Right, 100%.
Just in the case of people who hand-in-hand refuse to take the recommended precautions but also want the benefits of using the AUR, welp, caveat emptor.
I wasn’t aware of this, will do.
It may very well be that the offending commit has been removed by AUR admins already.
That’s not a PKGBUILD. Did it not open in a pager?
Somewhere in between git clone and chmod +x is your chance to read the code.
If you’re still uncomfortable judging a shell script, you should stay away from the AUR until you are.
What are you guys trying to do here? There are many packages from the AUR in the repos, apparently without verifications before package updates. You guys keep saying it’s safe, how? How can you say that when there’s no verification at all? Hijacking can happen to any AUR package.
I feel like I’m going crazy or something. No one has any answers, just all is fine. Link some proof or something. Proof is not a few sentences in the wiki.
If I could, I would spend them on educating people to not curl pipe into shell.
(and more characters to please Discourse)
What do you mean?
It has been said before and again that the packages which are/were derived from the AUR are reviewed.
I have personally argued we should not provide any of the bin packages because it is of little value .. yet we do .. but I would also not make more of that than it is. It’s a few dozen packages like brave-bin and not some sort of vast unchecked or infrastructural list of packages that are taken from there.
Not pipe unknown curls to shell.
Just like one should not install a PKGBUILD blindly.
Where? How? When? Is there a verification before updates? You keep saying this, but this doesn’t mean much.
Link something about this please.
Also the -bin PKGBUILDs are not different.
Every curl to shell is technically unknown.
I’m referring to this:
i.e. seeing a script in the browser and then piping it to shell can result in different code being provided by the server. There’s typosquatting and even esoteric types of cybersquatting relying on randomly flipping bits, which would be a feasible attack vector for sites like GitHub.
Just like paru asks you to verify the PKGBUILD (diff), one should curl to a file, bat the file and only then execute it.
Btw I’m not “attacking” anyone specifically with this pet peeve of mine. It’s, by now, an unfortunate habit to pipe curl to shell, that is ubiquitous in many install guides.
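The "curl to a file, read it, then execute it" workflow from the post above (and the "read the PKGBUILD between git clone and makepkg" advice earlier in the thread) as an added shell example. This is not code from the thread or from any project mentioned in it; the URL, expected hash and file name in `fetch_inspect_run` are placeholders, the sample script is constructed here, and the grep patterns in `triage_script` are an assumed starting list, not a complete detector.

```shell
#!/bin/sh
# Added example: download to a file, hash it, triage it, read it, and only then run it.
# Assumes curl and either sha256sum (coreutils) or shasum. Not part of the original post.
set -eu

# SHA-256 of a file, using whichever tool is installed.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file hashes to the value the publisher documented.
# This is what catches "browser sees one script, curl gets another".
verify_script() {
  file="$1"; expected="$2"
  actual=$(file_sha256 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Crude triage: prints the number of constructs a reviewer should look at first.
# Zero findings is not proof of safety; it only says the obvious tells are absent.
triage_script() {
  file="$1"; hits=0
  for pat in 'curl[^|]*\|[[:space:]]*(ba)?sh' \
             'wget[^|]*\|[[:space:]]*(ba)?sh' \
             'base64[[:space:]]+(-d|--decode)' \
             'eval[[:space:]]' \
             '\.ssh/' \
             '/dev/tcp/'; do
    if grep -Eq "$pat" "$file"; then
      echo "review: pattern '$pat' found in $file" >&2
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# The full workflow. Network and pager steps are not exercised by the demo below.
fetch_inspect_run() {
  url="$1"; expected="$2"; out="${3:-./install.sh}"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"   # to a file, never to sh
  verify_script "$out" "$expected"                           # matches what was published?
  triage_script "$out" >/dev/null                            # findings go to stderr
  "${PAGER:-less}" "$out"                                    # the step curl|sh skips: read it
  printf 'Run %s? [y/N] ' "$out"; read -r ans
  if [ "$ans" = y ]; then sh "$out"; fi
}

# Demo on a constructed installer that does what the post warns about.
demo=$(mktemp)
printf '%s\n' '#!/bin/sh' \
  'curl -fsSL https://example.invalid/setup | sh' \
  'echo aGVsbG8= | base64 -d' > "$demo"
echo "sha256: $(file_sha256 "$demo")"
echo "suspicious constructs: $(triage_script "$demo" 2>/dev/null)"
rm -f "$demo"
```

Pair `verify_script` with a hash obtained out of band (release notes, a signed checksum file, the project's git tag), not one scraped from the same page that served the script, or it verifies nothing.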
I understand you are trying to push a more secure set of standard operating procedures.
And as far as that goes I would agree.
But to take it further and simply declare the method itself as inherently bad just because it can be abused by adversarial control that I would probably not agree with.
Every instance you show of this being an issue relies on something being provided by a malicious actor - whether that’s typosquatting (i.e. wrong address, incorrect execution) or the supplier of the script nefariously showing one example in the browser and another to a shell. None of which applies, for example, to a script you yourself control.
I’m frightened. Should I turn on my CachyOS machine with networking enabled at all?
Frightened of what?
If you did not blindly use the AUR - and specifically any of the problem packages during the campaigns .. then there should not be much related to this thread to be afraid about.
The team.
Here and on github when the issue has been raised.
Is this weaponized “confusion” an attempt at trolling?
No one said bins are special in that they are immune to anything .. I simply point out their prevalence because they are the ones commonly adopted. And I am of the belief also that they offer little value being in the repos exactly because they are bins - users getting them from the AUR aren’t compiling them so they don’t save anything.
Hey all,
Due to the current influx of malicious packages uploaded to the AUR, registration of new accounts is currently disabled while we are working on the cleanup. Thanks for your understanding.
Cheers,
artafinde on behalf of Dev Ops of Archlinux
15 Jun 2026 11:01 a.m.
Frightened that the stuff I installed from the AUR for reasons is affected and compromises my machine, sending sensitive info out once I’m online.
If you think you may have been affected then you may want to consider credentials like SSH as possibly compromised.
I think he is very panicked like many others. And I think he doesn’t know how bins and self-compiled packages work.
@mihalycsaba A knowledgeable PC user should know that bins are pre-compiled - they are like Windows’ EXE files. They can contain malware for sure but I think will be kicked out by the AUR’s anti-malware system (if they have one). PKGBUILDs are not pre-compiled and must be compiled by your machine. These “scripts” can be compromised to insert malicious code. These bad guys additionally used legit sources like npmjs.com to load that malicious code. So I think it makes it harder for malware detection.
In this AI era, you are able to learn faster and more efficiently (particularly if you prohibit the AI from hallucinating). But in the case of IT, hallucination isn’t really necessary, because IT follows hard rules. But you also simply can use a search engine of your choice to learn something about pre-built packages and PKGs. It’s better than going crazy.
Keep in mind: Nothing is 100% secure! Launchpad was already compromised in the past and also Linux Mint was hacked to spread malicious ISOs. And there was also a case of malicious Flatpaks. The biggest security breach is human!
I’m also a bit worried whether I have been infected or not and ran the script to see if there were new packages found. But I use big projects and they are 99% safe. And when you avoid very old packages, you are also safe! I bet the AUR team works hard to clean this mess but it also needs a new security system to avoid such things in future.
The biggest security breach is human!
This is why the biggest security upgrade is an educated human! Trust not AI or randos on the internet, learn how things work and then you’re the last line of defense, fellow users.