What an annoyingly uninformative title. Better title: a lot more compromised AUR packages have been found since our last update.
"A lot worse" is intentionally vague to get people to click.
this post was submitted on 14 Jun 2026
170 points (94.7% liked)
Linux
65853 readers
365 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
Vagueposting clickbait? On the internet!? For views and clicks!?! The website is AIDS it's so full of ads!?
At least some level of human review is going to be needed.
So... completely negating the point of a User Repository??? Introduce some kind of authoritative oversight, and it's essentially just another regular repository, erasing all the benefits of the AUR. The whole point of the distro slapping a huge disclaimer of "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." at the top of the homepage is because these kind of compromises are the trade-off one makes
Anyone can publish his PKGBUILD script on their codeberg or github page.
TLDR: Open package repositories without some approval and oversight system, like AUR, will have even more problems in the future due to advanced coding AI and malicious ~~foreign~~ hackers.
Edit: Please normalize TLDR's on bot posts with just a link.
Edit 2: I have been rightfully informed that this is not a bot post. I still think links should not be posted without a tiny abstract, one might say: a TLDR.
I have also been informed that the text does not spell out "foreign". This is correct. The text does say
Not all of the packaging issues are as bad as the initial wave of trying to steal credentials, some are just adding ridiculous messages in Russian.
This implies but does not establish the nationality of attackers. While Arch has contributors from all over the world, it is commonly cited as being a Canadian distribution (example, see below). https://distrowatch.com/table-mobile.php?distribution=arch
"Foreign hackers"
Foreign to who?
The article never said "foreign", you made that up.
load more comments
(1 replies)
I remember the good ole days when nobody cared enough about Linux to spread malware to it. Sigh. All these techbros that need to j their d to their power trips, dystopian surveillance, and shitty AI companies have probably started this. I even noticed a Linux hate sub on Lemmy. Imagine there being enough people forced to use Linux to create a hate community where they favor Microslop. Such strange times we live in.
load more comments
(1 replies)
OP is not a bot
Then they should've included a short TLDR even harder
It's a very short text
load more comments
(1 replies)
AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.
I think I'd be satisfied with just not allowing people to take over orphaned packages. That seems like a glaring attack vector and closing it would not harm the AUR in any way.
And yea, arch (and its derivatives) probably should not ship with AUR helpers pre-installed.
arch doesn't ship an aur helper pre installed. It's the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it's safe to use as is
It’s the derivates leeching the arch aur infrastructure and preinstalling aur helpers suggesting it’s safe to use as is.
So, Arch users do not depend on AUR? If so, that's easy to fix. Just delete any mention of AUR from the Arch wiki.
The Arch Wiki describes the AUR in plain terms: it's a user-submitted community repository of software, not warranted to be safe or even vetted by Arch maintainers, packaged to be friendly with pacman.
If you're doing things the "Arch way" the differences between the AUR and officially supported packages should be obvious, and you should at the very least skim the PKGBUILD files to understand where things are coming from and how they work.
load more comments
(1 replies)
Now's our chance, it's time for a hostile takeover from my fellow "i use nix btw"s!
I am actually enjoying most of it, yeah.
The command pacman -Qm will display every package from the AUR on your system. You can then search the list of compromised packages.
To be clear, -Qm displays installed packages not currently in the repositories. This will include AUR packages, but I avoid the AUR (except for davmail years ago) every once in a while I'll run it just to check and sometimes it finds packages.
When you install things from the main repos the dependencies get installed too, and if those dependencies are no longer needed they'll be removed from the repositories. (I also have a bad habit of forgetting --asdeps when installing optional dependencies.) Sometimes they'll conflict with a new dependency and pacman will ask to remove and replace them, but other times the functionality has become a part of an existing package, so with no conflict to prompt removal they'll just sit unused on your install. If you haven't tried -Qm in a long while you'll probably find a few harmless currently-unused packages that were installed through the normal repos. (-Qdt will cover the other cases where dependencies remain in the repos but are now only needed for packages you don't have installed.)
Obviously -Qm will also show removed packages that aren't dependencies, a few years back my preferred pdf viewer was removed from the repositories.
-Qm will also find manually installed packages that aren't in the AUR if you ever do that.
load more comments
(20 replies)
Me, a Debian user, watching that shitshow 😎
Debian users should receive their news 6-12 months after everyone else, change my mind
/s
Some people likes tested and stable software. It's weird.
Don't forget that all the Arch users are doing a good part of that testing, too. Arch is a boon to Linux in general.
Out of date and stable software you mean.
Honestly, not even stable. Just arbitrarily frozen. Oftentimes with later releases having bugfixes that the user won't see for another few years.
load more comments
(1 replies)
That's optimistically quick
Sincerely,
A Debian user
Should? Don't you mean already do?
Huh, you really feel schadenfreude over another reputable project being hit by/having to deal with malware? And all the people who might be affected by it?
That is not something that would ever cross my mind.
load more comments
(2 replies)
Whoa, this is blowing up. Chill, guys. I really think that sucks. If anything, with Arch being bleeding edge and all of that, at least you're showing early the tough wake up the other distros will have to do in relation to malware after Linux' increasing popularity. Time to brush those SELinux and apparmor bits, even.
But, now, we Debian users are okay, (btw, 😎).
Upside to Debian! Never have to worry about shit like this. Downside to Debian, you have to use Debian.
More like: Upside to Debian, you never have to worry about the latest malware and bugs! Downside to Debian, you have to use yesterday's everything…
I use Debian for everything, and the only thing I've updated to the current (non Debian distribution) version is Docker, which I use for a game. But this isn't a problem, because it's Debian, so the Docker people make packages for several recent Debian releases.
I don't miss the bleeding edge. That issue a while back where someone infiltrated a basic library didn't affect me. The software I use might have bugs (what software doesn't?), but by the time I get it, it has been well tested for security issues.
I'm pretty happy with my switch to Debian. I'll admit I'm curious about Bazzite for my gaming computer, but even then, it's like, "Why? Debian is doing just fine."
But I'm not laughing at anyone. This is a scary new variety of attacks we're seeing, and there's no real reason one couldn't end up in my computer. Reminds me of the old one where someone slipped a backdoor into a compiler.
load more comments
(2 replies)
Nothing says "socialist vibes" like gloating over other Linux users
Using Linux is not a dick measuring contest (and man I hate these threads asking "why is your distro the best?" - it feels like trolling and sowing division and grief to me. A bit like asking a mother "What is your favorite child?".)
But apart from that, I think we can all agree that security of AUR packages is no good enough, and that this deficit is by design.
load more comments
(1 replies)
Me, a NixOS user, watching folks fighting over a bunch of legacy distros 😎😎😎
AUR has never been a good idea. I don't use it and this news proved me right.
Does that mean a distro official package manager would be immune to infections? Of course not, but they do offer a more secure distribution system and build greater trust. Minimizing the chance of malware being spread through their means.
Edit: If you have the knowledge and time to inspect the AUR packages you install, AUR might be good for you. I have none of these, that's why I stick to my official distro packages (and sometimes also some flatpak but from official sources)
It's just a repository of user-contributed packages. It's no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, Sourceforge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that's on you. It's basic internet safety to not automatically trust random scripts you find on the internet.
load more comments
(3 replies)
AUR has never been a good idea. I don’t use it and this news proved me right.
But is Arch sufficiently complete without AUR packages? It is being criticized - and rightly so - that the magnificient Arch Wiki is full of references to AUR packages. That could in fact mislead new users.
I am an happy Arch user, since about ten years... But I use it differently. I am running Debian stable on the hardware, which has all the drivers I need (after getting rid of NVidia graphics, which was just a mistake to buy). I use Debian for my work / office / productivity system, to read email, and so on.
But for some stuff, I need newer software: For trying out new features or libraries (I am a developer). For testing out new window managers. Leisure programming. And so on. I use Arch for this. After a few years of dual booting (which caused occasional breakage), I settled on running Arch in a VM. Which works fine for me.
And the last shift I am experiencing is that I use more and more the Guix package manager. The reason for this is that when one tries out a lot of things, and does only system upgrades for many years (which means not doing a reinstall, but replacing the oldstable packages with the newer stable packages), the system becomes a bit untidy over time. Old packages, scripts, and configurations accumulate, and it is hard to get rid of it without breaking things, because one just cannot delete everything one does not remember what it was needed for. And there is so much stuff in software that, after all, turns out to be not such a good idea. Yes, a fresh OS install leaves a tidy system, but it would cost a few days. (By the way, accumulating cruft in the long term is also somewhat of an disadvantage of rolling release distros.)
Now, Guix solves that, because I have a temporary, deterministic environment for every programming project (just like a Python venv). And by this way, stuff does not contaminate the base system, and is garbage collected when it is not used any more.
And, Guix has quite recent packages, similar to Arch.
Now I use Arch less and less.
Is Guix the GNU approach to NixOS?
So if nixos is the new I use arch btw is guix the new I use nixos btw?
Lol
load more comments
(1 replies)
Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that's why some companies hate it), but above all makes much easier to inspect what is in a package.
load more comments
(2 replies)
load more comments
(2 replies)
load more comments
(1 replies)
Where at "I use Arch btw" now?
I use arch btw, it's only effecting the arch user repository, which lives separately from the maintained repositories, it's not even possible to download stuff from there with pacman. Really it's just a community space, I also have packages there. You can download pre-packaged apps, so if you install them, you will be able to remove them with pacman. I think it's a great concept.
it's like a forum where some jerk writes "use 'sudo rm -rf /' to speed up the computer". Except you don't have to read it to execute their plan.
Flathub is also concerning btw. But at least those apps are containers (with too much permissions)
view more: next ›