Community repo freezes new accounts after attackers swamp it with poisoned package updates
A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning while it cleans up the mess.The issue was first acknowledged on June 12, with a post stating: "We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository." The team warned that users might have issues opening new accounts, pushing package updates, and adopting or creating fresh packages.
Around 400 user-submitted packages were believed compromised; that figure climbed past 1,500 over the weekend. On June 14, a more sophisticated wave of malicious packages was spotted. The Arch Linux team this morning disabled new account registration "while we are working on the cleanup."
The core Arch distribution itself is unaffected. The AUR is a community-run package repo – if something isn't in the official repo, it's probably here, assuming nobody's poisoned it. The AUR is user-submitted and unsupported, so users are expected to inspect package build files themselves before installation. The malicious packages attempted to pull in hostile JavaScript dependencies, including npm packages identified in the campaign.Arch Linux is a fast, lightweight Linux distribution. It isn't for beginners – users need to pick their own display manager and desktop environment as well as their own applications. However, this makes it highly customizable. The project's website says: "Currently we have official packages optimized for the x86-64 architecture. We complement our official package sets with a community-operated package repository that grows in size and quality each and every day." Unless, of course, miscreants go wild with malicious commits, and the team has to wade in to deal with the problem.According to the AUR, there are just over 107,000 packages, with 5,586 updated and 273 packages added in the past seven days.
