HeadlinesBriefing.com

Arch Linux AUR faces fresh obfuscated malware wave

Hacker News

Arch Linux developers thought they had sealed a massive AUR malware breach that infected more than 1,500 packages. Within 24 hours a new wave surfaced, this time embedding obfuscated code to hide its payload. The compromised set spans Node.js utilities, a Plasma 6 applet bundle, several Firefox extensions, the Aura browser, LibreWolf add‑ons, a NeoVim plug‑in and other community modules, and it calls for immediate remediation.

Developer a821 flagged the latest infections late Thursday, confirming that the tainted packages had been removed from the repository. Hours later, security researcher Nicolas Boichat employed a local Gemma E2B AI model to locate additional malicious snippets, noting a more elaborate obfuscation around the Bun command. Boichat’s recent findings suggest attackers are refining evasion techniques to survive community vetting.

The recurrence has reignited calls for tighter controls on the user‑maintained AUR, which functions as a de‑facto package marketplace for Arch. Critics argue that without automated scanning or mandatory signatures, the repository remains a fertile ground for supply‑chain attacks. As maintainers scramble to audit submissions, the incident underscores the need for systematic safeguards rather than ad‑hoc clean‑ups.