• Category: Security
  • Status: confirmed
  • Sources: Arch Linux news, Phoronix, HN discussion
  • Summary: The Arch User Repository supply-chain attack, in which attackers adopted orphaned packages and modified each PKGBUILD to fetch malicious npm packages (reported as atomic-lockfile and js-digest) delivering a Linux infostealer plus an optional eBPF rootkit, grew to more than 1,500 affected packages by 2026-06-12 from more than 400 the prior day. Arch published an official incident notice and, by the end of 2026-06-12, maintainers believed all known malicious commits were removed and consider the incident under control; AUR account creation, package updates, and adoption were disrupted during cleanup. The official Arch binary repositories are unaffected.
  • Why it matters: The adopt-orphaned-package model let one actor push credential-stealing build scripts into a large share of community packages, so any AUR helper that ran PKGBUILD scripts without review during the window could have executed the payload.
  • Follow-up: Watch for confirmed credential theft in the wild, AUR adoption-policy changes, and the final affected-package count.

Send feedback on this story