400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers

RedditRefugee69420@lemmy.world · 15 days

Tons of clawing at each other’s throats in the comments here, largely declaring one another retarded for their use or misuse of AUR or thanking their lucky stars that none of their packages are on the list (so far), but not much that’s helpful for those less fortunate. Maybe nobody’s saying anything to that end because the article already covered it, but this is the second out of two times I’ve visited cybersecuritynews.com and been stuck in an “Are you a bot?” loop that never ends no matter how much of my browser’s safeguards I peel off.

Here’s what steps I did so far, based on following the links I found in this thread (especially the GitHub comments under one of the links):

pacman -Qm in console yielded a list of all the AUR packages that are installed on the system
CTRL+F the results one-by-one in the apparent most up-to-date list: https://md.archlinux.org/s/SxbqukK6IA
I have one on that list, specifically wine-nine, so I ran bat --style header,snip,changes /var/log/pacman.log | grep wine-nine which yielded the following (at the bottom of a very long list of apparent updates I’ve run since installing the OS):

[2026-06-05T20:37:06-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-07T21:50:58-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-08T20:56:54-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-09T21:38:44-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-10T21:58:52-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

[2026-06-12T20:18:37-0400] [ALPM-SCRIPTLET] wine-nine 0.10-1

(Like a good little Arch user I’ve been updating pretty frequently)

Now what?

I saw something that said “check for suspicious processes running as root” but I have no idea what that would look like.

I saw something that said I need to redo all of my passwords and tokens. Any way to check if that’s necessary or should I just assume I’ve been pwn3d?

In using pacseek I think I’ve discovered wine-nine hasn’t been modified in the AUR since “2024-12-07 - 15:18:31 (UTC)” so can I relax a bit? I’m currently going through my list of AUR packages and deciding whether or not I need them as badly as I originally thought. Sadly my distro is one of those that decided to lean on AUR, because most of my list (apart from two) I don’t recognize as something I’ve installed myself.

pacseek would not let me remove the following AUR packages (which thankfully are not in the list (yet)):

:: removing electron41-bin breaks dependency 'electron41' required by deltachat-desktop - an encrypted chat application I installed (not via AUR) I suppose I could find an alternative for

:: removing electron41-bin breaks dependency 'electron41' required by freetube - a YouTube frontend I installed (not via AUR) I suppose I could find an alternative for

:: removing libsoup breaks dependency 'libsoup' required by webkit2gtk - no idea what webkit2gtk is

I only just now realized that chaotic-aur is probably just as problematic as AUR, both in my decision to use packages at all as well as my searching the list of compromise packages, yes? I have tons more packages under that, most of which I think came with the OS.

Crozekiel@piefed.zip · 14 days

Chaotic is not just as problematic, thankfully. They have systems in place to flag suspicious changes for human review before letting them out and it has, so far, prevented them from shipping any compromised updates.

I thankfully hadn’t updated anything from the AUR for a couple of months (it doesn’t happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn’t need any of them… So I now have zero AUR packages on either of my systems.

RedditRefugee69420@lemmy.world · 4 days

Ironic, given the name.

I’m very new to Arch so I’m still confused as to where I stand. Hopefully I haven’t been pwned. Sadly, my distro includes AUR packages by default.

Crozekiel@piefed.zip · 3 days

My distro (Garuda) included a couple back when I originally installed it, but doesn’t use them currently (namely wine-nine - which was affected) but the built-in system update didn’t touch AUR unless you explicitly tell it to, so that saved my bacon in this situation (my AUR packages hadn’t been updated in 2 months).

RedditRefugee69420@lemmy.world · 16 hours

How do I check to see if that’s the case for me too?

As I showed above, I also had wine-nine, but I can’t tell if that log is listing all the times wine-nine was updated or all the times I updated with wine-nine installed.

I’m leaning toward the latter given it was just listing wine-nine 0.10-1 repeatedly, implying it never updated past that in the dangerous period, right?

Tetsuo@jlai.lu · 17 days

I hope all the Arch based distros will do a proper post to inform their users on how to cleanup afterwards.

I’m hoping at least cachyos, the distro I use, will tell me exactly how to check and clean my system.

I remember that when I installed a few of my AUR package, I was well aware that this repo was pretty much unregulated and that I just have to trust it’s safe. So I made sure to only use AUR as a last resort. But there was warnings on cachyos that were displayed to tell me to be cautious about it so that’s at least a positive.

yesman@lemmy.world · 17 days

The article has instructions to do exactly that.

Users who regularly install AUR packages should take the following steps immediately:

Run pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages

Audit recent PKGBUILD history for any packages installed between June 10–12, 2026

Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed

Scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit

Consider using AUR helpers with PKGBUILD review prompts enabled by default.

The Checklist of infected packages

Tetsuo@jlai.lu · 16 days

Ok, but I was expecting something a bit more automated then opening a list of package in kate and comparing it to my list of installed AUR package… Plus it’s 400 package so that’s a lot of things to check and plenty of space to miss one package by manually checking.

But I get it I’m lazy and just need to script something myself. This is affecting so many people I thought we would have a script to check quickly if you are “infected”.

Edit : thanks for the numerous script sent as reply ! But I’m all set now, thanks !

Holytimes@sh.itjust.works · 17 days

how many aur packages do you have? Most people i know have like AT MOST 20 or so packages from the aur. Which takes less then 2 mins to manually check against the list.

Tetsuo@jlai.lu · 17 days

I’m not home for a few days so I can’t check yet.

But I think I have something like 3/4 packages at the most.

But I need to compare that to a 400+ list I’m not sure I agree with you it’s that easy to do rigorously.

hoppolito@mander.xyz · 17 days

Not sure I understand - if you only have 3-4 packages you can just search for them specifically in the long list?

Even if you have 50 or 100s of packages, bash makes it pretty doable

comm -12 <(sort -u file1.txt) <(sort -u file2.txt) > common.txt

Should spit out only the packages appearing in both lists (done by memory so may not be 100%)

0x0@infosec.pub · 16 days

Do you have anything that will wipe their butt too?

0x0@infosec.pub · 16 days

You could probably find it on aur lmao