Security

Community repo freezes new accounts after attackers swamp it with poisoned package updates

A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning while it cleans up the mess.

The issue was first acknowledged on June 12, with a post stating: "We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository."

The team warned that users might have issues opening new accounts, pushing package updates, and adopting or creating fresh packages.

Around 400 user-submitted packages were believed compromised; that figure climbed past 1,500 over the weekend. On June 14, a more sophisticated wave of malicious packages was spotted. The Arch Linux team this morning disabled new account registration "while we are working on the cleanup."

The core Arch distribution itself is unaffected. The AUR is a community-run package repo – if something isn't in the official repo, it's probably here, assuming nobody's poisoned it. The AUR is user-submitted and unsupported, so users are expected to inspect package build files themselves before installation. The malicious packages attempted to pull in hostile JavaScript dependencies, including npm packages identified in the campaign.

Arch Linux is a fast, lightweight Linux distribution. It isn't for beginners – users need to pick their own display manager and desktop environment as well as their own applications. However, this makes it highly customizable.

The project's website says: "Currently we have official packages optimized for the x86-64 architecture. We complement our official package sets with a community-operated package repository that grows in size and quality each and every day." Unless, of course, miscreants go wild with malicious commits, and the team has to wade in to deal with the problem.

According to the AUR, there are just over 107,000 packages, with 5,586 updated and 273 packages added in the past seven days.

This isn't Arch Linux's first brush with trouble. In 2025, the project was hit with a Distributed Denial of Service (DDoS) attack that disrupted its main web page, the AUR, and the project's forums. It also had to address compromised browser packages that reportedly contained a Remote Access Trojan. 

Both incidents highlight risks in the way the AUR is structured and maintained. It's an invaluable library of packages led by a community of smart Arch users, yet that open, community-driven model can be abused by attackers.

New account creation remains disabled at the time of writing. The Arch team will no doubt be pondering how to avoid this situation in the future. ®