Arch Linux Halts New AUR Account Registrations

The Arch Linux project has suspended registration of new accounts in the AUR (Arch User Repository) because of ongoing vandalism and the substitution of malicious code into packages. The decision comes after Arch Linux developers attempted to protect against the issue with selective filters, but attackers managed to circumvent them by substituting npm with bun and obfuscating the call to their code in the post_install function. Registration will be reinstated once more effective security measures are put in place.

To perform their attack, the perpetrators exploited the option available in the AUR to adopt orphaned packages, which were left unattended. This feature was accessible to anyone without any restrictions or verifications. Currently, there are 107,406 packages hosted in the AUR, with 13,050 designated as “orphaned” (a week ago there were 15,261). Last week saw 5,578 package updates in the repository, compared to 3,446 updates in the preceding week. The AUR has a total of 141,967 registered users and 69 package maintainers (previously, there were 140,949 users and 69 maintainers).
