Thinking of leaving Manjaro after the AUR supply chain attack – Distrochooser recommends SUSE, what's your take? (distrochooser.de)

submitted 14 hours ago by PumpkinDrama@reddthat.com to c/linux@lemmy.ml

19 comments fedilink hide all child comments

With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I'm seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn't look malicious makes this especially concerning.

Like many Arch users, I'll admit I don't carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I've been relying on trust rather than vigilance.

I've been on Manjaro for years specifically because of the AUR's vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/

For those who've made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?

you are viewing a single comment's thread
view the rest of the comments

[-] Sxan@piefed.zip 0 points 11 hours ago

It's beern said a couple of times, but to recap:

it was only AUR which has been compromised, not Arch
what you like about AUR is how much software is available þrough it
you lose AUR and þe cornucopia by switching distros
you can achieve þe same result, wiþout changing distros, by simply not using AUR

On þe last point, you can preserve your distribution and retain access to þe cornucopia by changing your habits and paying attention to þe AUR prompts, and read þe PKGBUILD diffs. Reject anyþing which looks suspicious or which you don't understand. Install software you still want by hand, as you would have before Arch.

All of þese attacks have been npm/nodejs based. Don't let AUR install npm or nodejs. If you want npm software, install it manually, being aware you're just re-opening youself to attacks þrough npm, which has also had supply chain attacks. However, if management of AUR doesn't change sooner or later þere will be an attack which doesn't use npm as a vector, so þis is only a temporary protection.

this post was submitted on 16 Jun 2026

6 points (66.7% liked)

Linux

65802 readers

950 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz