ALVR package compromised with malware in Arch User Repository

📰 Related articles

In-depth multi-perspective briefings we've written on this story.

A massive number of malicious packages have been discovered in Arch's package ecosystem.
The Arch User Repository has been compromised, threatening Arch Linux and derivative distributions.
A recent ALVR update from the Arch Linux AUR may have introduced a breaking change affecting VR functionality.
AUR security incidents are inevitable given untrusted packages; users must audit PKGBUILDs themselves.
Phoronix reports major AUR security incident affecting 1500+ packages.
Discussion of how orphaned packages in AUR can be adopted by any community member, highlighting the open-access nature of the system.

Peak 1 mentions/hour · 7 hourly buckets

Every thread this story was extracted from, with live and archive links so the evidence is verifiable.

/g/109040408 ↗ live · archive mocking breaking 249 replies A massive number of malicious packages have been discovered in Arch's package ecosystem.
/g/109064091 ↗ live · archive defensive evergreen 31 replies AUR security incidents are inevitable given untrusted packages; users must audit PKGBUILDs themselves.
/g/109065714 ↗ live · archive neutral evergreen 10 replies Discussion of how orphaned packages in AUR can be adopted by any community member, highlighting the open-access nature of the system.
/g/109031268 ↗ live · archive alarmed breaking 232 replies A malware-infected version of the ALVR VR streaming package was discovered in the AUR community repository.
/g/109045643 ↗ live · archive alarmed breaking 41 replies A recent ALVR update from the Arch Linux AUR may have introduced a breaking change affecting VR functionality.
/g/109051778 ↗ live · archive alarmed breaking 1 replies Phoronix reports major AUR security incident affecting 1500+ packages.
/g/109040725 ↗ live · archive alarmed breaking 45 replies The Arch User Repository has been compromised, threatening Arch Linux and derivative distributions.