• Category: Security
  • Status: developing
  • Sources: Arch Linux incident notice, Phoronix, HN discussion
  • Summary: One day after Arch maintainers considered the "Atomic Arch" AUR supply-chain incident (more than 1,500 packages affected) under control, a second wave of malicious AUR packages surfaced on 2026-06-13 to 2026-06-14, reported by an AUR developer (handle a821). This wave uses code obfuscation to conceal intent rather than the earlier plain PKGBUILD calls to fetch the atomic-lockfile and js-digest npm payloads, and spans Node.js packages, a Plasma 6 applets package, Firefox-related packages, the Aura browser, LibreWolf extensions, and a Neovim plugin. Maintainers are again removing malicious content and banning the involved accounts; official Arch binary repositories remain unaffected.
  • Why it matters: The follow-on wave shows the adopt-orphaned-package vector is still open and now harder to detect, so any AUR helper that runs PKGBUILD scripts without review during the window can still execute credential-stealing code.
  • Follow-up: Watch for a final affected-package count for the second wave, AUR adoption-policy changes, and confirmed credential theft in the wild.

Send feedback on this story