Is this the first time AUR has been compromised to this degree?
Given how changes are often unvetted, I am surprised this hasn’t occurred before.
I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.
I’m hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.
I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it’s safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that’s at least a positive.
The article has instructions to do exactly that.
Users who regularly install AUR packages should take the following steps immediately:
Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages
Audit recent PKGBUILD history for any packages installed between June 10–12, 2026
Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed
Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit
Consider using AUR helpers with PKGBUILD review prompts enabled by default.
Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package… Plus it’s 400 package so that’s a lot of things to check and plenty of space to miss one package by manually checking.
But I get it I’m lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are “infected”.
It took Arch ~19 years just to get
archinstall.Something tells me there won’t be a script.
The link is a script
A lot of those 19 years were times where only nerds used arch.
CachyOS community seems to have a detection script, I have not vetted this run at your own discretion.
https://discuss.cachyos.org/t/aur-compromised-400-packages-affected-20260611/31040
I haven’t used kate but does it not have some sort of easy search?
ex. pacman -Qm to list AUR packages; should display the 3/4 pkgs you have installed. Then just search in kate for those 3/4 results?
Alternatively cat & grep in the terminal is pretty straight forward.
That is if it’s 3/4 pkgs that are from AUR, but if someone has hundreds installed that is a bigger issue on its own.
how many aur packages do you have? Most people i know have like AT MOST 20 or so packages from the aur. Which takes less then 2 mins to manually check against the list.
I’m not home for a few days so I can’t check yet.
But I think I have something like 3/4 packages at the most.
But I need to compare that to a 400+ list I’m not sure I agree with you it’s that easy to do rigorously.
Not sure I understand - if you only have 3-4 packages you can just search for them specifically in the long list?
Even if you have 50 or 100s of packages, bash makes it pretty doable
comm -12 <(sort -u file1.txt) <(sort -u file2.txt) > common.txtShould spit out only the packages appearing in both lists (done by memory so may not be 100%)
Here’s a script:
https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
Damn how long is the list when you
pacman -QmAm I missing something ?
Just because I have 3/4 package on my system doesn’t mean the 400+ list of affected package gets shorter on the other side…
I’m actually pretty cautious with AUR and I only install them when there is no other options.
Especially for a small list, 3-4, that you actually need to check, what’s the actual issue? Open list of 400, ctrl+f for the few names you care about, move on.
I was just curious because I didnt think it was so tediuous to check against an alphabetical list on a website using ctrl+f. But thats just me. It took me less than a minute to check my 8 aur packages against the list
Holy shit it’s like all of Python.
Yeah, Python has been a massive vulnerability for a long while. And the AUR has similar issues. This is only getting widespread coverage now. But it’s always been a risk.
Well, those are mostly extension libraries, stuff “normally” installed using pip. Arch is kind of unique that they encourage using system aur over pip, npm and other package managers. While it is a big radius, none of the python packages stick out to me, but maybe I just haven’t encountered the popular ones.
The attackers specifically targeted orphaned projects on AUR so it’s no wonder most of those aren’t familiar to us.
I have always been nervous about this type of thing happening with the AUR. Thankfully many packages I used to need the AUR for have since added native versions or made flatpaks. I hope AUR users don’t have too many issues from this!
flatpaks arn’t any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.
Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.
Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.
The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.
I wish Arch packages as much in their repos as Debian.
I think there was a word missing.
To respond to what I think you were saying, this event happened in the Arch User Repository, and not the official repositories.
Arch is very clear that they are not responsible for what goes on in the AUR. For example on https://aur.archlinux.org/ :The Debian equivalent would be somewhere between extrepo and PPAs.
I think the comment makes sense, if more packages were supported on the main Arch repos there would be less of a need to use the AUR or Flatpaks.
There are definitely some big gaps on the Arch repos (web browsers in particular) that I would like to see improved.
You’re right, but web browsers can be pretty brutal to build and they are for sure never going to add -bin versions.
maybe i went offtopic but i was comparing the AUR To Debian’s repos, i see that Debian has more packages in its repos(things like Llama-CPP and Open arena is in debian but arch needs the AUR)
thats what i meant
Can’t load the article but I assume Arch’s rolling release way of doing updates makes this quite the disaster.
Eh, depends really. The AUR is not the default place to install software from, it’s all user created and comes with warnings almost anywhere you have access to it. I’ve generally used Octopi to install packages and you have to jump through some hoops to even have it show you packages from the AUR. Generally, running updates for the system, from the Arch flavors I’ve used anyway, by default doesn’t update packages installed from the AUR and you generally update them deliberately and separately. As an example, on my Garuda systems I only have 3 packages installed from AUR and they are so rarely used I forget about them a lot… I’m a bad sysadmin for myself and they don’t get updated nearly as often as the main system packages.
But, do other people use their system differently? Absolutely. They have likely ignored several warnings (or read them and accepted the risks) to get there though.
flatpak has a sandbox
Be careful with relying on it though since it has more holes than swiss cheese due in part to lazy devs who request unesecary permissions & the sandbox being slightly flawed from a security perspective.
A sandbox that has enough protection to be secure also has enough restrictions as to be too annoying to use, and often is useless. Don’t get me wrong, sandboxes can be very good, but only in specific situations. In general you need your applications to be secure without a sandbox.
What do you mean, don’t you love a text editor that can not open any file on your system?
