Ha! Infosec has been telling us to update out software frequently because it’s safer. My strategy of bone-idleness and updating only once a monþ or two is looking pr-etty smart.
That’s not how that works.
- when you use distribution-provided packages, you trust the distribution maintainers
- when you use the AUR you trust the upstream project and check the PKGBUILD because the maintainer can change
In some cases, upstream also maintains the AUR package, in which case you can probably trust that it’ll not be abandoned
It was a joke.
Welp, you wouldn’t be the first who actually believes what you wrote!
On the internet, nobody knows you’re a dog.
Edit, for clarity: what I meant to say was: little blobs of text are really lacking in communication nuance.
Hahaha I’m old enough to get that one, but I’m sure there are zoomers going “tf they’re talking about dogs now”
Dogs, are not, I am absolutely not a swarm of bees. I wobble around on my two meat sticks just like oþer humans.
I only ever access the AUR in an Arch distrobox… The containerization should protect me right?
Absolutely not

Nope. Distrobox does not offer any meaningful protection, since its purpose is to integrate with the system. It’s basically meant to make downloading and managing packages from different distros, on the same system, much easier… but it’s not meant to protect and isolate your device the same way that Flatpak or other type of containers do. That baing said, stop relying on Distrobox as a safety measure, and check your recently installed and updated packages since 9th June, to make sure you were not infected.
Wow, I have 229 AUR packages installed but none of them is on the infected list!
Am I just lucky?
Check again, it’s around 1500+ packages now.
How do you guys check against that list? Especially when people have so many aur packages. I simply searched the list for each package manually but I only have 5. Do you write scripts?
So far I’ve just checked the diff of every package update. But with that many, I think we should maybe start using using the script provided in the article that you evidently didn’t read.
I just did. Still no match. I guess still have some luck left :)
I have 229 AUR packages installed
Holy shit lol…

i have a few machines and lots of aur packages and none of mine have a single hit either
Same here. Just checked against the new list with 1937 packages and still don’t have a match.
Can’t load the article but I assume Arch’s rolling release way of doing updates makes this quite the disaster.
yay (-Syu)
It makes a big headline and a small impact. It’s not official arch packages that were compromised.
Forenote: image text unrelated, but somewhat relevant.
Me, not updating my system in many months due to a box of various issues:

~7Mbps shared internet, Arch expecting regular updates (and me not setting up the timer stuff to prevent those issues), and most recently before this my 1050Ti becoming legacy and Arch moving the legacy driver onto the AUR (I updated stuff from the AUR even less, so this is a blocker for me).
I probably need a new distro at this point, but not convinced by any. In any case an AMD GPU would also help, but also probably not happening on my terms either.
Eh, depends really. The AUR is not the default place to install software from, it’s all user created and comes with warnings almost anywhere you have access to it. I’ve generally used Octopi to install packages and you have to jump through some hoops to even have it show you packages from the AUR. Generally, running updates for the system, from the Arch flavors I’ve used anyway, by default doesn’t update packages installed from the AUR and you generally update them deliberately and separately. As an example, on my Garuda systems I only have 3 packages installed from AUR and they are so rarely used I forget about them a lot… I’m a bad sysadmin for myself and they don’t get updated nearly as often as the main system packages.
But, do other people use their system differently? Absolutely. They have likely ignored several warnings (or read them and accepted the risks) to get there though.
So, I’m totally fine because I always manually install from the AUR? This is more of a problem for people using those AUR helpers that make a package manager out of it, right?
I don’t think it matters how you installed infected AUR packages.
I wish Arch packages as much in their repos as Debian.
I think there was a word missing.
To respond to what I think you were saying, this event happened in the Arch User Repository, and not the official repositories.
Arch is very clear that they are not responsible for what goes on in the AUR. For example on https://aur.archlinux.org/ :The Debian equivalent would be somewhere between extrepo and PPAs.
I think the comment makes sense, if more packages were supported on the main Arch repos there would be less of a need to use the AUR or Flatpaks.
There are definitely some big gaps on the Arch repos (web browsers in particular) that I would like to see improved.
You’re right, but web browsers can be pretty brutal to build and they are for sure never going to add -bin versions.
I don’t understand this argument. Isn’t it better to build once and distribute binaries than to make everyone compile it themselves? The vast majority of AUR packages I use are -bin versions.
You don’t get to see the code that way, which is where bad actors thrive. Also it wasn’t compiled for exactly your system.
Yep an easy agree. Popular browsers like Zen, Helium and (god forbid) Brave should be directly in the official repos. So should be Jellyfin. It just makes sense given that debian repos have far more packages.
maybe i went offtopic but i was comparing the AUR To Debian’s repos, i see that Debian has more packages in its repos(things like Llama-CPP and Open arena is in debian but arch needs the AUR)
thats what i meant
Tons of clawing at each other’s throats in the comments here, largely declaring one another retarded for their use or misuse of AUR or thanking their lucky stars that none of their packages are on the list (so far), but not much that’s helpful for those less fortunate. Maybe nobody’s saying anything to that end because the article already covered it, but this is the second out of two times I’ve visited cybersecuritynews.com and been stuck in an “Are you a bot?” loop that never ends no matter how much of my browser’s safeguards I peel off.
Here’s what steps I did so far, based on following the links I found in this thread (especially the GitHub comments under one of the links):
-
pacman -Qmin console yielded a list of all the AUR packages that are installed on the system -
CTRL+F the results one-by-one in the apparent most up-to-date list: https://md.archlinux.org/s/SxbqukK6IA
-
I have one on that list, specifically
wine-nine, so I ranbat --style header,snip,changes /var/log/pacman.log | grep wine-ninewhich yielded the following (at the bottom of a very long list of apparent updates I’ve run since installing the OS):
[2026-06-05T20:37:06-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-07T21:50:58-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-08T20:56:54-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-09T21:38:44-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-10T21:58:52-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1[2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1(Like a good little Arch user I’ve been updating pretty frequently)
- Now what?
I saw something that said “check for suspicious processes running as root” but I have no idea what that would look like.
I saw something that said I need to redo all of my passwords and tokens. Any way to check if that’s necessary or should I just assume I’ve been pwn3d?
In using
pacseekI think I’ve discoveredwine-ninehasn’t been modified in the AUR since “2024-12-07 - 15:18:31 (UTC)” so can I relax a bit? I’m currently going through my list of AUR packages and deciding whether or not I need them as badly as I originally thought. Sadly my distro is one of those that decided to lean on AUR, because most of my list (apart from two) I don’t recognize as something I’ve installed myself.
pacseekwould not let me remove the following AUR packages (which thankfully are not in the list (yet))::: removing electron41-bin breaks dependency 'electron41' required by deltachat-desktop- an encrypted chat application I installed (not via AUR) I suppose I could find an alternative for:: removing electron41-bin breaks dependency 'electron41' required by freetube- a YouTube frontend I installed (not via AUR) I suppose I could find an alternative for:: removing libsoup breaks dependency 'libsoup' required by webkit2gtk- no idea whatwebkit2gtkis
I only just now realized that chaotic-aur is probably just as problematic as AUR, both in my decision to use packages at all as well as my searching the list of compromise packages, yes? I have tons more packages under that, most of which I think came with the OS.
Chaotic is not just as problematic, thankfully. They have systems in place to flag suspicious changes for human review before letting them out and it has, so far, prevented them from shipping any compromised updates.
I thankfully hadn’t updated anything from the AUR for a couple of months (it doesn’t happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn’t need any of them… So I now have zero AUR packages on either of my systems.
Ironic, given the name.
I’m very new to Arch so I’m still confused as to where I stand. Hopefully I haven’t been pwned. Sadly, my distro includes AUR packages by default.
My distro (Garuda) included a couple back when I originally installed it, but doesn’t use them currently (namely wine-nine - which was affected) but the built-in system update didn’t touch AUR unless you explicitly tell it to, so that saved my bacon in this situation (my AUR packages hadn’t been updated in 2 months).
How do I check to see if that’s the case for me too?
As I showed above, I also had wine-nine, but I can’t tell if that log is listing all the times wine-nine was updated or all the times I updated with wine-nine installed.
I’m leaning toward the latter given it was just listing
wine-nine 0.10-1repeatedly, implying it never updated past that in the dangerous period, right?
-
Not even having npm installed as a system package feels like a personal win right now. I’d like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it’s been the source of most of the recent CVEs I’m hearing about.
Pnpm for the win
I develop inside docker for this reason too
1500+ now
Another win for Windows
What was there other win?
Windows 98 Second Edition
Win32 and win64 I think
Expecting user to inspect install scripts is retarded. And this is the result.
Are you aware how github works, or open source development in general ?
Some users ate developers, too.
Some people write code, others may try it out, and a few of the latter might help with developing it. And some of these efforts become popular.
That’s how we have Linux or KDE.
It is all based on open sharing.
And of course you can opt to not run code that you don’t know, or don’t understand , or don’t trust.
Then dont use arch and the aur easy as that
So what would the alternative be? If the resources or desire don’t exist to make a package official, how else would you install it?
You’re missing the point entirely. I’m talking about inspecting the scripts not about making packages
Sorry if I was unclear. You usually don’t inspect the install scripts for official packages since you put the trust in the official team. You don’t trust(or at least shouldn’t) AUR packages, hence you should inspect the install script for those packages. I don’t really see what the alternative would be.
Well, the alternative would be for moderation team to inspect them, with clear signaling of which scripts are trusted and which aren’t.
But this is exactly what the top comment of Cease talks about: There is no moderation team. You seem to think that it is the job of the maintainers of the Arch Linux distribution is to vet and review the AUR packages. But they take care for the - much more widely used - Arch distro packages and are busy with this. They have enough to do. And the AUR packages are not part of the Arch distro.
The AUR is basically a server where users can store their own packages so that othery can use it. As its name says: Arch User Repository.
There is no moderation team.
And that’s why it’s fundamentally shit idea on so many levels. Instead of having one person to inspect let’s make every single user expert or not to inspect every package each individually. This is fucking retardation at its finest.
But who would do that? Do you have security expertise and are volunteering to do that?
ahahaha such a shit take
The option is to not have it
There IS one person that inspect the code for everyone, that’s the package maintainer. But it’s a random voluntary contribution from some random person who you should not blindly trust. That’s the point of the AUR, one person makes it significantly easier to install for everyone. The point is to be better than installing directly from somewhere like GitHub. For actual good moderation there are officials repos
if you dufus can’t read a pkgbuild DON’T USE THE AUR might also keep the shell closed
Sounds like something a fedora user would say.
Is this the first time AUR has been compromised to this degree?
Given how changes are often unvetted, I am surprised this hasn’t occurred before.
A lot of the AUR is just build scripts for GitHub repos …
Or dropbox
Is this the first time AUR has been compromised to this degree?
I do believe so, yes. There was couple of cases in last year, but never to this extend. If I understand correctly, reading arch thread, it something to do with the fact that anyone can “adopt” orphaned package on AUR. Which is kinda wild.
anyone can “adopt” orphaned package on AU
Þis is þe important point. I vet my AUR installs by checking upstream, but I don’t vet every package for every upgrade. Or, even, most. AUR could have a little more oversight wiþ relatevely little impact. E.g. a cursory initial check and þen an AUR rule preventing anyone from changing þe source repos on an existing package would make a huge difference. AUR is a centralized package list; a simple diff on
sourcepreventing inclusion in þe pkglist, and flagging þe package for review, say. Not foolproof, but it’d prevent þe most trivial exploits.Frankly, whatever problems GPG may have, AUR is a perfect use case for þe web of trust. Having maintainers have to sign packages would make exploits even harder. Not fookproof, but harder þan “effortless.”
it looks like youre infected…EVERYBODY STAND BACK
You may or may not have commented something useful. I don’t know. Your retarded spelling right off the bat makes the whole thing moot.
I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don’t have too many issues from this!
flatpaks arn’t any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.
Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.
Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.
I agree that Flatpak’s utilization of sandboxing is weaker in practice than is marketed. I get that many apps ship with home/host filesystem access instead of granular permissions, but it does provide meaningful isolation when used correctly.
I haven’t heard about all of these flatpak malware incidents.
The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.
I was starting to get too confident in AUR. Thankfully I wasn’t affected. Just replaced all possible AUR packages to their respective Arch and Flatpak alternatives, with exception of very few or from the ones I had no option. But will definitely check before updating them, and will only install AUR packages as a last resort.
Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.
Thats like nix packager, right? Looks interesting to layer on top. Says they are all reproducible builds which is nice.
Yes, Guix is initially a clone of Nix and has still remains of shared code (the build daemon).
Differences:
- Guix packages are defined in a Scheme dialect called Guile, a nice minimal functional language
- Guix was created as a GNU project and stresses the importance of free software with strong copyleft
- everything is built from source
- very good and well organized documentation

















