Security
Arch Linux AUR supply-chain attack hits more than 1,500 packages
- Category: Security
- Status: confirmed
- Sources: Arch Linux news, Phoronix, PrivacyGuides, HN discussion
- Summary: Attackers hijacked orphaned packages in the Arch User Repository (AUR) by claiming them through the standard adoption process, then modified each package's
PKGBUILDbuild script to silently fetch and install malicious npm packages (reported asatomic-lockfileandjs-digest) during installation, delivering a Linux infostealer with credential-harvesting, anti-debugging, and data-exfiltration functionality plus an optional eBPF rootkit. The affected count grew from more than 400 packages on 2026-06-11 to more than 1,500 by 2026-06-12. Arch published an official incident notice on 2026-06-12 stating it was actively tracking down malicious commits, with AUR account creation, package updates, and package adoption disrupted during cleanup; by the end of 2026-06-12 maintainers believed they had removed all known malicious commits and consider the incident under control. The official Arch binary repositories are unaffected. - Why it matters: The AUR adopt-orphaned-package model let one actor push credential-stealing build scripts into a large share of community packages, and any AUR helper that runs
PKGBUILDscripts without review during this window could have executed the payload on developer machines. - Follow-up: Watch for confirmed credential theft in the wild, AUR adoption-policy changes, and the final affected-package count.