On Friday, July 18th, 2025, the Arch Linux team was notified that three AUR packages had been uploaded that contained malware. A few maintainers including myself took care of deleting these packages, removing all traces of the malicious code, and protecting against future malicious uploads.
My fellow maintainer Quentin Michaud already did a nice write-up about how the malware worked, so I won’t go into too much detail about that. If you want to know more about that, read his blog. Instead, I’d like to do a crash course on how these packaging scripts work, and how you would review them yourself.
What is the AUR?
The Arch User Repository is a collection of packaging scripts, PKGBUILD files, created by users. Anyone who creates an account on aur.archlinux.org can upload an Arch Linux packaging script, provided one doesn’t already exist under the same name. There are of course some rules around what you can submit (e.g. don’t duplicate other official or AUR packages), but generally anything goes.
Each package has one primary maintainer, by default whoever uploaded the packaging script first, but that can change over time, either by that maintainer transferring responsibility themselves, or by moderators removing the maintainer for various reasons. This is not a democracy, or even a meritocracy, but it works, and there is a lot of useful software on there.
Installing from AUR packaging scripts is not quite as simple as installing from the main packaging repos. You can run makepkg on a PKGBUILD and install the resulting package, but this gets more difficult as those PKGBUILDs often depend on other packages only found in the AUR. To make this easier, people often use AUR helpers, which provide a pacman-like experience to manage them. That does come with some drawbacks, however.
Anyone who wants to do so can upload their PKGBUILD to the AUR. That is great to lower the barrier to entry, and it is how I got my start contributing to Arch Linux. Unfortunately, not everyone has the best intentions, and it has happened that people upload malware. Because of this, it is crucial that you vet the PKGBUILDs that you install.
What do PKGBUILDs look like?
As mentioned before, the AUR does not contain packages, but rather build scripts that create packages. Arch Linux PKGBUILDs are simply bash scripts that follow a certain pattern. Take the following example:
# Maintainer: John Doe
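The original post's example script is cut off above. What follows is an added example, not code from the post or from the Arch project: a constructed PKGBUILD in the usual shape, followed by two checks a reviewer can run over it before calling makepkg, listing which source entries are pinned to a checksum and whether the script body downloads anything on its own. The package name, URLs and checksum value are placeholders.

```shell
# Constructed PKGBUILD in the usual shape; every value is a placeholder.
EXAMPLE_PKGBUILD=$(cat <<'EOF'
# Maintainer: John Doe <john@example.com>
pkgname=hello-example
pkgver=1.0.0
pkgrel=1
pkgdesc="Constructed example package"
arch=('x86_64')
url="https://example.com/hello"
license=('MIT')
source=("https://example.com/hello-$pkgver.tar.gz"
        "helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$srcdir/hello-$pkgver"
  make
}
package() {
  cd "$srcdir/hello-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
)

# Evaluate the script in a throwaway bash process, as makepkg does, and
# print one "source checksum" pair per line. Only do this with a script
# you are about to read anyway: sourcing it runs any top-level commands.
list_sources() {
  _tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$_tmp"
  bash -c 'source "$1"
    for i in "${!source[@]}"; do
      printf "%s %s\n" "${source[$i]}" "${sha256sums[$i]:-MISSING}"
    done' _ "$_tmp"
  rm -f "$_tmp"
}

# Sources whose integrity makepkg cannot verify (SKIP or no checksum at all).
count_unpinned() {
  list_sources "$1" | awk '$2 == "SKIP" || $2 == "MISSING" { n++ } END { print n + 0 }'
}

# Direct downloads inside the script body. makepkg checksums only what it
# fetches through source=(), so a curl/wget in prepare()/build()/package()
# bypasses that verification and is the first thing to look at in a review.
count_network_calls() {
  printf '%s\n' "$1" | grep -cE '^[[:space:]]*(curl|wget)([[:space:]]|$)' || true
}
```

A `SKIP` entry for a local helper file is common and harmless on its own; it matters when that file is a script the build runs, so read it with the same care as the PKGBUILD.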