
AUR Packages Compromised with Infostealer and Rootkit

https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577
86•keyle•6h ago

Comments

UI_at_80x24•1h ago
Here's an easy script to scan for compromised packages:

https://cscs.pastes.sh/aurvulntest20260611.sh

Not my script. It's easy to read/parse. Never pipe a script directly to bash.

sva_•1h ago
It isn't guaranteed that the list is conclusive.

Always check PKGBUILD and sources, AUR is not to be trusted for the most part. I'm actually more surprised that such compromise hasn't happened earlier.

matheusmoreira•1h ago
The Arch Wiki does note that malware has made it into the AUR several times before.
datakan•9m ago
> I'm actually more surprised that such compromise hasn't happened earlier.

This is like the 3rd or 4th time. It's been ongoing and persistent for the last 2 years with frequent AUR downtime as a result.

The AUR should be deprecated in its current state, simply can't be trusted and is a blemish on an otherwise great distro.

sph•1h ago
A quicker alternative:

  comm -1 -2 <(pacman -Qq | sort) <(curl -s https://gist.githubusercontent.com/quantenProjects/3f768dce7331618310f016d975bf8547/raw/beef579f8a8efeed6ccf60788e5b768775550095/packages | sort)
It's never a bad time to learn about comm(1).
lordleft•1h ago
This is especially gnarly as more people have been picking up arch distros as of late (like CachyOS).
scary-size•1h ago
Installed CachyOS to replace my Win 10 installation a month ago. Not looking back! But yeah this sucks, I've mostly used Ubuntu with apt in the past. Pacman and makepkg felt a bit weird to use in the beginning.
keyle•1h ago
More news is coming out about this:

https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised

I toyed with the idea that someone should write a binary that simply emails, or alert you when it's been run... as a canary... and call that `npm`.

At this point, not renaming the npm binary is a big risk.

nialv7•1h ago
third time this has happened:

https://news.ycombinator.com/item?id=17501379 https://news.ycombinator.com/item?id=44607740

sph•1h ago
Be aware of false positives! I found I had two of these packages installed, clang19 and compiler-rt19, but due to my recent laziness in updating my system, mine were still the versions from July 2025 from the official repos before they had relegated them to AUR.

You can check the build and install date with `pacman -Qi <package>`.

I run Arch Linux in a container (within Fedora Silverblue), but my plan for the future:

- consider switching away from Arch Linux for my dev container, with great sadness. A rolling distro is a terrible idea in the current security climate. I loved using Arch for my dev container exactly because of AUR.

- switch to Fedora Stable, perhaps the previous release which still gets security fixes but no other updates. I am still on Fedora 43, I guess I have no rush to update to 44.

- be even lazier in updating my workstation. I used to update daily when I was running Arch, then I moved to weekly last year when I got stuck with slow internet, now consider updating monthly or more (of course, unless there are critical security bugs)

- Flatpak and Flathub terrify me, it's only a matter of time until malware appears. I have had automatic upgrades disabled for a while.

- for the love of God don't touch anything that uses npm

Previously: https://news.ycombinator.com/item?id=48458931
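The two checks sph describes above, the comm(1) intersection of installed names against a flagged list and the `pacman -Qi` look at build date and origin for each hit, as one POSIX shell script. This is an added example, not code from the thread: the package lists and the `pacman -Qi` excerpts are constructed (foo-cli is a hypothetical package), and the triage step is a heuristic that assumes `pacman -Qi` reports "Unknown Packager" and "Validated By : None" for a package built locally with makepkg.

```shell
#!/bin/sh
# Constructed sample of what `pacman -Qq` prints (installed package names).
INSTALLED_SAMPLE='clang19
compiler-rt19
firefox
foo-cli'
# Constructed flagged-name list; a hypothetical stand-in for a published list, not the real one.
FLAGGED_SAMPLE='compiler-rt19
clang19
foo-cli
some-other-pkg'
# Constructed `pacman -Qi clang19` excerpt: the pre-relegation official build, signed by a repo packager.
QI_CLANG='Name         : clang19
Build Date   : Mon 14 Jul 2025 10:12:33 PM UTC
Packager     : Example Packager <packager@example.org>
Validated By : Signature'
# Constructed `pacman -Qi foo-cli` excerpt: built locally with makepkg from a PKGBUILD (hypothetical).
QI_FOOCLI='Name         : foo-cli
Build Date   : Thu 11 Jun 2026 09:40:02 PM UTC
Packager     : Unknown Packager
Validated By : None'

# Names present in both lists: sph's comm(1) check, written without bash process substitution.
flagged_installed() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | sort -u >"$a"
  printf '%s\n' "$2" | sort -u >"$b"
  comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

# Extract one field from `pacman -Qi` output, e.g. qi_field "$QI_CLANG" 'Build Date'.
qi_field() {
  printf '%s\n' "$1" | sed -n "s/^$2 *: //p"
}

# Heuristic triage (assumption): a named packager plus a signature means the files came from a
# repository (the false-positive case sph describes); "Unknown Packager" or "None" means a local
# makepkg build, so the PKGBUILD history it was built from needs a look.
triage() {
  if [ "$(qi_field "$1" Packager)" = "Unknown Packager" ] ||
     [ "$(qi_field "$1" 'Validated By')" = "None" ]; then
    echo "local-build: inspect"
  else
    echo "repo-build from $(qi_field "$1" 'Build Date'): likely false positive"
  fi
}
```

On a real system, pass `"$(pacman -Qq)"` and the downloaded list as the two arguments to `flagged_installed`, then run `triage "$(pacman -Qi "$p")"` for each name it prints.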

reedlaw•21m ago
I also had an affected package installed, fortunately it was from the official repo before it was dropped and became an AUR package.
doubled112•5m ago
> Flatpak and Flathub terrify me

I thought Flathub has a review and approval process. Does it fall short in some fundamental way?

Any review process is more than the AUR and NPM are doing.

Retr0id•1h ago
I haven't used Arch for a few years now, but when I did the AUR was my favourite aspect.

It was never perfect from a security PoV, but in 2026 this kind of trust model feels increasingly scary.

QuantumNoodle•1h ago
Man, I never hear good security things about npm
Retr0id•1h ago
This doesn't really have anything to do with npm.
vitamark•55m ago
anything except that it's malware installed via npm
notabotiswear•49m ago
From the Arch mailing list [0]

>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something

[0] https://lists.archlinux.org/archives/list/aur-general@lists....

Retr0id•33m ago
They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
notabotiswear•6m ago
Perhaps there were other vectors, but npm was the one used here.

And yes, this is an AUR issue, but npm being used to host and disseminate malware is also [a chronic] one, even if separate.

virajk_31•1h ago
AUR doesn't guarantee security, it's up to the user to use AUR & verify before installing anything, it's very evident why Arch is not used in enterprise solutions.
hootz•1h ago
Arch is not used in enterprise solutions because of the AUR? Can't you just not use it?
fooqux•1h ago
It's not the AUR. It's the rolling release cycle, and probably even more importantly, lack of support options.
datakan•8m ago
The AUR has absolutely nothing to do with the rolling release cycle
self_awareness•41m ago
How does a person 'adopt' 408 packages and control their build scripts?
Technetium•20m ago
They were orphaned, so anyone could adopt them. There are 15k other orphans at the moment.
secret-noun•40m ago
Here's a commit showing how they did it: https://aur.archlinux.org/cgit/aur.git/commit/?h=pass-cli&id...

Internet archive URL: https://web.archive.org/web/20260611213640/https://aur.archl...

spystath•34m ago
Obviously installing anything from AUR must be done cautiously and there have always been sketchy (as in improperly built/packaged) packages in the past but seeing actively malicious injections is concerning. I think there are two main problems with AUR: 1. it is a remnant of a slightly more egalitarian era in the open source history when you could generally trust 3rd party code and 2. orphaned packages can be adopted by anyone with their full history and vetting intact.

I think we are well past (1) but (2) could be mitigated by tighter controls on AUR accounts and potentially additional safeguards from AUR helpers. Maybe show a big scary warning if the package has changed owners recently. I know there will still be people that will "y" their way forward but it's better than nothing.

Or just avoid AUR helpers altogether and inspect/build the packages you need yourself from their PKGBUILDs directly.

jeremyjh•4m ago
There was never an era in which #2 was a reasonable policy.
xx_ns•11m ago
This campaign is still ongoing. I just got an email that one of my old packages (which hasn't worked for years and was orphaned for a while) was adopted and immediately a malicious commit was pushed. They seem to be using bun instead of npm now, so any npm-based workaround likely isn't effective.

https://aur.archlinux.org/cgit/aur.git/commit/?h=toggldeskto...
