Supply Chain Security Attacks Hit the AUR
The Arch User Repository faced a wave of attacks, documented in a post titled 'AURpocalypse now.' The thread covers how the AUR's open-contribution model, which is its core strength, is also what makes it a soft target. The latest version of yay (v13+) now supports skipping recently added packages via a Lua extension system as a partial mitigation.
This is part of a broader and accelerating pattern of supply chain attacks on open package ecosystems. The npm-scan project, also surfaced today, addresses exactly this problem for the npm ecosystem. The attack surface is the same everywhere: open contribution, minimal pre-publish review, and developers who install packages reflexively.
The HN comments note that openSUSE's Packman repository has similar structural vulnerabilities, suggesting this is not an Arch-specific problem but a fundamental tension in community-maintained package repositories.
So what?
If your build pipeline pulls from AUR, npm, or similar community repositories, you need explicit policies around how new or recently updated packages get approved. Pinning versions is not enough if the pinned version was already compromised before you pinned it. Audit your dependency tree now, not after an incident.
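One concrete form the "explicit policies" above can take is a quarantine check that runs before a build is allowed to pull a package: new packages, recently modified packages, orphaned packages and packages with little community history get held or blocked rather than installed reflexively. The following is an added example, not code from the AUR, yay or npm-scan projects. It parses a response shaped like the AUR RPC v5 `info` format (field names `Name`, `Maintainer`, `NumVotes`, `FirstSubmitted`, `LastModified`), but the sample payload, package names and thresholds are constructed for the example; the same gate applies to any registry that exposes first-publish and last-modified metadata.

```python
"""Quarantine gate for community-repository packages (added example, not project code)."""
import json
from dataclasses import dataclass

DAY = 86400
# Fixed "now" (2025-01-15 00:00 UTC) so the example is deterministic offline.
NOW_TS = 1736899200


@dataclass(frozen=True)
class Policy:
    """Thresholds are illustrative; tune them to your risk appetite."""
    min_package_age_days: int = 30   # block anything first submitted more recently than this
    recent_change_days: int = 7      # hold packages modified inside this window for human review
    min_votes: int = 5               # hold packages with almost no community history


# Constructed sample shaped like an AUR RPC v5 multiinfo response; packages are fictitious.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "example-old-tool", "Version": "2.1.0-1", "Maintainer": "longtime-maint",
         "NumVotes": 420, "FirstSubmitted": 1400000000, "LastModified": 1700000000},
        {"Name": "example-new-tool", "Version": "1.0.0-1", "Maintainer": "fresh-account",
         "NumVotes": 0, "FirstSubmitted": NOW_TS - 2 * DAY, "LastModified": NOW_TS - 1 * DAY},
        {"Name": "example-orphan", "Version": "0.9-3", "Maintainer": None,
         "NumVotes": 15, "FirstSubmitted": 1600000000, "LastModified": NOW_TS - 3 * DAY},
    ],
})

_SEVERITY = {"allow": 0, "review": 1, "block": 2}


def parse_rpc_info(text: str) -> list:
    """Parse an RPC v5 info/multiinfo body and return the list of package records."""
    data = json.loads(text)
    if data.get("version") != 5 or data.get("type") not in ("info", "multiinfo"):
        raise ValueError("unexpected RPC payload type: %r" % data.get("type"))
    return list(data.get("results", []))


def evaluate(pkg: dict, now_ts: int, policy: Policy = Policy()) -> tuple:
    """Return (decision, reasons) for one package; decision is allow, review or block."""
    first, modified = pkg.get("FirstSubmitted"), pkg.get("LastModified")
    if first is None or modified is None:
        # Missing provenance is itself a reason to stop and look, never to allow.
        return "review", ["missing submission/modification metadata"]

    decision, reasons = "allow", []

    def escalate(level: str, why: str) -> None:
        nonlocal decision
        reasons.append(why)
        if _SEVERITY[level] > _SEVERITY[decision]:
            decision = level

    age_days = (now_ts - int(first)) / DAY
    if age_days < policy.min_package_age_days:
        escalate("block", "first submitted %.0f days ago (< %d)" % (age_days, policy.min_package_age_days))
    if (now_ts - int(modified)) / DAY < policy.recent_change_days:
        escalate("review", "modified within the last %d days" % policy.recent_change_days)
    if pkg.get("Maintainer") is None:
        escalate("review", "orphaned (no maintainer)")
    if int(pkg.get("NumVotes", 0)) < policy.min_votes:
        escalate("review", "fewer than %d votes" % policy.min_votes)
    return decision, reasons


def check_packages(text: str, now_ts: int = NOW_TS, policy: Policy = Policy()) -> dict:
    """Map package name -> (decision, reasons) for every record in the response."""
    return {p["Name"]: evaluate(p, now_ts, policy) for p in parse_rpc_info(text)}


if __name__ == "__main__":
    for name, (decision, reasons) in check_packages(SAMPLE_RPC_RESPONSE).items():
        print("%-18s %-7s %s" % (name, decision, "; ".join(reasons) or "-"))
```

In a pipeline, `block` fails the build and `review` opens a ticket for a human to inspect the PKGBUILD diff; only `allow` proceeds. The check deliberately treats missing metadata as `review` rather than `allow`, and a recently modified package is held even when it is old and popular, because a maintainer-account takeover looks exactly like a routine update from the outside.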