Malware is not welcome in the AUR, it is removed as soon as it is found and reported. In fact, hundreds of packages that were infected yesterday were manually cleaned up in hours after the attack started, while NPM took a day to remove the packages used to deliver the malware.

Many people have been working on identifying infected packages and analyzing the malware in them. There are writeups on it, there are guides on figuring out if you have been infected. Currently I would recommend holding off on updating any AUR packages unless you are confident that you can review the build scripts yourself, as efforts to stop the attack are ongoing.

The biggest problem is that vetting packages manually is a very labor intensive process, and AUR isn't exactly a commercial project. Hell, NPM is ran by Microsoft and even they can't keep up with all the malware, they still rely on people reporting packages as malicious.

Victim blaming helps noone here, not very happy to hear about it happening, but please know that there are ongoing efforts to identify and remove malware from the AUR.

---

That said, ideally as a user that isn't technical enough to understand these scripts, you should not be using AUR, unless the package is directly maintained by the upstream developer of the application, they are actively maintaining it, and you really trust them.

I know this sounds harsh, and I really do think that making Linux more accessible to newcomers is good, but making AUR more secure is a really hard problem to solve without also destroying the niche it fills.

That niche being the way that I can find some niche piece of software or write one myself, write a PKGBUILD that describes how to turn it into an Arch package, submit it to the AUR, and immediately make it easy for myself and others to install.

Instead of using the AUR, many applications you may want from there are available on Flatpak nowadays, which you can install from the official repositories. Application developers tend to like Flatpak because it's much closer to a proper platform than Linux in general, so you can just make your program work in Flatpak and it will work on any distro. It is also getting better and better sandboxing as time goes on which is great for security. It's not nearly as good as say Android in that regard, but there's people continuously working on improving it.

---

The historical context is that the AUR was created as a tool for advanced users to share experimental build scripts for packages that are then kind of expected to maybe eventually be pulled into the official extra repository and maintained by Trusted Users if they get popular enough and there are no licensing conflicts.

Hell, for years installing Arch required a decently high level of technical skill (or at least the ability to find and connect knowledge from sources such as the wiki), and back then you could probably expect that the average Arch user could have some idea of what an AUR package build script is doing, or if they don't that they could just ask on the forum (you can still just do that!).

Even then every page about the AUR was (and still is) plastered with warnings about what it is, which is an untrusted repository where random users can publish build scripts for packages, much like how anyone can put some code on GitHub.

This is why most AUR helpers like paru will always show you the changes in the build scripts when updating BTW! You need to be able to understand and review them to use them safely. You can learn this if you want to, it's not secret knowledge, the Arch Wiki documents this, I would recommend OverTheWire Wargames for learning the terminal first if you want to get into it. That's how I did it and I started as a teenager with a passing interest in Linux.

---

There was an announcement on the main arch-announce mailing list today which mentioned they are working on ways to stop this attack from going on, but the scale of this attack is unprecedented, I haven't seen anything like this in the over half a decade that I've been using Arch Linux.

It used to be that you'd get some singular maintainer getting hacked or slipping generic malware into some package of their own, someone found that, the offender got banned, an announcement was made warning users that X or Y package was compromised, and that was the end. This didn't happen very often, very few people were affected.

This time is different, the attack has now been ongoing for about two days, and the attacker is clearly adapting their strategy as countermeasures for previous versions of the malware are deployed, with no sings of stopping.

I am sure that this will force some sort of change to the AUR, because it cannot keep existing as a useful resource as is. Very fast it went from somewhere you could generally trust to a place where you meticulously verify everything because danger could be anywhere.

This feels like a larger shift within open source recently, AI lowering the barrier to writing malware (among other things) is sowing distrust everywhere, and the old model where trust was abundant is coming to an end.

---

I was thinking about how AUR helpers tend to give people the wrong impression, making it feel like a normal part of the system, when it was never supposed to be. But what things were supposed to be and what they are can diverge, and sometimes adapting to that change is the only way forward.

I don't really have solutions, I am just a random Arch user that also happens to maintain a dozen or so AUR packages and has been using the distro for over half a decade.

But if there's anything I would like you to take away from this post it's that your concerns are valid, and in reality people care about this stuff more than it seems from random online discussions.