more than 1,500 packages in the arch user repository — a community software source for the arch linux operating system — were hijacked and injected with credential-stealing code and optional rootkits, delivered in obfuscated follow-on waves before maintainers purged them. a coordinated poisoning at that scale of a trusted package repository is a supply-chain attack reaching every machine that pulls the affected software, not a single-target breach.