Arch Linux AUR Purges Malicious Commits From 400+ Packages as npm Payloads Hit Installs

3 articles · Updated · linuxiac.com · Jun 11

Summary

  • Arch contributors are removing malicious commits and banning accounts after user-contributed AUR packages were altered to fetch npm-based payloads during installation.
  • The injected changes added npm commands unrelated to the original software; one cited example is the alvr package, which normally does not use npm.
  • The incident is limited to the Arch User Repository, not Arch Linux’s official package repositories, while the community tracks affected packages in a central mailing-list thread.
  • Arch users are being told not to update AUR packages without review, to inspect PKGBUILD diffs and new .install files, and to treat unexpected npm behavior as a possible compromise.
  • The full scope is still being assessed, and the list of affected packages may change as cleanup continues across more than 400 reported packages.
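A small review helper in the spirit of the advice above: it flags npm or npx invocations in a local AUR checkout's PKGBUILD and lists any .install hooks for manual reading. This is an added example, not code from linuxiac or the Arch project; the package it writes with make_sample_pkg is constructed for the demo.

```shell
#!/bin/sh
# Review helper for a local AUR package checkout: flags npm/npx used as a
# command in PKGBUILD and *.install files, and lists every .install hook.
# Exit status 0 = nothing flagged, 1 = something to read before building.

scan_aur_pkg() {
  dir="$1"
  found=0
  for f in "$dir"/PKGBUILD "$dir"/*.install; do
    [ -f "$f" ] || continue
    case "$f" in
      *.install) printf 'REVIEW  %s: hook runs as root at install time\n' "$f" ;;
    esac
    # Match npm/npx as a command word (not as part of another name), then
    # drop lines that are only comments; line numbers stay those of the file.
    hits=$(grep -nE '(^|[^[:alnum:]_.-])(npm|npx)([^[:alnum:]_.-]|$)' "$f" \
           | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
      found=1
      printf 'SUSPECT %s:\n%s\n' "$f" "$hits"
    fi
  done
  return "$found"
}

make_sample_pkg() {
  # Constructed sample mirroring the reported pattern: an npm step added to a
  # package that does not otherwise use npm. Not a real AUR package.
  d="$1"
  mkdir -p "$d"
  cat > "$d/PKGBUILD" <<'EOF'
pkgname=example-app
pkgver=1.0
package() {
  # a comment mentioning npm is not flagged
  make DESTDIR="$pkgdir" install
  npm install --prefix "$pkgdir/opt/example-app" example-helper
}
EOF
  printf 'post_install() {\n  echo installed\n}\n' > "$d/example-app.install"
}

# Demo run on the constructed package.
tmp=$(mktemp -d)
make_sample_pkg "$tmp/example-app"
if scan_aur_pkg "$tmp/example-app"; then echo "clean"; else echo "manual review needed"; fi
rm -rf "$tmp"
```

Run it against a freshly fetched AUR directory before makepkg; a non-zero exit means read the flagged lines, not that the package is definitely malicious.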

Insights

After 400 packages were compromised, is the community-based software model fundamentally broken?
A stealthy Linux rootkit targets developers through trusted packages. How can you detect this invisible threat?
With AI now writing malware, is the era of trusting open-source software over?