Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages
https://linuxiac.com/arch-linux-aur-malware-campaign-hits-multiple-user-contributed-packages/
Publish Date: 2026-06-11 17:32:00
Source Domain: linuxiac.com
Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation.
The issue was first reported on the Arch Linux aur-general mailing list, where contributors are tracking affected packages in a dedicated thread. Cleanup efforts are ongoing, with malicious commits being removed and related accounts banned.
Importantly, this incident affects only the Arch User Repository, not the official Arch Linux package repositories.
In this case, suspicious changes to AUR packages added npm commands unrelated to the original software. Community reports indicate that malicious logic is triggered during installation, frequently involving npm packages such as atomic-lockfile.
One clear example is the alvr AUR package, where a suspicious update added npm-related behavior to software that does not typically use npm. Other reports describe similar changes in additional packages, and Arch contributors are asking users to report further malicious commits in the central thread.
With that said, Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review the package history, examine any suspicious install scripts that were executed, and treat any unexpected npm-based installation behavior as a possible compromise.
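The review described above can be partly scripted. The following is an added example, not part of the original article or of any Arch tooling: a POSIX shell function that lists the lines in a PKGBUILD and its .install files that invoke npm, npx, pnpm or yarn. The sample package written by make_sample, and the names example-pkg and placeholder-pkg, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Arch tooling): list lines in PKGBUILD and *.install files
# that call an npm-style package manager. A hit means "read before building".

# Commands that fetch and run registry code; dependency arrays are not matched.
NPM_RE='(^|[^[:alnum:]_./-])((npm|pnpm|yarn)[[:space:]]+(install|i|ci|add|exec|dlx|run)([[:space:]]|$)|npx[[:space:]]+[^[:space:]])'

# scan_aur_dir DIR: prints file:line:text per hit; returns 0 if any hit, else 1.
scan_aur_dir() {
    dir=$1
    found=1
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        # Drop comment-only lines so commented-out commands are not reported.
        out=$(grep -nE "$NPM_RE" "$f" | grep -vE '^[0-9]+:[[:space:]]*#') || continue
        printf '%s\n' "$out" | awk -v name="${f##*/}" '{ print name ":" $0 }'
        found=0
    done
    return "$found"
}

# make_sample DIR: writes a constructed package (hypothetical names) for a demo.
make_sample() {
    mkdir -p "$1"
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
makedepends=(cargo)
install=example-pkg.install
build() {
  cargo build --release
}
EOF
    cat > "$1/example-pkg.install" <<'EOF'
post_install() {
  # npm install commented-out
  npm install placeholder-pkg >/dev/null 2>&1
}
EOF
}

# Stand-alone use: pass the directory of a cloned AUR package as the argument.
if [ "$#" -gt 0 ]; then scan_aur_dir "$1"; fi
```

A hit is a prompt to read that line in context, and an empty result does not replace reading the full diff, since a payload can be fetched by other means.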
The Arch community is still evaluating the full scope of the incident, and the list of affected packages may change. Currently, multiple AUR packages have received malicious commits, contributors are removing them, and users are reminded to review AUR packages before installation.
For additional details, visit Arch’s AUR Report Thread.