─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (480 total)...
Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯
curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (480 total)...
Clean: None of the known infected packages were installed within 48 hours of the campaign.
I checked the script before running it - in the script I saw package names which could perhaps be installed on my homeserver (it’s running debian). Checked there as well, but I suppose that was rather pointless, as the debian repositories are unlikely to be infected?
Well, since the malicious code is inserted via npm, all things using npm packages could be infected, right? We’re only looking at the AUR, but what about other software sources?
Unless you build Linux From Scratch and audit each and every line of code for each and every package you will be installing, there is no 100% guaranty that there is no single line of code running in your system which doesn’t behave “non-benevolently”.
Perhaps not even then. You may need non-open, non-free proprietary software to make your hardware work.
To me, it all boils down to management of insecurity and untrust, lulling me into the belief that everything might be fine.
But don’t take what I say at face value. I am by nature of “Suspicious Minds”.
$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (494 total)...
Clean: None of the known infected packages were installed within 48 hours of the campaign.
[christopher67@EndeavourOS ~]$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (494 total)...
Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (1588 total)...
Clean: None of the known infected packages were installed within 2 days of the campaign.
─❯
Last time I ran this, it was at 480. Now it’s at 1588.
curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (1621 total)...
Clean: None of the known infected packages were installed within 2 days of the campaign.
─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (1621 total)...
Clean: None of the known infected packages were installed within 2 days of the campaign.