{"id":17545,"date":"2026-06-12T10:09:42","date_gmt":"2026-06-12T17:09:42","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17545"},"modified":"2026-06-12T10:09:42","modified_gmt":"2026-06-12T17:09:42","slug":"arch-linux-aur-malware-campaign-hits-multiple-user-contributed-packages","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/06\/12\/arch-linux-aur-malware-campaign-hits-multiple-user-contributed-packages\/","title":{"rendered":"Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages"},"content":{"rendered":"\n

You might want to hold off on AUR updates until this is resolved, and check the pkgbuilds if you decide to update.<\/p>\n\n\n

<\/div><\/div><\/div>\n\n\n

From Stored with zero-access encryptionCampbell Jones<\/bdi><serebit@archlinux.org><\/p>\n\n\n\n

10:42 AMFriday, June 12th, 2026 at 10:42 AM<\/p>\n\n\n\n

To arch-dev-public at lists.archlinux.org<\/bdi><\/p>\n\n\n\n

Friday, June 12th, 2026 at 10:42 AM<\/p>\n\n\n\n

The draft follows:\n\n---\n\nWe are currently experiencing a high volume of malicious package\nadoptions and updates in the Arch User Repository.\nWe are actively working to track down existing malicious commits and\nattempting to prevent additional malicious commits from being pushed.\nWhile this is happening, and while we work to create a more permanent\nsolution, users may see issues with the following:\n\n- Creating new accounts on the AUR\n- Pushing package updates\n- Adopting or creating new packages\n\nWe encourage active users of AUR packages to review *all* PKGBUILD\nchanges when updating, especially during this time.\nIf you notice suspicious commits to a package that you use, please reach\nout to Arch staff via the aur-general mailing list with more information.\n\n---\n\nCampbell<\/pre>\n\n\n
<\/div><\/div><\/div>\n\n\n
https:\/\/linuxiac.com\/arch-linux-aur-malware-campaign-hits-multiple-user-contributed-packages\/<\/a><\/p>\n\n\n\n
Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages<\/h3>\n\n\n\n
Arch contributors are cleaning up a malware incident in the AUR after suspicious updates appeared across several user-maintained packages.<\/p>\n\n\n\n
By Bobby Borisov<\/p>\n\n\n\n
\"Arch<\/figure>\n\n\n\n
Arch Linux\u2019s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation.<\/p>\n\n\n\n
The issue was first reported on the Arch Linux aur-general mailing list, where contributors are tracking affected packages in a dedicated thread. Cleanup efforts are ongoing, with malicious commits being removed and related accounts banned.<\/p>\n\n\n\n
Importantly, this incident affects only the Arch User Repository, not the official Arch Linux package repositories.<\/p>\n\n\n\n
In this case, suspicious changes to AUR packages added npm<\/code> commands unrelated to the original software. Community reports indicate that malicious logic is triggered during installation, frequently involving npm packages such as atomic-lockfile<\/code>.<\/p>\n\n\n\n
One clear example is the alvr<\/code> AUR package, where a suspicious update added npm-related behavior to software that does not typically use npm<\/code>. Other reports emphasize similar changes in additional packages, and Arch contributors are asking users to report further malicious commits in the central thread.<\/p>\n\n\n\n
With that said, Arch users should not update AUR packages without review. Examine PKGBUILD<\/code> diffs, check any new .install<\/code> files, and be cautious if updates introduce npm<\/code> commands or dependencies unrelated to the software.<\/p>\n\n\n\n
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.<\/p>\n\n\n\n
The Arch community is still evaluating the full scope of the incident, and the list of affected packages may change. Currently, multiple AUR packages have received malicious commits, contributors are removing them, and users are reminded to review AUR packages before installation.<\/p>\n\n\n\n
For additional details, visit Arch\u2019s AUR Report Thread<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
You might want to hold off on AUR updates until this is resolved, and check the pkgbuilds if you decide to update. From Stored with zero-access encryptionCampbell Jones<serebit@archlinux.org> 10:42 AMFriday, June 12th, 2026 at 10:42 AM To arch-dev-public at lists.archlinux.org Friday, June 12th, 2026 at 10:42 AM The draft follows: — We are currently experiencing […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17545","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17545"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17545\/revisions"}],"predecessor-version":[{"id":17546,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17545\/revisions\/17546"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}