Arch Linux Locks Down AUR Signups Amid Wave of Malicious Commits
The community-run repository is cleaning up more than 1,500 suspected compromised packages after malicious adoptions and updates, the team said.
- On Monday, the Arch Linux team disabled new account registration within the Arch User Repository to facilitate cleanup following a campaign of malicious package adoptions and updates.
- Attackers seized control of more than 1,500 packages by adopting "orphaned" projects, inheriting the trust built by previous maintainers; security firm Sonatype dubbed the campaign "Atomic Arch."
- Edited scripts pulled in a malicious npm package that harvested browser cookies, session tokens, and credentials for GitHub, Slack, and Discord, then shipped the data over Tor.
- Arch maintainers are currently banning malicious accounts and resetting commits while the team works on cleanup; users are advised to read build scripts before installation.
- With roughly 13,000 orphaned packages remaining in the AUR, the attack surface remains enormous, highlighting structural risks in a community model that previously faced denial-of-service attacks and compromised packages containing a Remote Access Trojan.
11 Articles
Arch Linux AUR hit by malware targeting developer secrets
One of the largest open-source package repositories just spent a weekend cleaning up after a malware campaign that did not break into anything. It did not need to. Attackers seized control of more than 1,500 packages in the Arch User Repository, or AUR, the community-run software collection that sits alongside Arch Linux’s official repositories, and […] This story continues at The Next Web
Arch Linux locks down AUR signups amid wave of malicious commits
A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning while it cleans up the mess. The issue was first acknowledged on June 12, with a post stating: "We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository." The team warned that users might have issues opening new accounts, pushing package…
More than 1,900 user-provided packages in the Arch User Repository (AUR) of the open-source Arch Linux distribution have been infected with malware
Arch Linux's AUR is dealing with a malware incident involving user-provided packages that contain malicious commits attempting to download npm-based payloads during installation. It is important to note that this incident does not affect the ability of users…
Coverage Details
Bias Distribution
- 50% of the sources lean Left, 50% of the sources are Center