A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning.

Archive Window: 7 Days Left

not specified

Who

Arch Linux team, attackers

What

A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning.

When

Mon, 15 Jun 2026 13:30:00 GMT · 4h 35m ago

Where

not specified ·

Why

Attackers swamped the Arch User Repository with poisoned package updates, compromising over 1,500 user-submitted packages.

The Frontline Impact

How this affects you

The incident has led to the Arch Linux team disabling new account registrations for its community-run package repository and could affect users trying to open new accounts or update packages. This highlights the risks associated with open, community-driven software models like the AUR, where users are expected to inspect package build files themselves.

Story chain

3 events in this thread

Currently Reading4h 35m ago
A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning.
Technology4h 35m ago
The Arch Linux team disabled new account registration on the Arch User Repository (AUR) after a wave of malicious commits compromised over 1,500 user-submitted packages.
Open article
Technology4h 35m ago
The Arch Linux team disabled new account registration on Monday morning for the Arch User Repository (AUR) after a wave of malicious commits.
Open article

Verified Sources & Citations

The Register
https://www.theregister.com/security/2026/06/15/arch-linux-locks-down-aur-signups-amid-wave-of-malicious-commits/5255511
HIGH