Arch Linux: Over 1,900 AUR Packages Infected with Malware in Just a Few Days
The Arch User Repository (AUR) has suffered a large-scale attack in recent hours: malicious actors have injected harmful code into the installation scripts of hundreds of packages, with the number of compromised packages exceeding 1,900 in just a few days. The Arch Linux team has initiated containment operations by removing the involved packages and suspending the registration of new accounts on the platform.
For those unfamiliar with how Arch is organised, the AUR is not part of the official Arch Linux repositories. It is a collection of community-maintained build scripts (PKGBUILD files) that let users compile and install software not available through the official channels. The native package manager pacman does not access the AUR directly; users must either build the software by hand or rely on a dedicated AUR helper. Users who stick to the official repositories are therefore not exposed.
How the Attack Works and Who is at Risk
The vector chosen by the attackers is npm: the malicious installation scripts included npm as a dependency and added a compromised npm package to the build process. The harmful code was executed automatically during the npm install command, without the user noticing anything.
Preliminary analyses, detailed in the report published on ioctl.fail, show that the malware aims to collect data from browser profiles. Targeted browsers include those based on Chromium, such as Brave, Vivaldi, Opera, Microsoft Edge, and Google Chrome, as well as applications based on Electron like Microsoft Teams, Discord, and Slack. The malware also attempts to access the credentials of GitHub, npm, and ChatGPT accounts.
As the attack progressed, the malicious scripts became more sophisticated, adopting obfuscation techniques to mask code execution. Among the compromised packages in the latest wave are extensions for Firefox and LibreWolf, various Node.js packages, and plugins for Plasma 5 and Plasma 6.
The risk is especially concrete for users of Arch-based distributions that simplify access to the AUR through graphical installers, such as CachyOS and Manjaro: in these environments, installing an AUR package takes only a few clicks, which lowers users' guard. CachyOS has already made a dedicated script available to scan the system and identify the affected packages.
As an immediate countermeasure, the Arch Linux team has disabled the registration of new AUR accounts to contain the influx of malicious packages. Updates to PKGBUILDs are currently reserved for already registered users. Team member Jonathan Grotelüschen stated on the project mailing list that he believes all known harmful commits have been removed, adding that verification work continues. The team's recommendation remains unchanged: always inspect AUR build scripts manually before running them, and never take the contents of a download for granted.