Arch Linux round 3: distributing malware

Arch #Linux round 3: distributing malware. Some time ago we were running alternative Arch images which were based on, for example, CachyOS. Unfortunately we found out it is very easy to distribute malware via the Arch repos. Since Arch did do something to protect their repo, we just stopped supporting it. It's a real shame, but having malware in the repo is simply unacceptable. This is the third wave in just two years; it seems they haven't learned a thing. Personally, it's a great pity: distributions like #CachyOS, #EndeavourOS, and #Manjaro are excellent, but distributing viruses or malware is a total no-go. A shame.

What Exactly Happened This Time?

According to a recent report from GamingOnLinux, over 400 packages in the Arch User Repository (AUR) have been compromised. The attackers exploited the fact that the AUR holds thousands of "orphaned" (abandoned) packages: they created new accounts, mass-adopted those orphaned packages, and pushed malicious updates to them.

Because the AUR is entirely community-driven and has no enforced moderation step, a single new account adopting hundreds of packages at once raised no automated red flag that could have stopped the takeover.

How the Malware Works

The attack was disguised so that the malicious code ends up running as root. This is how the attackers poisoned the packages:

  1. Dependency Injection: The malicious maintainers added npm (and, in later waves of the same campaign, bun) as a dependency of packages that previously had no need for it.

  2. Contact Alteration: They replaced the original maintainer email addresses with generic Gmail accounts.

  3. Root Execution: The attackers bundled a .install scriptlet. pacman runs its post_install and post_upgrade functions as root whenever a user installs or updates the package, whether directly with pacman or through an AUR helper. That hook silently runs an npm install command (fetching packages such as atomic-lockfile, axios, and got), so the fetched code executes as root.

  4. The Payload: Security analysts suggest the payload attempts to load an eBPF program into the kernel to hide itself, acting as a keylogger and credential stealer.

Building the package with makepkg runs the PKGBUILD as your unprivileged user, so the build step alone does not hand the attackers root (a hostile PKGBUILD could still run code as that user, which is bad enough). The root-level payload fires only when pacman actually installs or upgrades the package on your system and executes the .install scriptlet. Reading the PKGBUILD is therefore not sufficient: the .install file has to be reviewed as well, and it runs again on every upgrade, not just on first install.
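The checks a practitioner would run against a cloned AUR package before installing it, written out as an added example (this is not code from the original post or from any Arch project). It looks for the three indicators described above: an npm/bun dependency, a maintainer line rewritten to a generic webmail address, and an install scriptlet that fetches or executes code. The package name, email addresses and URLs in the constructed sample are made up; the function name audit_aur_pkg is this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit a locally cloned AUR package
# directory for the three indicators described above. Package names, e-mail
# addresses and URLs in the sample data are made up.
# Real use:  git clone https://aur.archlinux.org/<pkg>.git && audit_aur_pkg <pkg>
set -u

# Prints one line per red flag found in the package directory $1.
# Return value = number of red flags (0 = nothing matched, 255 = no PKGBUILD).
audit_aur_pkg() {
  local dir="$1" pkgbuild="$1/PKGBUILD" hits=0 f
  [ -f "$pkgbuild" ] || { echo "no PKGBUILD in $dir" >&2; return 255; }

  # 1. Dependency injection: a quoted npm/bun token in the PKGBUILD (depends arrays).
  if grep -Eq "['\"](npm|bun)['\"]" "$pkgbuild"; then
    echo "DEP  : npm/bun pulled in as a dependency"
    hits=$((hits + 1))
  fi

  # 2. Contact alteration: maintainer line pointing at a generic webmail account.
  #    Weak on its own (plenty of honest maintainers use Gmail); strong together with 1 and 3.
  if grep -Eiq '^# *(Maintainer|Contributor):.*@gmail\.com' "$pkgbuild"; then
    echo "META : maintainer contact is a generic webmail address (weak signal)"
    hits=$((hits + 1))
  fi

  # 3. Root execution: pacman runs post_install/post_upgrade from the .install
  #    scriptlet as root, so anything fetched or executed there runs as root.
  for f in "$dir"/*.install; do
    [ -f "$f" ] || continue
    if grep -Eq '(^|[^a-z])(npm|npx|bun|pip|pip3) +(install|i|add|x)( |$)' "$f"; then
      echo "ROOT : $(basename "$f") runs a package-manager install inside an install hook"
      hits=$((hits + 1))
    fi
    if grep -Eq '(curl|wget) [^|]*\| *(ba|z)?sh' "$f"; then
      echo "ROOT : $(basename "$f") pipes a download straight into a shell"
      hits=$((hits + 1))
    fi
  done
  return "$hits"
}

# Constructed sample that mirrors the poisoned-package pattern described above.
make_demo_pkg() {
  mkdir -p "$1"
  cat > "$1/PKGBUILD" <<'EOF'
# Maintainer: new-owner <someone123@gmail.com>
pkgname=example-tool
pkgver=1.0
pkgrel=2
pkgdesc="A formerly orphaned tool"
arch=('x86_64')
depends=('glibc' 'npm')
install=example-tool.install
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"; }
EOF
  cat > "$1/example-tool.install" <<'EOF'
post_install() {
  npm install -g atomic-lockfile axios got >/dev/null 2>&1
}
post_upgrade() { post_install; }
EOF
}

# Constructed clean counterpart: no .install file, no npm, long-standing maintainer.
make_clean_pkg() {
  mkdir -p "$1"
  cat > "$1/PKGBUILD" <<'EOF'
# Maintainer: Long-time Maintainer <maint@example.org>
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
depends=('glibc')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"; }
EOF
}

# Demo on the constructed samples.
tmp="$(mktemp -d)"
make_demo_pkg "$tmp/suspicious"
make_clean_pkg "$tmp/clean"
for p in suspicious clean; do
  echo "== $p"
  if audit_aur_pkg "$tmp/$p"; then echo "   no red flags"; else rc=$?; echo "   $rc red flag(s)"; fi
done
rm -rf "$tmp"
```

The grep patterns are deliberately narrow; they catch the specific shape of this campaign, not arbitrary malicious shell. A zero result means "none of these three indicators", not "safe": a PKGBUILD can still do anything as the build user, so the real check remains reading the diff of PKGBUILD and .install in the package's AUR git history around the time the maintainer changed.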

The Structural Flaw in the AUR

While the official Arch Linux repositories were completely untouched by this, the incident highlights a massive blind spot in the Linux desktop community’s security posture.

The AUR operates on a “use at your own risk” model, placing the entire burden of security on the user to manually inspect every PKGBUILD and .install file before running an update. For an average desktop user who just wants to run a quick system update, that level of vigilance is unrealistic. With the rise of AI tools, scripting these mass-takeover attacks has become easier than ever.

Until the AUR implements strict moderation for adopting orphaned packages, or limits the rate at which a single account can claim them, this ecosystem remains vulnerable and is simply NOT usable. If you are currently running an Arch-based distribution, it is highly recommended to audit any recently updated AUR packages (pacman -Qm lists the installed packages that did not come from the official repositories) or to pause AUR updates entirely until the repository is scrubbed clean.
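To make "audit any recently updated AUR packages" concrete, here is an added example (not from the original post) that shortlists which foreign packages changed since a cut-off date by cross-referencing pacman's own log with the output of pacman -Qm. The log lines and package names below are constructed; the function name recent_foreign_updates is this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: shortlist the AUR (foreign) packages
# that were installed or upgraded since a cut-off date, using pacman's own log, so
# that those are audited first. Sample log lines and package names are constructed.
# Real use:  pacman -Qm | cut -d' ' -f1 > foreign.txt
#            recent_foreign_updates /var/log/pacman.log foreign.txt 2025-07-15
set -u

# $1 = pacman.log, $2 = file with one foreign package name per line,
# $3 = ISO 8601 cut-off prefix (e.g. 2025-07-15 or 2025-07-15T12).
# Prints "timestamp action package" for every ALPM install/upgrade at or after $3
# whose package is in the foreign list.
recent_foreign_updates() {
  awk -v since="$3" '
    NR == FNR { foreign[$1] = 1; next }             # first file: foreign package list
    /\[ALPM\] (installed|upgraded|reinstalled) / {
      ts = substr($1, 2, length($1) - 2)            # strip the [ ] around the timestamp
      if (ts < since) next                          # ISO 8601 timestamps sort lexically
      if ($4 in foreign) print ts, $3, $4
    }
  ' "$2" "$1"
}

# Constructed sample data (not from a real system).
make_sample_data() {
  mkdir -p "$1"
  printf '%s\n' example-tool yay some-aur-font > "$1/foreign.txt"
  cat > "$1/pacman.log" <<'EOF'
[2025-07-10T09:00:00+0000] [ALPM] upgraded example-tool (1.0-1 -> 1.0-2)
[2025-07-16T08:12:44+0000] [PACMAN] Running 'pacman -Syu'
[2025-07-16T08:13:02+0000] [ALPM] upgraded linux (6.15.6.arch1-1 -> 6.15.7.arch1-1)
[2025-07-16T08:13:05+0000] [ALPM] upgraded example-tool (1.0-2 -> 1.0-3)
[2025-07-17T21:40:10+0000] [ALPM] installed some-aur-font (2.3-1)
[2025-07-18T11:00:00+0000] [ALPM] removed old-thing (0.9-1)
[2025-07-18T11:05:00+0000] [ALPM] upgraded yay (12.4.2-1 -> 12.5.0-1)
EOF
}

# Demo: everything foreign that changed on or after 2025-07-15.
tmp="$(mktemp -d)"
make_sample_data "$tmp"
recent_foreign_updates "$tmp/pacman.log" "$tmp/foreign.txt" 2025-07-15
rm -rf "$tmp"
```

For each package on the shortlist, pacman -Qi <pkg> shows "Install Script : Yes" when a .install scriptlet was shipped with the installed version, and cloning https://aur.archlinux.org/<pkg>.git and reading git log -p shows exactly which commit changed the maintainer line, added the dependency, or introduced the scriptlet. Packages from the official repositories (linux in the sample) are dropped from the shortlist because the page's incident concerns the AUR only.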