
Arch Linux Shuts Down AUR Signups After 1,500+ Compromised Packages

A wave of malicious packages has flooded the AUR, Arch Linux's community package repository. While cleanup is underway, Arch Linux has decided to suspend the creation of new AUR accounts. Here's what we know.

If you've tried to create an account on the AUR (Arch User Repository) in recent days, you were probably greeted by an unfriendly message: a 503 Service Unavailable error on the registration page. This block is no accident: it is a temporary decision made by the Arch Linux team in response to the security incident affecting the AUR. A radical way to shut off the tap, especially since the scale of the incident has only grown over the hours.

The initial estimate turned out to be far below reality: the first reports mentioned around 400 packages affected by the attack on the AUR. All of them were built to deliver malware, including infostealers, to users' machines. As the hours passed, that number kept rising: at least 1,500 malicious packages are now believed to have been published on the AUR.

For several days, cleanup has been underway to identify and remove all malicious packages. Why is it taking so long, you may ask? In reality, the AUR is a very active repository; just look at a few figures:

  • More than 141,000 registered users,
  • More than 107,000 packages,
  • At least 270 packages added over the last 7 days, with more than 5,500 packages updated during the same period.

These figures show that this community repository sees significant activity. More importantly, they also show that it plays a key role for Arch Linux users.

The Problem with Orphaned Packages

There is another number to keep in mind: more than 13,000 packages are orphaned (they no longer have a maintainer). So that these packages are not abandoned for good, the AUR lets any registered user adopt an orphaned package and become its new maintainer. That's the open source spirit. Once adopted, the new maintainer can push a new PKGBUILD, which every user who updates the package will then build and run. The problem is that attackers abused this mechanism to push malicious updates to packages they had adopted.

As checks continue, new infected packages are being discovered. It is a long and time-consuming job, but an essential one to clean up the AUR.

On your side, let me remind you that you should inspect the PKGBUILD file and any installation script (.install) before installing or updating any package from the AUR. The AUR ships no binaries: what you fetch is a build recipe, and makepkg runs it, and any hooks it carries, on your own machine. That is exactly the channel through which this malware was delivered. Above all, two things should raise a red flag:

  • A package has recently changed maintainers,
  • An unmaintained package suddenly received an unexpected update.
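As an added example, not part of this article and not an Arch Linux tool, the POSIX shell script below automates the check described above on a clone of a package's AUR git repository: it greps the PKGBUILD and .install hooks for download-and-run pipes and similar constructs, counts download sources outside a short list of well-known hosts, and lists the commit authors of the PKGBUILD so a recent change of maintainer stands out. The pattern list, the host list and the clone workflow are this example's own assumptions, not an official Arch check.

```shell
#!/bin/sh
# aur-audit.sh: added example, not code from the article or from the Arch
# project. It automates the look you should take at an AUR package before
# building it: suspicious constructs in the PKGBUILD and .install hooks,
# download sources outside well-known hosts, and changes of maintainer in
# the package's git history.
# Assumed workflow (not stated in the article):
#   git clone https://aur.archlinux.org/<pkg>.git && sh aur-audit.sh <pkg>
# The pattern and host lists are this example's own heuristics, not an
# official Arch check; a hit means "read this by hand", not "malicious".

# Extended regex of constructs worth reading by hand: download-and-execute
# pipes, decoding of embedded blobs, eval, reads of credential stores, and
# persistence through cron or systemd.
SUSPICIOUS_PATTERNS='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|(^|[^a-z])eval[[:space:]]|(\$HOME|~)/\.(ssh|gnupg|aws)|/etc/(passwd|shadow)|crontab|systemctl[[:space:]]+(enable|--user)'

# scan_file FILE: print each suspicious line with its line number.
# Returns 0 when something was flagged, 1 when the file looks clean.
scan_file() {
    grep -nE "$SUSPICIOUS_PATTERNS" "$1"
}

# count_foreign_sources PKGBUILD: print how many URLs in the source=() arrays
# point outside the hosts listed here (raw IPs, paste sites, fresh domains).
count_foreign_sources() {
    awk '/^[[:space:]]*source[_a-z0-9]*=\(/,/\)/' "$1" 2>/dev/null \
      | grep -oE "https?://[^/\"' )]+" \
      | grep -vcE '^https?://([a-z0-9-]+\.)*(github\.com|gitlab\.com|archlinux\.org|kernel\.org|pypi\.org|crates\.io|sourceforge\.net)$' \
      || true
}

# maintainer_history DIR: commit authors of PKGBUILD in the AUR clone, oldest
# first, collapsing runs of the same author so a recent change of hands stands
# out. Needs the git checkout, so it is not part of the offline checks.
maintainer_history() {
    git -C "$1" log --reverse --format='%as %an' -- PKGBUILD \
      | awk '{ a = $0; sub(/^[^ ]+ /, "", a); if (a != prev) print; prev = a }'
}

# audit_pkg DIR: run the offline checks on a cloned package directory.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_pkg() {
    dir=${1:-.}
    rc=0
    for f in "$dir/PKGBUILD" "$dir"/*.install; do
        [ -f "$f" ] || continue
        if scan_file "$f"; then
            echo "!! $f: the lines above need a manual read before building"
            rc=1
        fi
    done
    n=$(count_foreign_sources "$dir/PKGBUILD")
    if [ "$n" -gt 0 ]; then
        echo "!! $n source URL(s) outside the well-known hosts list"
        rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    echo "== maintainers of $1/PKGBUILD, oldest first"
    maintainer_history "$1" || echo "(no git history available)"
    audit_pkg "$1"
fi
```

Run it as `sh aur-audit.sh <pkg>` on a fresh `git clone https://aur.archlinux.org/<pkg>.git` before `makepkg -si`, and compare the author list with the maintainer shown on the package's AUR page. A hit is a prompt to read the flagged lines, not a verdict, and a clean result is not a guarantee: a build() function can still fetch and run anything at build time, so the PKGBUILD itself is what you read.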

Following this security incident, I struggle to see how the AUR can continue operating in the same way. Otherwise, this will inevitably happen again. The Arch Linux teams are certainly evaluating ways to strengthen AUR security, especially for orphaned package adoption.

Finally, note that the AUR remains online and the packages are still accessible. Only the creation of new accounts is currently unavailable.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
