The Arch Linux team disabled new account registration on the Arch User Repository (AUR) after a wave of malicious commits compromised over 1,500 user-submitted packages.

Archive Window: 7 Days Left

global (community-run online repository)

Who

Arch Linux team, attackers

What

The Arch Linux team disabled new account registration on the Arch User Repository (AUR) after a wave of malicious commits compromised over 1,500 user-submitted packages.

When

Mon, 15 Jun 2026 13:30:00 GMT · 3h 15m ago

Where

global (community-run online repository) ·

Why

Attackers swamped the AUR with poisoned package updates, attempting to pull in hostile JavaScript dependencies.

The Frontline Impact

How this affects you

New account creation for the Arch User Repository is currently disabled, and users might face issues with pushing updates or creating packages. This incident highlights the security risks in the open, community-driven model of the AUR.

Story chain

3 events in this thread

Technology3h 15m ago
A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning.
Open article
Currently Reading3h 15m ago
The Arch Linux team disabled new account registration on the Arch User Repository (AUR) after a wave of malicious commits compromised over 1,500 user-submitted packages.
Technology3h 15m ago
The Arch Linux team disabled new account registration on Monday morning for the Arch User Repository (AUR) after a wave of malicious commits.
Open article

Verified Sources & Citations

The Register
https://www.theregister.com/security/2026/06/15/arch-linux-locks-down-aur-signups-amid-wave-of-malicious-commits/5255511
HIGH