Some AUR packages were uploaded containing malware (2025-07-18 & 2026-06-11)

:warning: Many packages have just been added or updated with malicious install files. Watch out for new Maintainers updating old orphaned packages, adding npm as a dependency and adding an install file. See the workbench commit below (should be reverted soon, I just reported it).

A few examples from the last 24 hours:

  • yay4 (deleted)
  • minitube (commit reverted)
  • gnome-randr-rust (commit reverted)
  • workbench (commit)

EDIT: More are being reported, see the recent aur-general mailing list posts.

EDIT 2: New Arch forum topic:

The Moderation team is aware and a few of the moderators are already cleaning things up!

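A triage check for the pattern described in the post above (an update that adds npm as a dependency together with an install file), as an added example that is not part of the original post. The function names and the two sample PKGBUILDs for a hypothetical `example-tool` package are constructed; a hit only means the change needs a manual read before building.

```python
import re

# depends=(), makedepends=(), checkdepends=() and arch-specific variants,
# including arrays that span several lines. optdepends is skipped on purpose
# because its entries carry free-text descriptions.
_DEP_ARRAY = re.compile(
    r"^\s*(?:make|check)?depends(?:_\w+)?\s*=\s*\((.*?)\)", re.M | re.S)
# The install= variable, not the install(1) command used inside package().
_INSTALL = re.compile(r"^\s*install\s*=\s*(\S+)", re.M)

def dep_names(pkgbuild):
    """Return the set of package names listed in the dependency arrays."""
    names = set()
    for body in _DEP_ARRAY.findall(pkgbuild):
        body = re.sub(r"#.*", "", body)            # drop trailing comments
        for tok in re.findall(r"[^\s'\"]+", body):
            names.add(re.split(r"[<>=:]", tok)[0])  # strip version constraints
    return names

def install_file(pkgbuild):
    """Return the value of install=, or None when the variable is not set."""
    m = _INSTALL.search(pkgbuild)
    return m.group(1).strip("'\"") if m else None

def review(old, new):
    """Compare two PKGBUILD revisions and list the indicators from the post."""
    findings = []
    if "npm" in dep_names(new) - dep_names(old):
        findings.append("npm newly added as a dependency")
    old_i, new_i = install_file(old), install_file(new)
    if new_i and new_i != old_i:
        findings.append(f"install file added or changed: {new_i}")
    return findings

# Constructed sample revisions (not taken from any real AUR package).
OLD = """pkgname=example-tool
pkgver=1.0
depends=('glibc' 'qt6-base')
makedepends=('cmake')
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
"""
NEW = OLD.replace("'qt6-base')", "'qt6-base'\n         'npm>=10')") \
         .replace("pkgver=1.0", "pkgver=1.0\ninstall=example-tool.install")

if __name__ == "__main__":
    for finding in review(OLD, NEW):
        print("REVIEW:", finding)
```

Run it against the previous and current PKGBUILD from the package's AUR git history; whether the maintainer is new to an orphaned package still has to be checked on the package page.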