Arch User Repository Removes Over 400 Software Packages Compromised by Malware

The Arch User Repository (AUR for short) is a community-driven software repository for Arch Linux and its derivatives, often touted as one of the major benefits of using Arch Linux because of its unmatched software availability. Unfortunately, it was recently discovered that several malicious accounts—it’s unclear whether they belonged to a single bad actor or multiple users—had made submissions to some AUR packages to inject malware. The injected code added the NPM package manager, which would go on to install a keylogger or info stealer when affected apps were installed. The issue was detailed in a recent thread on the AUR public mailing list, where the Arch Linux community and its maintainers analyzed over 400 packages and found them to be malicious. It doesn’t seem as though any packages were outright removed, though: junior package maintainer Jonathan Grotelüschen commented in the thread that the maintenance team was “working hard to reset/delete all malicious commits and ban the accounts.” Regardless, it might be prudent to hold off on updating any Arch distros until it’s confirmed that the purge is over, especially if you know you have AUR packages installed.