
Arch Linux AUR Hit By Another Wave Of Now More Sophisticated Malware Attack

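Summary

Following yesterday's incident in which more than 1,500 packages were affected, a new round of malicious attacks has been found in the AUR. This round is stealthier, using code obfuscation to hide its malicious intent. The affected items include Node.js packages, Plasma 6 applets, Firefox extensions, the Aura browser and NeoVim plug-ins, among others. Some of the malicious code was detected by a developer using the Gemma E2B AI model. The affected packages have now been dealt with, and the community is discussing whether the AUR's security verification mechanisms should be strengthened.

Why read it

Note the engineering case in the article of using a local AI model (Gemma E2B) to identify obfuscated malicious code. It offers a concrete reference for the technical feasibility of handling untrusted third-party dependency packages or building automated security audit tooling.

Original article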

Arch Linux AUR Hit By Another Wave Of Now More Sophisticated Malware Attack

Written by Michael Larabel in Arch Linux on 14 June 2026 at 06:32 AM EDT.

Just a day after Arch Linux developers believed they had gotten their AUR malware incident under control, with 1,500+ packages affected by malware, another round of AUR malware is now being discovered. This latest round is more sophisticated, with code obfuscation to better conceal the intent.

Last night another round of malware in Arch Linux AUR packages was reported by developer a821. Various Node.js packages, a Plasma 6 applets package, some Firefox packages, the Aura browser, LibreWolf extensions, a NeoVim plug-in, and various other packages were all found with malware via obfuscated code. Shortly thereafter a821 reported back that the affected packages were taken care of.

Hours later, Nicolas Boichat reported more malware in AUR packages. Boichat discovered those latest malware bits using a local Gemma E2B AI model. The new malware attempt in AUR was described as "a bit more elaborate" in obfuscating the action around the Bun command.

[Image: obfuscated malware install command example]

At this stage it's a bit surprising they don't completely shut down AUR until they can better verify the security and safety of this user-supplied repository, or at least implement new safeguards on changes.
