Malicious Aur Packages Jun 2026

Waylon Walker Author

Jun 16, 2026 1 min read

Recent Arch linux vulnerabilities are a good reminder of a few things.

AUR is not the official package repo
The AUR is community driven
AUR packages are not always safe

The first thing I’m doing to stop myself from running any aur updates automatically is removing any arch helper.

sudo pacman -Rns yay paru paru-bin

Currently the reported vulnerabilities are supply chain attacks limited to the aur, keep your arch system up do date, BUT do not update packages from the AUR right now. In fact I’m auditing my aur usage and removing anything I have not used in awhile.

Here is a nice script I’m using to walk through my packages and get rid of things I installed and probably don’t need anymore.

pacman -Qemq |
  fzf -m --preview '
    echo "== package =="
    pacman -Qi {} 2>/dev/null
    echo
    echo "== required by =="
    pacman -Qi {} 2>/dev/null | grep "Required By"
  ' |
  xargs -r -o sudo pacman -Rns

Supply chain attacks are getting real scary in 2026, maybe we should listen to Ginger Bill a bit closer.

Latest Thoughts #

Dumb people lay off - YouTube

www.youtube.com

oof Mark, this does not feel like it is set to age well. These people in power feel so disconnected from regular people with a job trying to do work.

The Website Specification

specification.website

The Website Specification A platform-agnostic, full specification of the technical features a good website should have. Built in the open under an MIT licence. The Website Specification · specification.website [1]

A solid checklist for agents to implement on most sites. Very few sites need 100% coverage, but most should probably check most of these boxes

References: [1]: https://specification.website/

Revisiting the closed canon

derekkedziora.com

Revisiting the closed canon A post I wrote in 2023, the closing of the canon, predicted that LLM answers would replace search results, dramatically lowering traffic to individual sites, thereby removing the incentives to eve... Derek Kedziora · derekkedziora.com [1]

This is what makes rss so interesting to me. Its boring old tech that fell out of mainstream popularity years ago, yet many sites still support it. Not all, especially ones that come with a good dickover.

At the same time, it’s sad to see the human internet dying, even more quickly than before. Not only do we have rampant bots and sites seo maxxing to get to the top. We have ai search overview that answers mose simple questions pretty good, chat that does good, and agents at our fingertips. The need for tutorials is pretty much dead.

What we need now is human experiences shared and documented more than ever. I’ve been writing a whole lot less simply because this transition has been hard. Most of my pre 2024 posts were how to, notes for future me. Things so simple agents just spat out better versions in seconds these days with barely a question.

References: [1]: https://derekkedziora.com/notes/revisiting-the…

On Rendering Diffs :: Pierre Computer Company

pierre.computer

On Rendering Diffs A technical deep dive into how we built the @pierre/diffs package and CodeView component for zero-blanking diff rendering. Pierre Computer Company · pierre.computer [1]

It’s incredible how some problems seem so simple until you load the browser with so much text it just bogs to nothing and how impossibly difficult it becomes after this point. Very cool implementation of a problem that…. who has this problem. If it takes me 2 mintues to scroll through a diff at mach speed like the video, is a diff going to solve my problem?

References: [1]: https://pierre.computer/writing/on-rendering-diffs

His presence is still felt in the codebase to this day 😂 #codi...

www.youtube.com

Remember this clip in 5 years, after the churn we just had with RTO and ai this is going to hit. Or AI will just figure is all out for us, who knows anymore. Not that they will figure out the human side, the what does this do, why is it here. A temporary fix is a clear signal to your other devs I didn’t have enough time to do it right, but this works. I think AI will squash a large number of these, especially in big coorporate internal tooling where you are trying to juggle as much as you can and just keep it a float at all times.

Recent Pings #

There is no such thing as magic #

Magic exists to describe things that are beyond our current understanding. When you describe your solution to a problem as magic, you are admitting that you have no idea how you fixed it.

Mythos gone already #

Mythos released days ago, now its gone, before most of us were allowed to touch it.

just good enough #

I built shit on the web before AI, some of it was okay, some I put a lot of time into, but some was just really shitty. Done just well enough to get the job done. All of it had to be written by hand or copy pasted from stack overflow. It was a lot of fun. Now we have a new level of shitty, it looks fine. It looks like it should work good. None of it is just barely good enough, nearly browser default style anymore.

Flowing Thoughts Ai To Help Blast Radius #

Not sure how this matters to anyone else, but I'm sitting in the car and letting the thoughts flow.

I'm having really interesting conversations with ai recently. Like things I never thought I would care this deeply about. In part because it feels like the vulns are coming faster and harder, and in part because it is really enabling me to invest some time into the development that I would not otherwise have. I'm thinking about least privilege, reducing dependencies in containers, limiting pod access to the Internet and other pods. Reducing the blast radius.

Now I've always been hesitant to bring in new dependencies. I've always tried to strip to the lowest possible dependency set n my containers, but I would also re-use the main server container to run cron job workflows. I wasn't giving much thought about what services they could access, or their internet access

Ping 59 #

"All you have to be is good"

source

Not sure if this is a quote from somewhere but thought it was some interesting advice that @thorstenball received when he was starting into web development. He asked a friend already in the industry if he thought he had a shot. He had no degree, no credentials, no experience at the time.

`j`	Scroll down
`k`	Scroll up
`g` `g`	Scroll to top
`Shift` `G`	Scroll to bottom
`d`	Half-page down
`u`	Half-page up

`j` / `↓`	Next post (in feeds)
`k` / `↑`	Previous post (in feeds)
`Enter` / `o`	Open highlighted post
`Shift` `O`	Open in new tab
`g` `h`	Go to home
`g` `s`	Focus search
`[`	Previous page
`]`	Next page
`b`	Toggle left sidebar
`Shift` `B`	Toggle right sidebar
`s`	Toggle simple/rich feed view

`/`	Focus search input
`⌘CtrlK`	Focus search (alternative)
`y` `y`	Copy URL to clipboard
`?`	Show this help
`Esc`	Close / clear highlight

Share this post