Re: Proposal: Make AUR read-only before we delete all the malware and figure a solution to it, to stop more coming
On Friday, June 12th, 2026 at 8:31 PM, archlinux.slogan162@passmail.net <archlinux.slogan162@passmail.net> wrote:
> Looking at the attack leveraging a small amount of accounts which are adopting a lot of packages within a very short amount of time, I wonder if a less nuclear solution may be to ratelimit/flag accounts that do so. That way, the bottleneck becomes the speed at which the attacker gains access to AUR accounts or creates them. The regular Captcha protection may be leveraged here.
>
> I apologize if a similar suggestion was already made.
I definitely agree that some risk modelling can alleviate these mass attacks; however, setting up and tuning parameters, then testing that it actually does have preventative power, takes time. In my opinion, the direction we should take is freeze now, identify current threats (we now have multiple variants using other JavaScript package managers), then enact this new model when it's ready, as well as other mitigations, since that alone won't be enough.
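To make the rate-limit/flag idea from the quoted message concrete, here is an added detection example; it is not code from the thread or from aurweb. It runs a sliding-window counter over a constructed list of package-adoption events and flags any account that adopts more than a threshold of packages within the window. The thresholds (3 adoptions per hour) and the event format are hypothetical stand-ins for whatever the real audit log and tuned parameters would be; a flagged account would then be routed to the existing captcha or a manual review rather than blocked outright.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of adoption events (ISO timestamp, account, package).
# These are made-up values for illustration, not real AUR log data.
SAMPLE_EVENTS = [
    ("2026-06-12T20:00:00", "alice", "pkg-a"),
    ("2026-06-12T20:05:00", "mallory", "pkg-b"),
    ("2026-06-12T20:06:00", "mallory", "pkg-c"),
    ("2026-06-12T20:07:00", "mallory", "pkg-d"),
    ("2026-06-12T20:08:00", "mallory", "pkg-e"),
    ("2026-06-12T20:09:00", "mallory", "pkg-f"),
    # bob adopts one package per hour: steady maintainer, should not be flagged
    ("2026-06-12T21:30:00", "bob", "pkg-g"),
    ("2026-06-12T22:30:00", "bob", "pkg-h"),
    ("2026-06-12T23:30:00", "bob", "pkg-i"),
    ("2026-06-13T00:30:00", "bob", "pkg-j"),
    ("2026-06-13T01:30:00", "bob", "pkg-k"),
]


def flag_rapid_adopters(events, max_adoptions=3, window=timedelta(hours=1)):
    """Return {account: (flag_time, count_in_window)} for every account whose
    adoptions exceed max_adoptions inside any sliding window of length `window`.

    max_adoptions and window are hypothetical thresholds; real values would be
    tuned against historical adoption data before being enforced.
    """
    recent = defaultdict(deque)  # account -> timestamps still inside the window
    flagged = {}
    for ts_str, account, _package in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[account]
        q.append(ts)
        # Evict adoptions that fell out of the window relative to this event.
        while q and ts - q[0] > window:
            q.popleft()
        # Record only the first time the account crosses the threshold.
        if len(q) > max_adoptions and account not in flagged:
            flagged[account] = (ts_str, len(q))
    return flagged


def adoption_decision(account, flagged):
    """Map a flag to the soft action the message suggests: challenge, not ban."""
    return "require_captcha_and_review" if account in flagged else "allow"


if __name__ == "__main__":
    hits = flag_rapid_adopters(SAMPLE_EVENTS)
    for account in ("alice", "mallory", "bob"):
        print(account, adoption_decision(account, hits), hits.get(account))
```

The window is evaluated per event, so an attacker who spreads adoptions just under the threshold across several accounts is still visible as a cluster of near-threshold accounts, which is the kind of signal the tuning step in the reply above would need to measure before the model is trusted to block anything.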
participants (1)
- Michael Shaw