to use Arch because it has the AUR. Now I am thinking about going to another distro entirely due to these on-going attacks.

Everybody knows what’s going on. It hits ca. 2% of the AUR packages, and those are mostly orphaned and therefore receive a fraction of the AUR traffic. What would a few days change, and why should 99.98% of legitimate AUR traffic be punished?

As long as the maintainers can keep up, every user can decide for themselves whether they want to use the AUR in the coming days. Shut it down for yourself.

I think we all knew it was just a matter of time before Brodie said something about the AUR mess…

Give me this number:

[sermor@archlinux ~]$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (1937 total)...

Clean: None of the known infected packages were installed within 2 days of the campaigns.

As for the AUR, well, there are several things that aren’t in the official repositories, and are put there and installed via scripts, like printer drivers, Wi-Fi routers, and so on. These are usually managed not by the original manufacturers, but by third-party maintainers, as I think is the case with most of what’s on the AUR. For example, Epson, like other manufacturers, release deb, rpm, and sometimes binary packages for their drivers, and then others “upload” them elsewhere, in this case, to the AUR.

For various other useful software, the situation is more or less the same (for example, web browsers like Brave, although in the case of Brave that package is managed directly by them), even for software that is generally available on other distros, like Hypnotix or Suse Studio Imagewriter.

In short, either you find a different solution, or you give up on that software or simply move to another distro.

Because, rather than having Arch, you could just get Debian or a Debian-based distribution, download the necessary deb package, and install it, usually with one click, without even going through the terminal. The end.

Perhaps migrating the vast majority of useful software isn’t possible; it would be a monumental task. I can’t say what the best solution would be, other than using another distro directly and getting rid of the problem. But that would be avoiding the problem, not solving it.

Now that I know that I’m safe on my machine from the AUR issue, I’m updating via sudo pacman -Syu until we get some official announcement that the AUR is back to normal.

─❯ sudo pacman -Syu
[sudo] password for wombat: 
:: Synchronizing package databases...
 endeavouros                                       14.6 KiB  26.8 KiB/s 00:01 [--------------------------------------------] 100%
 core is up to date
 extra                                              8.2 MiB  4.71 MiB/s 00:02 [--------------------------------------------] 100%
 multilib is up to date
 cidercollective is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Package (90)                       Old Version     New Version     Net Change  Download Size

extra/abseil-cpp                   20260107.1-1    20260526.0-2      0.35 MiB       1.33 MiB
extra/gumbo-parser                                 0.13.2-1          0.37 MiB       0.12 MiB
extra/libvlc                       3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.69 MiB
extra/litehtml0.9                                  0.9-2             0.87 MiB       0.28 MiB
extra/opencv                       4.13.0-9        4.13.0-10         0.00 MiB      30.10 MiB
extra/protobuf                     35.0-1          35.0-2            0.09 MiB       3.95 MiB
extra/protobuf-c                   1.5.2-10        1.5.2-11          0.00 MiB       0.14 MiB
extra/python-protobuf              35.0-1          35.0-2            0.00 MiB       0.47 MiB
extra/qt6-tools                    6.11.1-1        6.11.1-3          0.00 MiB       6.59 MiB
extra/re2                          2:2025.11.05-4  2:2025.11.05-5    0.00 MiB       0.23 MiB
extra/vlc                          3.0.23_2-6      3.0.23_2-7        0.00 MiB       6.42 MiB
extra/vlc-cli                      3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-gui-qt                   3.0.23_2-6      3.0.23_2-7        0.00 MiB       1.05 MiB
extra/vlc-plugin-a52dec            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-aalib             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-alsa              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-aom               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-archive           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-aribb24           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-aribb25           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-ass               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-avahi             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-bluray            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
extra/vlc-plugin-caca              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-cddb              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.03 MiB
extra/vlc-plugin-chromecast        3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.07 MiB
extra/vlc-plugin-dav1d             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-dbus              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
extra/vlc-plugin-dbus-screensaver  3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-dca               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-dvb               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.19 MiB
extra/vlc-plugin-dvd               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
extra/vlc-plugin-faad2             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-ffmpeg            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.08 MiB
extra/vlc-plugin-firewire          3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-flac              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-fluidsynth        3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-freetype          3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
extra/vlc-plugin-gme               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-gnutls            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-gstreamer         3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-inflate           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-jack              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-journal           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-jpeg              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-kate              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-libsecret         3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-lirc              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-live555           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.03 MiB
extra/vlc-plugin-lua               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.32 MiB
extra/vlc-plugin-mad               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-matroska          3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.20 MiB
extra/vlc-plugin-mdns              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-modplug           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-mpeg2             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-mpg123            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-mtp               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-musepack          3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-nfs               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-notify            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-ogg               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.06 MiB
extra/vlc-plugin-opus              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-png               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-pulse             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-samplerate        3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-sdl               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-sftp              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-shout             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-smb               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-soxr              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-speex             3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-srt               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-svg               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-tag               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
extra/vlc-plugin-theora            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-twolame           3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-udev              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-upnp              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.03 MiB
extra/vlc-plugin-vorbis            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-vpx               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-x264              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugin-x265              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-xml               3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.01 MiB
extra/vlc-plugin-zvbi              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.05 MiB
extra/vlc-plugins-all              3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.00 MiB
extra/vlc-plugins-base             3.0.23_2-6      3.0.23_2-7        0.00 MiB       2.04 MiB
extra/vlc-plugins-extra            3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.02 MiB
extra/vlc-plugins-video-output     3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.16 MiB
extra/vlc-plugins-visualization    3.0.23_2-6      3.0.23_2-7        0.00 MiB       0.04 MiB
endeavouros/welcome                26.6-1          26.6.1-1          0.00 MiB       0.04 MiB

Total Download Size:    55.62 MiB
Total Installed Size:  219.75 MiB
Net Upgrade Size:        1.68 MiB

:: Proceed with installation? [Y/n]

Official packages are not immune to malware, remember the xz incident. OK, it’s a much higher barrier to entry, but it’s been done once. That we know of!

The AUR is like a community recipe book. The beauty of Arch is that we are free to grab a recipe and adjust it to our needs, or simply make it our own. That’s hugely empowering.

The option that remains available to all of us is looking after those non-official packages ourselves. As mentioned in another thread, there are also AUR packages managed by official maintainers, so we can be somewhat discerning.

“That one’s ok, but this one I’ll manage myself”.

Well, yeah. Everything is prone to malware. But sudo pacman -Syu is not a concern at the moment. Until proven otherwise, I deem endeavouros, core, extra, and multilib as safe.

We can only operate under the assumption that

My personal learning:

  • stick to official repos wherever possible.
  • replace AUR packages with flatpaks*
  • add “pacman -Qm” to .bashrc beside fastfetch, so that whenever I start a terminal I stay informed about installed foreign packages and get reminded or notified when packages are dropped from the official repos to the AUR.

That said, I can’t get rid of the following, for reasons:

pacman -Qm
snapd 2.75.2-1
snapper-support 1.1.2-3

I know that won’t be the ultimate solution, but that’s what I can do and consider.

*at least they run in a sandbox and don’t need superuser rights for installation.
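A defender-side check in the spirit of the script run earlier in the thread, added here as an example and not cscs’s own code: it parses the `pacman -Qi` records of the packages that `pacman -Qm` lists and flags any installed within a window after a campaign date. The campaign dates, package names and sample output are constructed placeholders, and the two date layouts handled are the en_US locale form and the LANG=C form of strftime("%c").

```python
# Added example (not cscs's aurvulntest script): parse `pacman -Qi` records for
# the foreign packages that `pacman -Qm` lists and flag any whose Install Date
# lies in [campaign, campaign + window). Dates and sample output are constructed.
from datetime import datetime, timedelta
WINDOW_DAYS = 2
CAMPAIGNS = [datetime(2026, 6, 10), datetime(2026, 6, 11)]  # constructed placeholders

# Constructed `pacman -Qi` output: two en_US-locale dates and one recorded under LANG=C.
SAMPLE_QI = """\
Name            : snapd
Install Date    : Mon 02 Mar 2026 10:15:42 AM CET

Name            : hypothetical-aur-tool
Install Date    : Thu 11 Jun 2026 09:02:10 PM CEST

Name            : other-aur-helper
Install Date    : Wed Jun 10 08:00:00 2026
"""

# pacman prints dates with strftime("%c"): try the en_US form on the first six
# tokens (the trailing time-zone name is dropped), then the C-locale form.
DATE_FORMATS = (("%a %d %b %Y %I:%M:%S %p", 6), ("%a %b %d %H:%M:%S %Y", 5))

def parse_install_date(value):
    tokens = value.split()
    for fmt, ntok in DATE_FORMATS:
        try:
            return datetime.strptime(" ".join(tokens[:ntok]), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Install Date: {value!r}")

def parse_qi(text):
    """Return {package name: install datetime} from `pacman -Qi` output."""
    installed = {}
    for record in text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, _, v in
                  (line.partition(":") for line in record.splitlines())}
        installed[fields["Name"]] = parse_install_date(fields["Install Date"])
    return installed

def flag_recent(installed, campaigns=CAMPAIGNS, window_days=WINDOW_DAYS):
    """Return [(name, installed_at, campaign_start)] for packages worth a review."""
    hits = []
    for name, when in sorted(installed.items()):
        for start in campaigns:
            if start <= when < start + timedelta(days=window_days):
                hits.append((name, when, start))
                break
    return hits
```

On a real system, feed it `pacman -Qi $(pacman -Qm | cut -d' ' -f1)` and replace the placeholder campaign dates with the ones from the advisories.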