Top stories
Arch Linux AUR hit by a second, more sophisticated malware wave
- Category: Security
- Status: developing
- Sources: Arch Linux incident notice, Phoronix, HN discussion
- Summary: One day after Arch maintainers considered the "Atomic Arch" AUR supply-chain incident (more than 1,500 packages affected) under control, a second wave of malicious AUR packages surfaced on 2026-06-13 to 2026-06-14, reported by an AUR developer (handle a821). This wave uses code obfuscation to conceal intent rather than the earlier plain
PKGBUILDcalls to fetch theatomic-lockfileandjs-digestnpm payloads, and spans Node.js packages, a Plasma 6 applets package, Firefox-related packages, the Aura browser, LibreWolf extensions, and a Neovim plugin. Maintainers are again removing malicious content and banning the involved accounts; official Arch binary repositories remain unaffected. - Why it matters: The follow-on wave shows the adopt-orphaned-package vector is still open and now harder to detect, so any AUR helper that runs
PKGBUILDscripts without review during the window can still execute credential-stealing code. - Follow-up: Watch for a final affected-package count for the second wave, AUR adoption-policy changes, and confirmed credential theft in the wild.