I only ever access the AUR in an Arch distrobox… The containerization should protect me right?
Wow, I have 229 AUR packages installed but none of them is on the infected list!
Am I just lucky?
I have 229 AUR packages installed
Holy shit lol…
So, I’m totally fine because I always manually install from the AUR? This is more of a problem for people using those AUR helpers that make a package manager out of it, right?
I don’t think it matters how you installed infected AUR packages.
I think a lot of people are confusing what the AUR actually IS. It is NOT the official package repository used by Archlinux - it’s more like a bunch of community install scripts for stuff that isn’t officially supported yet - for popularity or other reasons.
So for all those people complaining and saying “debian does it better” it’s very likely that you would not even HAVE a package to install and would have to come up with a build script on your own - the AUR allows you to skip this and instead just verify that the script itself isn’t malicious, which is usually fairly obvious.
A lot of people here seem to be under the impression that all of this effort should be abstracted for them - but that’s what you chose when you left windows - a system that you control intimately with a necessitation to actually do some upkeep yourself because a giant company isn’t doing it for you.
In other words. RTFM and stop expecting other people fix all your problems for you, because that’s exactly how windows got to how it currently is.
A lot of people here seem to be under the impression that all of this effort should be abstracted for them
Wouldn’t this just make it harder to detect?
Not even having npm installed as a system package feels like a personal win right now. I’d like to think I would have caught this due to the number of dependencies it would introduce to my system. node_modules seems like it’s been the source of most of the recent CVEs I’m hearing about.
Pnpm for the win
I develop inside docker for this reason too
Expecting user to inspect install scripts is retarded. And this is the result.
So what would the alternative be? If the resources or desire don’t exist to make a package official, how else would you install it?
You’re missing the point entirely. I’m talking about inspecting the scripts not about making packages
Sorry if I was unclear. You usually don’t inspect the install scripts for official packages since you put the trust in the official team. You don’t trust(or at least shouldn’t) AUR packages, hence you should inspect the install script for those packages. I don’t really see what the alternative would be.
Well, the alternative would be for moderation team to inspect them, with clear signaling of which scripts are trusted and which aren’t.
But this is exactly what the top comment of Cease talks about: There is no moderation team. You seem to think that it is the job of the maintainers of the Arch Linux distribution is to vet and review the AUR packages. But they take care for the - much more widely used - Arch distro packages and are busy with this. They have enough to do. And the AUR packages are not part of the Arch distro.
The AUR is basically a server where users can store their own packages so that others can use it. As its name says: Arch User Repository.
There is no moderation team.
And that’s why it’s fundamentally shit idea on so many levels. Instead of having one person to inspect let’s make every single user expert or not to inspect every package each individually. This is fucking retardation at its finest.
The option is to not have it
But who would do that? Do you have security expertise and are volunteering to do that?
Been saying for years that people need to stop treating the AUR like a repo, when it’s more akin to
curl installscript.sh | bash.But it is a repo. It’s just an unofficial one. I don’t know how you use it without understanding this. It’s not far from perfect, but it is useful.
the problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. and the user will unavoidably “trust” it (especially when it’s listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.
So, better to use a safe language, and use
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh- right??
(I copied that from https://rust-lang.org/tools/install/ just a second ago…)
Some packages pull files from personal dropbox…
Another win for Windows
What was there other win?
I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.
I’m hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.
I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it’s safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that’s at least a positive.
The article has instructions to do exactly that.
Users who regularly install AUR packages should take the following steps immediately:
Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages
Audit recent PKGBUILD history for any packages installed between June 10–12, 2026
Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed
Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit
Consider using AUR helpers with PKGBUILD review prompts enabled by default.
Well, nothing to do but start at the first one and work our way down…
Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package… Plus it’s 400 package so that’s a lot of things to check and plenty of space to miss one package by manually checking.
But I get it I’m lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are “infected”.
It’s at the bottom of the doc:
echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..." echo found=() for pkg in "${INFECTED_PKGS[@]}"; do if pacman -Qi "$pkg" &>/dev/null; then found+=("$pkg") fi done if [[ ${#found[@]} -eq 0 ]]; then echo "Clean: none of the known infected packages are installed." else echo "WARNING: ${#found[@]} infected package(s) found:" for pkg in "${found[@]}"; do echo " - $pkg" done fiNot sure why it uses -Qi instead of -Qm since there’s no point in scanning pacman packages, but I’m no expert
It took Arch ~19 years just to get
archinstall.Something tells me there won’t be a script.
The link is a script
Arch had curses based installator for a long time, it became unmaintained.
A lot of those 19 years were times where only nerds used arch.
You could probably find it on aur lmao
CachyOS community seems to have a detection script, I have not vetted this run at your own discretion.
https://discuss.cachyos.org/t/aur-compromised-400-packages-affected-20260611/31040
Here’s a script:
https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
how many aur packages do you have? Most people i know have like AT MOST 20 or so packages from the aur. Which takes less then 2 mins to manually check against the list.
I have much more than 20 packages in aur, most of them are dependencies from steam-native-runtime. Since steam is popular, I can understand that many have more than 20 packages.
Now when I was reading the ArchWiki I saw that it is mentioned as an alternative, so I assume I can remove steam-native-runtime and all dependencies. Perhaps the instructions have been updated or I googled for instructions and found another page. But there could be other popular packages with many dependencies.
I’m not home for a few days so I can’t check yet.
But I think I have something like 3/4 packages at the most.
But I need to compare that to a 400+ list I’m not sure I agree with you it’s that easy to do rigorously.
Not sure I understand - if you only have 3-4 packages you can just search for them specifically in the long list?
Even if you have 50 or 100s of packages, bash makes it pretty doable
comm -12 <(sort -u file1.txt) <(sort -u file2.txt) > common.txtShould spit out only the packages appearing in both lists (done by memory so may not be 100%)
Do you have anything that will wipe their butt too?
I haven’t used kate but does it not have some sort of easy search?
ex. pacman -Qm to list AUR packages; should display the 3/4 pkgs you have installed. Then just search in kate for those 3/4 results?
Alternatively cat & grep in the terminal is pretty straight forward.
That is if it’s 3/4 pkgs that are from AUR, but if someone has hundreds installed that is a bigger issue on its own.
Damn how long is the list when you
pacman -QmAm I missing something ?
Just because I have 3/4 package on my system doesn’t mean the 400+ list of affected package gets shorter on the other side…
I’m actually pretty cautious with AUR and I only install them when there is no other options.
Especially for a small list, 3-4, that you actually need to check, what’s the actual issue? Open list of 400, ctrl+f for the few names you care about, move on.
I was just curious because I didnt think it was so tediuous to check against an alphabetical list on a website using ctrl+f. But thats just me. It took me less than a minute to check my 8 aur packages against the list
Holy shit it’s like all of Python.
Yeah, Python has been a massive vulnerability for a long while. And the AUR has similar issues. This is only getting widespread coverage now. But it’s always been a risk.
Yes, we need a kind of Debian for Python.
Part of the solution could be the Guix package manager. Part could be the commercial offerings, like Anaconda.
Well, those are mostly extension libraries, stuff “normally” installed using pip. Arch is kind of unique that they encourage using system aur over pip, npm and other package managers. While it is a big radius, none of the python packages stick out to me, but maybe I just haven’t encountered the popular ones.
It isn’t really all that unique? Debian does it, el does it, probably almost any popular distro?
I suppose it’s become more common since PEP 668 was introduced, less unique these days.
The attackers specifically targeted orphaned projects on AUR so it’s no wonder most of those aren’t familiar to us.
Welp if nothing else at least this has helped me to replace jack1 with jack2 (out of my 4 total Aur packages)
I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don’t have too many issues from this!
flatpaks arn’t any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.
Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.
Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.
I haven’t heard about all of these flatpak malware incidents.
The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.
Is this the first time AUR has been compromised to this degree?
Given how changes are often unvetted, I am surprised this hasn’t occurred before.
Is this the first time AUR has been compromised to this degree?
I do believe so, yes. There was couple of cases in last year, but never to this extend. If I understand correctly, reading arch thread, it something to do with the fact that anyone can “adopt” orphaned package on AUR. Which is kinda wild.
anyone can “adopt” orphaned package on AU
Þis is þe important point. I vet my AUR installs by checking upstream, but I don’t vet every package for every upgrade. Or, even, most. AUR could have a little more oversight wiþ relatevely little impact. E.g. a cursory initial check and þen an AUR rule preventing anyone from changing þe source repos on an existing package would make a huge difference. AUR is a centralized package list; a simple diff on
sourcepreventing inclusion in þe pkglist, and flagging þe package for review, say. Not foolproof, but it’d prevent þe most trivial exploits.Frankly, whatever problems GPG may have, AUR is a perfect use case for þe web of trust. Having maintainers have to sign packages would make exploits even harder. Not fookproof, but harder þan “effortless.”
You may or may not have commented something useful. I don’t know. Your retarded spelling right off the bat makes the whole thing moot.
A lot of the AUR is just build scripts for GitHub repos …
Or dropbox
Ha! Infosec has been telling us to update out software frequently because it’s safer. My strategy of bone-idleness and updating only once a monþ or two is looking pr-etty smart.
I wish Arch packages as much in their repos as Debian.
I think there was a word missing.
To respond to what I think you were saying, this event happened in the Arch User Repository, and not the official repositories.
Arch is very clear that they are not responsible for what goes on in the AUR. For example on https://aur.archlinux.org/ :The Debian equivalent would be somewhere between extrepo and PPAs.
I think the comment makes sense, if more packages were supported on the main Arch repos there would be less of a need to use the AUR or Flatpaks.
There are definitely some big gaps on the Arch repos (web browsers in particular) that I would like to see improved.
Yep an easy agree. Popular browsers like Zen, Helium and (god forbid) Brave should be directly in the official repos. So should be Jellyfin. It just makes sense given that debian repos have far more packages.
You’re right, but web browsers can be pretty brutal to build and they are for sure never going to add -bin versions.
I don’t understand this argument. Isn’t it better to build once and distribute binaries than to make everyone compile it themselves? The vast majority of AUR packages I use are -bin versions.
You don’t get to see the code that way, which is where bad actors thrive. Also it wasn’t compiled for exactly your system.
maybe i went offtopic but i was comparing the AUR To Debian’s repos, i see that Debian has more packages in its repos(things like Llama-CPP and Open arena is in debian but arch needs the AUR)
thats what i meant
