All Topics
All Topics
Technology
Technology
Design
Design
Programming
Programming
Science
Science
News
News
Gaming
Gaming
Entertainment
Entertainment
Business
Business
Finance
Finance
Sports
Sports
Health
Health
Food
Food
Travel
Travel
Art
Art
Music
Music
Books
Books
Education
Education
Politics
Politics
Personal
Personal
No algorithm. No AI slop. No ads. Just RSS. Pro-human. Indie writers. Real journalism. Open web. Chronological. Hand toasted.
First reported by Hacker News
Over 400 AUR Packages Compromised with Infostealer and Rootkit by Malicious Maintainer

Arch Linux AUR Hit By Second, More Sophisticated Malware Wave After 1,500+ Packages Compromised

By

Written by Michael Larabel in Arch Linux on 14 June 2026 at 06:32 AM EDT. 45 Comments

23h ago· 2 min readenNews
Bagel score 70 of 100
70/100
Toasty
Bagelometer

Lightly browned and well buttered. A solid pick from the rack.

Score70TypenewsSentimentnegative

Summary

Arch Linux's AUR (Arch User Repository) has been hit by a second wave of malware attacks, just one day after developers thought they had contained an initial incident that affected over 1,500 packages. This new wave is more sophisticated, employing code obfuscation to conceal malicious intent. The affected packages include various Node.js packages, a Plasma 6 applet, Firefox packages, the Aura browser, LibreWolf extensions, a NeoVim plugin, and others. The malware was reported by developer a821.

Key quotes

· 3 pulled
Just a day after Arch Linux developers believed they got their malware AUR incident under control with 1,500+ packages affected by malware, another round of of AUR malware is now being discovered.
This latest round is more sophisticated as with code obfuscation to better conceal the intent.
Various Node.js packages, a Plasma 6 applets package, some Firefox packages, the Aura browser, LibreWolf extensions, a NeoVim plug-in, and various other packages were all found with malware via obfuscated code.
Snippet from the RSS feed
Just a day after Arch Linux developers believed they got their malware AUR incident under control with 1,500+ packages affected by malware, another round of of AUR malware is now being discovered

You might also wanna read

Over 400 Arch Linux AUR Packages Compromised in Malware Campaign

A large-scale malware campaign compromised over 400 user-supplied packages in the Arch Linux User Repository (AUR). Arch Linux maintainers h

buff.ly·2d ago

Arch Linux AUR hit by wave of malware-infected package descriptions

The Arch User Repository (AUR) is experiencing a large-scale attack where malicious actors have taken over hundreds of orphaned package desc

heise.de·3d ago

AI-Generated npm Package Leaks Its Own GitHub Token, Exposing Malware Operator

A malicious npm package named mouse5212-super-formatter, identified by OX Security, was caught leaking its own hardcoded GitHub token. This

infosecurity-magazine.com·16d ago

Attacker publishes 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries

A single npm user published 14 malicious packages over four hours, impersonating popular OpenSearch, Elasticsearch, DevOps, and environment-

briefly.co·16d ago

npm malware targeting Claude users leaks own GitHub token, reaches 676 downloads

An npm package called "mouse5212-super-formatter" targeting Claude users acted as information-stealing malware, reaching 676 downloads befor

theregister.com·16d ago

Microsoft open source packages compromised with credential-stealing malware targeting AI coding agents

Dozens of cryptographically verified open source packages from Microsoft were compromised to include advanced credential-stealing code that

arstechnica.com·6d ago