AUR Packages Compromised with Infostealer and Rootkit

Arch users are panic-checking their PCs as commenters swing from jokes to total distrust

TLDR: More than 408 Arch community (AUR) packages were reportedly poisoned with malware, and security advice now ranges from scanning your system to reinstalling entirely if you were exposed. Commenters are split between practical help, gallows humor, and outrage that this kind of trust-breaking package attack keeps happening.

Arch Linux fans are having a very bad week after news broke that more than 408 community-made software packages were allegedly taken over by a new maintainer and quietly stuffed with malware. In plain English: people downloading handy add-ons may also have downloaded a thief that steals data — and, even worse, something that can hide deep inside a computer. That last part is why the mood in the comments is less “oops” and more burn it down and start over.

The community reaction is the real spectacle. One camp instantly went into emergency-helper mode, sharing scanner scripts and repeating the sacred commandment: “Never pipe a script directly to bash.” Another camp was sounding the alarm that this is “especially gnarly” because Arch-based systems like CachyOS are getting more popular, meaning this mess could hit a wider crowd than usual. Then came the fatalists: one commenter bluntly noted this is the third time something like this has happened, which turned the thread into a referendum on trust in user-submitted package hubs.

There was also dark humor, because of course there was. One commenter joked that someone should make a fake npm program that simply emails you whenever it gets run — basically a canary for “why is this installer touching JavaScript tools at all?” Others urged caution about false positives, warning that not every matching package means you were actually hit. The vibe is a cocktail of panic, nerdy detective work, and that classic internet feeling: how was this allowed to happen again?

Key Points

  • A reported AUR compromise involved a new maintainer account, "arojas," allegedly adopting and infecting more than 408 packages.
  • The modified packages reportedly added preinstall scripts that used npm to install the malicious package atomic-lockfile.
  • The article says Arch Linux users should review the affected package list and use the referenced aur_check.sh script to check exposure.
  • Readers are directed to the Ioctl blog for indicators of compromise and advised to preserve affected systems for forensic investigation.
  • The article states that the attack is notable for combining infostealer behavior with a possible eBPF rootkit, despite many affected packages being relatively rare.
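As an added example (not the aur_check.sh script the article refers to, and not code from the Arch project or the Ioctl blog), here is a small defender-side exposure check built from the two facts the key points give: a list of affected package names to compare against what is installed, and the tell-tale of an npm call from a package's pre-install hook. The affected-package list, the sample installed-package list and the .install file contents embedded below are constructed placeholders; the real list comes from the article, and the real hook is the .install file shipped with each package.

```shell
#!/bin/sh
# Added example, not the article's aur_check.sh: compare installed foreign
# (AUR) packages against an affected-package list and flag pre-install hooks
# that call npm. All data below is constructed sample data unless noted.

# Constructed placeholder list; substitute the published affected-package list.
AFFECTED_PKGS='example-affected-pkg
another-affected-pkg'

# Print every name from a newline-separated package list ($1) that also
# appears in AFFECTED_PKGS. Exact, whole-name matches only.
find_exposed() {
  printf '%s\n' "$1" | while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    if printf '%s\n' "$AFFECTED_PKGS" | grep -qx -- "$pkg"; then
      printf '%s\n' "$pkg"
    fi
  done
}

# Return 0 when the .install text in $1 invokes npm inside pre_install(),
# 1 otherwise. A heuristic: it catches the pattern the article describes,
# not every way a hook could fetch code.
hook_runs_npm() {
  printf '%s\n' "$1" | awk '
    /^pre_install[ \t]*\(\)/ { inhook = 1 }
    inhook && /npm[ \t]+(install|i)([ \t]|$)/ { found = 1 }
    inhook && /^}/ { inhook = 0 }
    END { exit (found ? 0 : 1) }'
}

# Constructed .install contents: one clean hook, one that pulls the npm
# package named in the article at pre-install time.
CLEAN_INSTALL='post_install() {
  echo "nothing unusual here"
}'
SUSPICIOUS_INSTALL='post_install() {
  echo "installed"
}
pre_install() {
  npm install -g atomic-lockfile
}'

# Constructed fallback used when pacman is not available on this machine.
SAMPLE_INSTALLED='yay
example-affected-pkg
some-other-aur-pkg'

if command -v pacman >/dev/null 2>&1; then
  installed=$(pacman -Qmq)   # foreign packages: not from any sync repo
else
  installed=$SAMPLE_INSTALLED
fi

echo "Installed packages on the affected list:"
find_exposed "$installed"

for f in "$CLEAN_INSTALL" "$SUSPICIOUS_INSTALL"; do
  if hook_runs_npm "$f"; then
    echo "pre_install hook calls npm: SUSPICIOUS"
  else
    echo "pre_install hook: no npm call found"
  fi
done
```

On an Arch system the script reads the foreign (non-repository) package list from `pacman -Qmq`; elsewhere it falls back to the constructed sample. A hit on either check means the host should be treated as exposed and preserved for investigation, as the article advises; an empty result is a heuristic outcome, not a clean bill of health.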

Hottest takes

"Never pipe a script directly to bash." — UI_at_80x24
"This is especially gnarly as more people have been picking up arch distros as of late" — lordleft
"third time this has happened" — nialv7

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.