The Arch User Repository (AUR) is a collection of user-created and submitted packages that are available to Arch and its many derivatives. Many could have predicted the AUR would fall victim to abuse – in fact, it has happened before, just not to this extreme. To make matters worse, this latest attack happened just after over 1,500 affected packages were found.

“We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed," reports Campbell Jones in official Arch Linux News. "While this is happening, and while we work to create a more permanent solution, users may see issues with the following: Creating new accounts on the AUR, pushing package updates, adopting or creating new packages."

Jones continues, "We continue to encourage all users of AUR packages to review all PKGBUILD and install script changes when updating, especially during this time. If you notice suspicious commits to a package that you use, please reach out to Arch staff via the aur-general mailing list with more information."

Phoronix reports that this latest round is much more sophisticated than the previous, with the ability to hide its intent using code obfuscation.

The newest round of malicious packages was initially reported by Nicolas Boichat, where he points to this diff and refers to a post from Jonathan Grotelüschen, who states, "... we’re working hard to reset/delete all malicious commits and ban the accounts." Grotelüschen follows up with, "If you find more malicious packages, please **send them as a reply to this email** to keep them all in one thread."

Is it time for Arch to rethink the AUR? I believe it is.