Forgot your password?
typodupeerror
Security Linux

Arch Linux Malware Incident: Malicious Commits Found in 1,579 Packages (phoronix.com) 43

More than 1,500 user-contributed packages in the Arch Linux User Repository "AUR" were infected with malware, reports Phoronix: The last message in the thread over this security incident is noting that Arch Linux developers have deleted all the malicious commits they are aware of. Cited was this list that puts the number of malware-affected packages at 1,579...

Even at 1,579 packages listed, that final updated noted, it's a "list containing many (but not all) of the affected packages".

Thanks to long-time Slashdot reader couchslug for sharing the report.
This discussion has been archived. No new comments can be posted.

Arch Linux Malware Incident: Malicious Commits Found in 1,579 Packages

Comments Filter:
  • No reactions yet? My main question is which AI was used for so many attacks in such a short time.

    Think of all the criminal hackers who lost their jobs!

    (But I'm not actually curious enough to research which AI was used. I'd have to ask an AI, and I'm sure it would just say "It wasn't me!")

    • by ffkom ( 3519199 )

      No reactions yet? My main question is which AI was used for so many attacks in such a short time.

      This "attack" does not require technical competence or "AI" for automation. Allowing volunteers to take ownership of existing "AUR" packages may have had good intentions, but it was also an invitation for the scum to abuse this mechanism to spread malware to less cautious AUR users. There is a reason why the official Arch packages are not as easily handed to the first one to offer maintenance.

  • AUR (Score:4, Interesting)

    by julian67 ( 1022593 ) on Saturday June 13, 2026 @03:02PM (#66190490)

    AUR has been a rest home for abandoned and insecure packages for years. A lot of years. It makes Ubuntu's Universe and PPAs look like Fort Knox. Of course whenever anyone makes any less than positive comment about Arch the fanboys descend as a self-righteous, angry, stupid mob so stuff like this goes mostly undiscussed until the shit has hit the fan and been liberally distributed.

    • I have literally never seen anyone who uses Arch make any claims whatsoever about the AUR being a safe or secure place to get packages. It's a standard disclaimer to install packages from there at your own risk. Which is fine: Arch is not at all designed to be newbie friendly to begin with, so having an extended package universe that is "install at your own risk" is fine: you should use Arch iff you're very well aware of the risks of something like the AUR.
      • by AmiMoJo ( 196126 )

        Come on, one of the big draws of Linux is how easy it is to install and update your software. "Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.

        I'm just surprised this didn't happen earlier, and I'm someone who likes these software repos.

        • Come on, one of the big draws of Linux is how easy it is to install and update your software.

          yeah and if you've ever used pacman that is 100% true. We aren't talking about pacman here.

          "Oh we never said it wasn't going to fuck your system up with malware" deserves a Powny prize.

          AUR is explicitly a repo for user contributions. There is no signing, vetting, or anything - anyone who can read already knows this. Again you seem to be mixing up official Arch packages from official repos via pacman, versus building whatever shit I throw together in AUR with yay. Absolutely not the same thing.

          • by Bahbus ( 1180627 )

            There is no signing, vetting, or anything - anyone who can read already knows this.

            But there could, and probably should, be. It doesn't even have to be complex. Otherwise it's basically pointless for AUR to even exist.

            • because first party repos are never attacked. theirs nothing to sign on aur because there all normally the same thing you can do on git. its just a set of scrips to make it easy,
      • Arch fanboi appears and argues against point I never made.

        Lol & Q.E.D.

        • by ffkom ( 3519199 )
          Arch opponent has obviously no clue about the differences of Arch and AUR packages and writes stupid comments. LOL & Q.E.D.
    • by svx ( 764251 )
      as an Arch user, I couldn't care less - never used AUR, never will... when people install some crappy "community" software, they better deal with the consequences
      • some things are only aur for example systemd-liberated you know for when they and force age nonsense on you.
      • by ffkom ( 3519199 )
        As an Arch user, I have looked into files on AUR a few times for a quick hint on what others did to compile a certain software for Arch. For that purpose, AUR is somewhat useful. If people like the risk of installing stuff from a random source on the Internet, they will find ways to do so, whether AUR existed or not. At least AUR does tell people they should rather review the few lines that the build scripts there consist of.
  • by drnb ( 2434720 ) on Saturday June 13, 2026 @03:06PM (#66190502)
    "Many Eyes" is a good thing, but it's been oversold. Having coding AI's scan everything will probably work out better in the long run. We're only at the early days, coding AI are also oversold in they own way, but it's a safe bet they will get better over time.
    • As a huge proponent of open source software, I no longer put much value in the "many eyes" argument. For me, the primary security advantage is the superior response time that many open source projects have to major vulnerabilities compared to their proprietary counterparts. Also, documentation and support are usually better for open source projects. Oh, and the feature set of mature open source projects is often better. Finally, if the owner/maintainer goes off the deep-end, there will likely be a fork
      • As a huge proponent of open source software, I no longer put much value in the "many eyes" argument.

        OK, well you're alone in that, because every software company has telemetrics of some sort or another to take advantage of the many eyes (users) and getting reports from them.

    • The AI s are just MORE eyes looking at the code trying to find flaws. Whether the people behind those eyes use the flaws found to make the code better (by patching it) or worse (by exploiting them) is a matter of human nature.

      • by drnb ( 2434720 )
        "Eyes" available to both open and closed source code. A potential win for all.
    • by ffkom ( 3519199 )

      "Many Eyes" is a good thing, but it's been oversold.

      Who said that files on AUR were reviewed by "many eyes"? AUR is specifically a repository for software only very few people want to install, so it is not unlikely that you are the only one to review an AUR build script (after the uploader).

      Having coding AI's scan everything will probably work out better in the long run. We're only at the early days, coding AI are also oversold in they own way, but it's a safe bet they will get better over time.

      The many "security issues" LLM based bots have recently found were programming bugs that nobody intended to hide - but which were non-obvious enough that they slipped through normal reviews. I would not expect contemporary "AI tools" to find malware that has been intentio

      • by drnb ( 2434720 )

        "Many Eyes" is a good thing, but it's been oversold.

        Who said that files on AUR were reviewed by "many eyes"?

        So the "many eyes" of open source legend is false? It doesn't really happen. Open source devs just link in libraries without reviewing the code, just like those evil closed source devs do?

        • by ffkom ( 3519199 )
          AUR hosts few-lines-long "PKGBUILD" script files uploaded by just anyone (who may not have written any substantial software ever), and that is an entirely different scenario than open source projects of significant size where it is realistic to assume more than one pair of eyes has looked at each commit.

          There are certainly also "open source devs" that irresponsibly include libraries from wherever, but that is a completely different topic unrelated to AUR. And unlike for closed source, in both scenarios us
          • by drnb ( 2434720 )
            (1) Some closed source devs also review 3rd party code and updates.
            (2) Closed source code is also sometimes available for review. Closed source sometimes has two types of license, binary and source, The source license often being more expensive. Like open source, a closed source licensee has access to the source code and the ability to modify, build, and distribute a binary. They do not have the right to distribute the source code. What open source and closed source license both do is let a user of 3rd par
  • Many eyes (Score:4, Insightful)

    by CustomBuild ( 2891601 ) on Saturday June 13, 2026 @03:10PM (#66190514)
    Are blind when everyone is indoctrinated into the same cult.
    • by ffkom ( 3519199 )
      "Indoctrinated" in what regard by which "cult"? Are you yet another drive-by commenter with no idea what AUR is, and more importantly, what it not is? Can you cite any source that claimed "many eyes" are reviewing build scripts uploaded to AUR?

      If we want to talk about indoctrination, we could ask why the title of this article is "Arch Linux Malware Incident". That is as misleading as if somebody wrote an article about "Slashdot Malware Incident" just because some commenter posted base64-encoded viruses in
  • It happens in FOSS as well. Or rather, FOSS is 90% crap, just as anything is (by Sturgeon's law). The problem is that mainstream commercial software is closer to 100% crap these days.

The finest eloquence is that which gets things done.

Working...