Active AUR malicious packages incident
-
ArchLinux ☛ Active AUR malicious packages incident
We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.
-
GamingOnLinux ☛ The Arch Linux AUR had over 400 packages compromised with malware
Update - 18:55 UTC - The Arch Linux team put up an official announcement now:
[...]
Looks like the Arch Linux AUR (Arch User Repository) needs some better security and package checks - as some malicious users compromised a lot of packages.
For those who aren't clear on the details - the AUR is a community-driven way of providing extra software for Arch Linux. Anyone can submit a package to it. This is completely separate to the actual Arch Linux packages which were not hit.
There's a thread on the public AUR Mailing List with people reporting packages, where it seems like over 400 packages were hit with the issue. Arch packager Jonathan Grotelüschen mentioned work was ongoing to "reset/delete all malicious commits and ban the accounts".
Two more:
-
Hacker News ☛ Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.
The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate from the official Arch repositories, which were not affected.
If you installed or updated an AUR package on or after June 11, check it against the current affected-package lists before trusting the host. The list of names is large, still growing, and not yet complete.
-
Bleeping Computer ☛ Over 400 Arch Linux packages compromised to push rootkit, infostealer
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.
-
Atomic Arch: Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malware
On June 11, 2026, Sonatype researchers uncovered Atomic Arch, a new campaign targeting orphaned packages in the Arch User Repository in which attackers take over legitimate, abandoned AUR projects and modify PKGBUILDs to install a malicious npm package during installation.
-
Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware
Research firm Sonatype has discovered a malicious campaign targeting Linux systems in an entirely different way. Hackers are exploiting a vulnerability in the open-source ownership transfer process to deliver malware.
The campaign is dubbed “Atomic Arch” as it targets the Arch User Repository (AUR), an online platform where community members maintain installation files for different software packages. When a developer walks away from a project, it becomes an orphaned package.
LWN:
-
Hundreds of AUR packages compromised
Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm package (atomic-lockfile) that can exfiltrate sensitive data. The project is currently working on cleaning up the mess. There is a list of affected packages and a post (possibly NSFW domain) by "sodiboo" with additional information. Arch GNU/Linux users (or users of Arch-based distributions) that use AUR packages may wish to see if they have installed any of the compromised updates.
FOSS Force:
-
Arch Devs Scramble as 400 AUR Packages Infected With Malware
Arch User Repository hit by a large-scale malware campaign, with maintainers racing to roll back malicious commits and lock out bad actors.