Arch Says ‘All’s Clear’ After AUR Malware Incident Affects 1,500 Packages

Arch says it’s scrubbed all known malicious commits, but the 1,500‑plus affected AUR packages are a fresh reminder to “trust but verify.”

Editor’s note: Since this article was published, AUR’s maintainers have been finding additional packages, laden with more sophisticated malware, in the repository. Read our continuing coverage.

Yesterday we told you about Arch Linux’s AUR repository being infested with hundreds of malware-infected packages. At the time, more than 400 packages had already been removed (along with committers’ accounts) after being found to contain malware. Arch users were being advised to not download and install packages from AUR until the situation was resolved.

Later in the day, Arch Linux packager Jonathan Grotelüschen posted a notice to Arch’s mailing list that effectively said it’s safe to go back in the water.

“I believe that at the moment we deleted all the malicious commits we know of,” he said. “Thanks to everyone for reporting packages. A list containing many (but not all) of the affected packages can be found here: https://md.archlinux.org/s/SxbqukK6IA.”

In all, more than 1,500 packages were affected.

AUR, or Arch User Repository, is a repository that should always be used with caution, since all of the packages it contains are committed by Arch users without vetting. A key phrase for dealing with the repository has always been “trust but verify.”
