Arch Linux has disabled new account registrations on the Arch User Repository (AUR) as they work to contain a malware campaign that swept through the community package repository last week.
The AUR is where Arch users look for software that has not made it into the official repositories yet. It is community-run and unsupported, meaning packages are user-submitted with no safety guarantee from the Arch team.
Over 1,500 packages were hit in the first wave alone, and two more waves followed shortly after developers thought they had it cleaned up.
What happened?
On June 11, Arch developer Jonathan Grotelüschen opened a dedicated thread on aur-general asking the community to report compromised packages. A formal news post from Campbell Jones followed the next day, acknowledging "a high volume of malicious package adoptions and updates" in the AUR.
Community member a821 traced the initial packages to a malicious npm package called js-digest, which was embedded in post-install scripts. Shortly after, koraynilay ran a broader search against GitHub's AUR mirror using js-digest as the marker and found over 850 affected packages, noting the count was already dropping as developers removed them.
By the end of the day, Jonathan posted that they had deleted all known malicious commits, linking to a document that listed over 1,500 packages.
That was not the end of it. On June 13, a821 flagged a new batch using a different technique. This time, the word "bun" was split across string literals as 'b''u''n' to slip past detection.
Around 50 packages were caught in this wave, spanning browser packages, a cluster of nodejs-* entries, plasma6-applets-fancytasks, a NeoVim plugin, and LibreWolf extensions.
A day later, Nicolas Boichat spotted another batch, this one more heavily obfuscated. He caught it using a locally run Gemma E2B model, with htbrowser-bin among the packages he flagged.
What can you do?
Fast-forward to now: Leonidas Spyropoulos of the Arch Linux team announced on June 15 that new AUR account registrations had been disabled while the team cleans up the AUR.
Another thing to keep in mind is that the core Arch Linux repositories remain unaffected, with the malicious commits limited to the AUR.
If you suspect malicious packages might have made it onto your system, or you just want to be cautious, the Arch team suggests reviewing every PKGBUILD and install script change before updating, particularly right now.
And if anything suspicious does show up, they encourage users to flag it via the aur-general mailing list by replying to the AUR REPORT THREAD mentioned above.
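As an added example (not code from the Arch team, the news post, or any AUR tooling), the script below shows the two defensive checks the story implies: it undoes the shell string-literal splitting used in the second wave ('b''u''n' reads as bun once bash concatenates the pieces) before matching indicators, and it scans only the lines an update adds to a PKGBUILD or install script, which is the review the Arch team asks users to do before building. The indicator words js-digest and bun are the two markers named above; the sample PKGBUILD text, the function names and the hypothetical package example-bin are constructed for this example.

```python
"""Added example: indicator scan for PKGBUILD / .install text that first
normalizes shell quoting, then reviews only the lines an update adds.
Indicators are the two markers named in the article; all sample text is
constructed (hypothetical package example-bin)."""
import difflib
import re

# Markers named in the article; extend with your own review indicators.
INDICATORS = ("js-digest", "bun")


def normalize_shell_literals(text: str) -> str:
    """Collapse shell quoting so adjacent literals read as one word.

    bash concatenates adjacent quoted strings, so 'b''u''n' and "b"'u'n
    are both the word bun at runtime. Unescaped quote characters are
    dropped; whitespace stays, so 'b' 'u' 'n' remains three words.
    Heuristic only: $VAR, $(...) and brace expansion are not evaluated.
    """
    out, state, i = [], None, 0  # state: None, "'" or '"'
    while i < len(text):
        ch = text[i]
        if state is None:
            if ch in ("'", '"'):
                state = ch
            elif ch == "\\" and i + 1 < len(text):
                out.append(text[i + 1])  # keep the escaped character
                i += 1
            else:
                out.append(ch)
        elif state == "'":
            if ch == "'":
                state = None  # backslash is literal inside single quotes
            else:
                out.append(ch)
        else:  # inside double quotes
            if ch == '"':
                state = None
            elif ch == "\\" and i + 1 < len(text) and text[i + 1] in '"\\$`':
                out.append(text[i + 1])
                i += 1
            else:
                out.append(ch)
        i += 1
    return "".join(out)


def scan_lines(lines, indicators=INDICATORS):
    """Return (line_number, indicator, normalized_line) for every hit.

    Each line is normalized first, so a split literal cannot hide a word.
    Indicators match as whole words, so "bundle" does not trigger "bun".
    """
    hits = []
    for no, raw in enumerate(lines, 1):
        norm = normalize_shell_literals(raw)
        for ind in indicators:
            if re.search(r"(?<![\w-])" + re.escape(ind) + r"(?![\w-])", norm):
                hits.append((no, ind, norm.strip()))
    return hits


def scan_update(old_text, new_text, indicators=INDICATORS):
    """Scan only the lines an update adds: what a reviewer must read.

    Returns (line_number_in_new_text, indicator, normalized_line) tuples.
    """
    new_lines = new_text.splitlines()
    matcher = difflib.SequenceMatcher(None, old_text.splitlines(), new_lines)
    hits = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag not in ("insert", "replace"):
            continue
        for j in range(j1, j2):
            for _n, ind, norm in scan_lines([new_lines[j]], indicators):
                hits.append((j + 1, ind, norm))
    return hits


# Constructed sample: a benign PKGBUILD and an "updated" copy that adds a
# post-install hook using the split-literal trick described in the article.
OLD_PKGBUILD = """\
pkgname=example-bin
pkgver=1.0.0
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}
"""

NEW_PKGBUILD = OLD_PKGBUILD + """\
post_install() {
  'b''u''n' install js-digest
}
"""

if __name__ == "__main__":
    for no, ind, line in scan_update(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f"line {no}: indicator {ind!r} in added line: {line}")
```

A plain grep for `bun` over the raw NEW_PKGBUILD text finds nothing, which is exactly why the second wave slipped past the first cleanup; normalizing the quoting first is the cheap fix. Scanning only added lines keeps the review focused on what changed since the version you last built, which is the habit the Arch team is asking for.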