Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages

You might want to hold off on AUR updates until this is resolved, and check the pkgbuilds if you decide to update.

From: Campbell Jones <serebit@archlinux.org>

Date: Friday, June 12th, 2026 at 10:42 AM

To: arch-dev-public at lists.archlinux.org

The draft follows:

---

We are currently experiencing a high volume of malicious package
adoptions and updates in the Arch User Repository.
We are actively working to track down existing malicious commits and
attempting to prevent additional malicious commits from being pushed.
While this is happening, and while we work to create a more permanent
solution, users may see issues with the following:

- Creating new accounts on the AUR
- Pushing package updates
- Adopting or creating new packages

We encourage active users of AUR packages to review *all* PKGBUILD
changes when updating, especially during this time.
If you notice suspicious commits to a package that you use, please reach
out to Arch staff via the aur-general mailing list with more information.

---

Campbell

https://linuxiac.com/arch-linux-aur-malware-campaign-hits-multiple-user-contributed-packages/

Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages

Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.

By Bobby Borisov


Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation.

The issue was first reported on the Arch Linux aur-general mailing list, where contributors are tracking affected packages in a dedicated thread. Cleanup efforts are ongoing, with malicious commits being removed and related accounts banned.

Importantly, this incident affects only the Arch User Repository, not the official Arch Linux package repositories.

In this case, suspicious changes to AUR packages added npm commands unrelated to the original software. Community reports indicate that malicious logic is triggered during installation, frequently involving npm packages such as atomic-lockfile.

One clear example is the alvr AUR package, where a suspicious update added npm-related behavior to software that does not otherwise use npm. Other reports describe similar changes in additional packages, and Arch contributors are asking users to report further malicious commits in the central thread.

In practice, Arch users should not update AUR packages without review. Examine the PKGBUILD diff, check any newly added .install files, and treat an update that introduces npm commands or npm dependencies unrelated to the software as suspect. Keep in mind that makepkg runs the PKGBUILD's prepare(), build() and package() functions as the building user, so a malicious step placed there executes when the package is built, before anything is installed; an AUR helper that rebuilds packages automatically gives it that opportunity on every update.

Users who recently updated affected AUR packages should review the package's commit history, examine any install scripts that ran on their system, and treat any unexpected npm-based installation behavior as a possible compromise.
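Both checks described above, reviewing a PKGBUILD diff before building and going back over a package after the fact, can be partly scripted. The following is an added example, not code from the Arch announcement or from the linuxiac article: the package name example-app, both PKGBUILD revisions and the pattern list are constructed for illustration, and the only incident-specific string is the atomic-lockfile package name the article cites. The audit looks only at lines a new revision adds, reports a newly added install= directive (the .install file it names then needs its own read) and any added line matching a short list of npm and download-and-run idioms, and can also be pointed at a single file.

```shell
#!/bin/sh
# Added example, not code from the Arch announcement or the linuxiac article:
# a small offline audit of a PKGBUILD revision for the kind of out-of-place npm
# activity the incident description mentions. The pattern list and the sample
# PKGBUILDs below are constructed for illustration, not indicators from the campaign.

# Shell idioms a PKGBUILD for non-npm software should not gain in an update.
# "atomic-lockfile" is the npm package name the article cites; the rest are
# generic download-and-run or decode-and-run patterns that deserve a look.
SUSPICIOUS_PATTERNS='npm[[:space:]]+(install|i|ci|exec|x)([[:space:]]|$)|npx[[:space:]]|atomic-lockfile|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)'

# count_suspicious FILE: number of lines in FILE matching the patterns (0 if none).
count_suspicious() {
    grep -cE "$SUSPICIOUS_PATTERNS" "$1" || true
}

# show_suspicious FILE: the matching lines with line numbers, for a human reviewer.
show_suspicious() {
    grep -nE "$SUSPICIOUS_PATTERNS" "$1" || true
}

# audit_diff OLD NEW: inspect only the lines the new revision adds. A newly
# added install= directive is reported because the .install file it names then
# needs its own review; any added line matching the patterns is reported as
# suspicious. Returns 0 when nothing was flagged, 1 otherwise.
audit_diff() {
    added=$(diff -u "$1" "$2" | grep -E '^\+[^+]' | sed 's/^+//' || true)
    flagged=0
    hook=$(printf '%s\n' "$added" | grep -E '^[[:space:]]*install=' || true)
    if [ -n "$hook" ]; then
        printf 'REVIEW: %s adds an install hook, read that file as well: %s\n' "$2" "$hook"
        flagged=1
    fi
    hits=$(printf '%s\n' "$added" | grep -E "$SUSPICIOUS_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS: lines added in %s:\n%s\n' "$2" "$hits"
        flagged=1
    fi
    if [ "$flagged" -eq 0 ]; then
        printf 'No suspicious additions in %s\n' "$2"
    fi
    return "$flagged"
}

# Constructed sample input: a minimal PKGBUILD for a hypothetical Rust project
# and a tampered revision that bumps pkgver, adds an install hook and slips an
# npm call into build(), modelled on the behaviour the article describes.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/PKGBUILD.old" <<'EOF'
pkgname=example-app
pkgver=1.0.0
pkgrel=1
source=("https://example.invalid/example-app-$pkgver.tar.gz")
build() {
    cd "$pkgname-$pkgver"
    cargo build --release
}
EOF
cat > "$workdir/PKGBUILD.new" <<'EOF'
pkgname=example-app
pkgver=1.0.1
pkgrel=1
install=example-app.install
source=("https://example.invalid/example-app-$pkgver.tar.gz")
build() {
    cd "$pkgname-$pkgver"
    npm install atomic-lockfile
    cargo build --release
}
EOF

# Stand-alone run: the tampered revision is flagged, the unchanged one would not be.
if audit_diff "$workdir/PKGBUILD.old" "$workdir/PKGBUILD.new"; then
    echo "nothing flagged, still read the full diff before building"
else
    echo "do not build until the flagged lines have been read by a human"
fi
show_suspicious "$workdir/PKGBUILD.new"
```

In practice the two revisions come from the package's AUR git clone (for example `git -C alvr show HEAD~1:PKGBUILD > PKGBUILD.old`), and `pacman -Qm` lists the foreign packages, which on a typical system are the AUR builds to go back over. A clean result means only that none of these idioms appear in the added lines; the script is a filter to focus a human read of the full diff, not a substitute for it.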

The Arch community is still evaluating the full scope of the incident, and the list of affected packages may change. Currently, multiple AUR packages have received malicious commits, contributors are removing them, and users are reminded to review AUR packages before installation.

For additional details, visit Arch’s AUR Report Thread.