AUR Compromised - Almost 2000 packages affected - 20260611

Tell me about it - I get faced sometimes with 5 or 6 PKGBUILDS and historically skipped them without too much fuss… but obviously I’d never admit to that in public :stuck_out_tongue:

But yes, being terminally lazy is a big problem that I have to fight against.

I do get my PKGBUILDs showing up when I run yay:

~/.config/yay/config.json

Check:

    "editmenu": true

Don’t forget to set your ‘user-friendly’ editor. I have:

	"editor": "micro",

The entire config if you fancy backing yours up and pasting it for a test:

~/.config/yay/config.json
{
	"aururl": "https://aur.archlinux.org",
	"aurrpcurl": "https://aur.archlinux.org/rpc?",
	"buildDir": "/home/ben/.cache/yay",
	"editor": "micro",
	"editorflags": "",
	"makepkgbin": "makepkg",
	"makepkgconf": "",
	"pacmanbin": "pacman",
	"pacmanconf": "/etc/pacman.conf",
	"redownload": "no",
	"answerclean": "yes",
	"answerdiff": "",
	"answeredit": "a",
	"answerupgrade": "",
	"gitbin": "git",
	"gpgbin": "gpg",
	"gpgflags": "",
	"mflags": "",
	"sortby": "popularity",
	"searchby": "name-desc",
	"gitflags": "",
	"removemake": "yes",
	"sudobin": "sudo",
	"sudoflags": "",
	"version": "12.4.2",
	"requestsplitn": 150,
	"completionrefreshtime": 7,
	"maxconcurrentdownloads": 0,
	"bottomup": true,
	"sudoloop": true,
	"timeupdate": false,
	"devel": true,
	"cleanAfter": true,
	"keepSrc": false,
	"provides": true,
	"pgpfetch": true,
	"cleanmenu": true,
	"diffmenu": false,
	"editmenu": true,
	"combinedupgrade": true,
	"useask": false,
	"batchinstall": false,
	"singlelineresults": false,
	"separatesources": false,
	"debug": false,
	"rpc": true,
	"doubleconfirm": true,
	"rebuild": "no"
}

@CacheMeIfYouCan

pacman -Qm doesn’t list AUR packages, so it’s not showing up as an AUR package. -Qm lists all “foreign” packages, which are simply packages that are not found in any currently configured repository. These are not necessarily AUR packages.

@sortofsleepy

One of Arch’s downsides is that package maintainers don’t always update package dependencies properly, don’t configure a proper migration path and leave outdated or dropped packages hanging around indefinitely. Many have noticed this with jack. Even though jack2 replaced jack and provides the same dependency, existing installations of jack were not automatically migrated.

It sucks, but it is what it is. One should regularly check pacman -Qm, inspect the packages and act accordingly. If a package has been dropped and is no longer available in the repository databases, and nothing depends on it, just remove it. If other packages still depend on it, check whether there is a newer package that provides the same dependency. Installing that package will usually replace the dropped one.

For example, the proper fix for the jack situation was simply:

pacman -Syu jack2

No.

I mean I can’t be 100% certain but I’m reasonably sure I’ve never installed these packages myself as I’ve never had to, at least in recent memory, rely on the AUR before.

Thanks for the list of commands to run; it doesn’t look like anything appears to be associated with the kernel but I’ll have to take a closer look later.

Ah, thanks for the kick… pacman doesn’t distinguish… yay -Qm works better.

FYI, they’re onto new attack wave and they changed their attack approach…

Stay safe people!

Interestingly I have nothing in ~/.config/yay

Saying “just run yay” doesn’t mean you shouldn’t inspect the diff. May I ask, why do you have multiple AUR packages installed? I mean, I do as well, but I only use AUR when I have a good indication PKGBUILD is maintained by upstream devs. I always check diffs, and occasionally the whole script. Normally, carefully checking the whole PKGBUILD is required only the first time. Later you can only check diffs, which doesn’t take much time.

Also, when a package gets adopted and becomes part of say CachyOS repos, I’ll usually switch to that, although I’m not sure that’s always the right move. Sometimes I prefer having upstream devs maintain the package, but having a distro dev maintain it can definitely be beneficial. I recently switched from the Brave Origin AUR package (maintained by Brave team AFAIK), to the CachyOS package.

Edit:

Btw, why even use yay?

The same reason most people do, laziness. If I can’t find a package I want or need in the official repo then I look in AUR instead of building my own. My fault if I get problems.

“It isn’t and wasn’t ever supported” in Arch - but it is basically in CachyOS by providing paru by default. Look, you don’t have to teach me what the AUR is as I’ve been using Arch for ages. But one of the major problems is that CachyOS is used by a lot of Linux newbies (as it is easy to install) - and using the AUR is made too easy for them. I guess that most of them don’t read the PKGBUILD nor the diffs when updating. This is not how AUR packages are supposed to be used. That’s why I have objections to “I have no objection to EVERYONE using the AUR” as that means that uneducated users will walk right into a trap.

So let’s hope that some effective safeguards will be implemented indeed.

I meant specifically. Most useful stuff is either in the official repos, or it’s an actively maintained PKGBUILD by upstream devs, in which case I see no reason to build the package myself. The rest of the cases are rare and specific, and it’s even much rarer that someone really needs multiple AUR packages maintained by anonymous users.

If you check the current list of compromised packages, it’s mostly some fringe stuff from what I can see. Obsolete apps that have better alternatives, plugins for obsolete stuff that nobody needs, etc.

These kinds of attacks apparently target users who just go through the list of AUR packages and think, “visualstudio, sounds interesting, I should just install it.”, “Satanic Icons? Amazing.”

Or in other words, it probably targets users who have just migrated from Windows because of hype, recommendations from friends and don’t care about learning the basics. There’s no protection against that kind of behavior. People who follow some basic common sense should be safe, at least from this kind of attacks.

That makes sense. I agree, it doesn’t need to be made difficult, but just not supplying paru by default is a big step - and as Shelly is the new shiny default Software Centre, it should not be enabled by default there either.

Indeed they appeared completely laughable. There was a librewolf-fix-bin and a firefox-patch-bin uploaded by a new user.

You’d be perfectly safe if you never read the pkgbuilds, but did visit AUR and check out the developer, last update and so forth.

I’m not actually worried at all by this attack, and found the last one quite funny - but the Genie is out, and without some robust forward thinking it’s never going to stop… and it’s going to get cleverer… combining human intelligence with LLM analysis to find some new vectors.

That’s probably representative of packages in the AUR in general.

I will note that I noticed multiple packages in the list that were discussed on the forums recently or quasi-recently - some of which were once in the main cachy repo.

There are hundreds of orphaned packages with updates in 2026.

Obviously most of the packages impacted are junk but there are also some obvious holes it highlights where even reasonable people using the AUR for reasonable things would be impacted (at least to the degree of seeing and flagging a sketchy update)

The insane thing to me about downloading Linux software (as a former Windows user) has always been the attitude towards distro repos and downloading software. Many people treat this distribution model as more “secure” than Windows because you can’t trick users into downloading software from a bad website.

Never mind that we’re taking software that on the “less secure” platform is provided (typically with a verifiable digital signature) and updated by the developer and in many cases (not all) putting that responsibility into the hands of a third party who we’re all just supposed to trust when adding extra parties to an equation never ever reduces risk.

It’s even worse with the AUR. And when something breaks people go, oh well, you didn’t read the PKGBUILD that time. Not a single person that I know is chasing down every single dependency every single update to make sure that a third-party maintainer hasn’t slipped something malicious into it.

The issue isn’t with the user reading a PKGBUILD; the issue is that a completely unknown person can adopt and push software to an orphaned package, or just create a new AUR package with a name mimicking common mission-critical software.

On my end it found an AUR package:
brscan3 (installed on 2026-03-05)
I never updated it since, and yesterday I uninstalled it and used the official source to install the scanner for my Brother manually. As I am also not too experienced, I used the AUR package before. Hope I did not get infected as such… What do you think? As long as it has not been updated in the past few days (or weeks), I should be safe, right?
Now that my system runs perfectly stable, I hope not to have to set it up again. And what’s worse, change all passwords stored in my Vivaldi browser :frowning:

I don’t recommend anyone to save their passwords in the browser any more; save them somewhere else.

pacman -Qmi

works a little better, gives you more detail like build date.
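The two checks suggested above (list foreign packages with pacman -Qm, then look at the build date in pacman -Qmi output) put together as an added example; this is not code from the thread. The sample -Qmi output and the watchlist names are constructed for the demo, the date layout assumes LANG=C, and on a real system the watchlist should be the advisory’s published package list.

```python
import sys
from datetime import datetime, timedelta

# Constructed sample in the shape `pacman -Qmi` prints under LANG=C; the
# date layout "%a %b %d %H:%M:%S %Y" is an assumption about that locale.
SAMPLE = """\
Name            : brscan3
Version         : 0.2.13-2
Build Date      : Thu Mar  5 22:12:01 2026

Name            : firefox-patch-bin
Version         : 1.0-1
Build Date      : Wed Jun 10 03:14:15 2026
"""
# Placeholder names; on a real system use the advisory's published list.
WATCHLIST = {"firefox-patch-bin", "librewolf-fix-bin"}
DATE_FMT = "%a %b %d %H:%M:%S %Y"

def parse_qmi(text):
    """One dict per package; -Qmi separates records with a blank line."""
    pkgs = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            rec[key.strip()] = val.strip()
        if "Name" in rec:
            pkgs.append(rec)
    return pkgs

def triage(pkgs, watchlist, today, recent_days=7):
    """Flag foreign packages: watchlisted name, or a build within recent_days."""
    now = datetime.strptime(today, "%Y-%m-%d")
    flagged = {}
    for p in pkgs:
        built = datetime.strptime(" ".join(p["Build Date"].split()), DATE_FMT)
        reasons = []
        if p["Name"] in watchlist:
            reasons.append("name on watchlist")
        if now - built <= timedelta(days=recent_days):
            reasons.append("built within %d days" % recent_days)
        if reasons:
            flagged[p["Name"]] = reasons
    return flagged

if __name__ == "__main__":  # real use: pacman -Qmi | python3 triage.py
    pkgs = parse_qmi(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    for name, why in triage(pkgs, WATCHLIST, "2026-06-11").items():
        print("CHECK %s: %s" % (name, ", ".join(why)))
```

A flagged package is only a prompt to open its PKGBUILD and AUR page; a recent build date on its own proves nothing.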

CachyOS includes heroic-games-launcher from the AUR as part of the cachyos-gaming-applications meta package. This inclusion should be broken by removing heroic-games-launcher; let people select the Heroic launcher if they want it from the AUR, get it into the main repos, or offer the AppImage instead of including an AUR package in a group of packages that most newbie users are going to grab expressly because they want to do gaming on CachyOS.

Hi, can I ask what UI this is in the screenshot? I have a hard time reading lines of code sometimes, I skip lines (ADHD); this makes it much more legible for me, and so easier to check.

How can we check system integrity? The only AUR packages I have came from CachyOS (like the Heroic launcher), so it seems I’m safe, but I am just curious how I could check to see if my system was okay?

Also, are we safe to update our systems?