Malicious AUR Checkup Script

From CachyOS Moderator cscs


TL;DR

  • Here’s what I got…
─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (480 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯
curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash 
 
Checking for infected AUR packages (480 total)... 
 
Clean: None of the known infected packages were installed within 48 hours of the campaign.

I’m clean, too. So why do I feel like I need another shower? :hot_face:

I checked the script before running it - in the script I saw package names which could perhaps be installed on my homeserver (it’s running debian). Checked there as well, but I suppose that was rather pointless, as the debian repositories are unlikely to be infected?

These packages are build from “infected” PKGBUILDS in AUR.

Debian doesn’t use this mechanism to build packages.

Only if you have used any of these PKGBUILDs to build and install any of these packages then you have to take measures.

Well, since the malicious code is inserted via npm, all things using npm packages could be infected, right? We’re only looking at the AUR, but what about other software sources?

Unless you build Linux From Scratch and audit each and every line of code for each and every package you will be installing, there is no 100% guaranty that there is no single line of code running in your system which doesn’t behave “non-benevolently”.

Perhaps not even then. You may need non-open, non-free proprietary software to make your hardware work.

To me, it all boils down to management of insecurity and untrust, lulling me into the belief that everything might be fine. :sweat_smile:

But don’t take what I say at face value. I am by nature of “Suspicious Minds”.

Tip to avoid malware from AUR: add node package managers to your IgnorePkg from the arch-general mailing list:

3 Likes

Thanks, @UncleSpellbinder !

Looks like I’m not infected …

$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (494 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.

I don’t know if I should feel better now … :thinking:

I don’t think after this anyone could feel good anymore. Not after this.
Those days are gone! :rofl:

I feel the same. At least I know I’m not infected! :rofl:

[christopher67@EndeavourOS ~]$ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (494 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.

─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash


Checking for infected AUR packages (1588 total)...

Clean: None of the known infected packages were installed within 2 days of the campaign.
─❯

Last time I ran this, it was at 480. Now it’s at 1588. :open_mouth:

Because you’re caught in a trap? ^^

1 Like

Let’s say I have wasted too much time in my life separating bull from the shit. Or was it wheat from the chaff? :sweat_smile:

I beat you, new record for me :sweat_smile:

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (1621 total)...

Clean: None of the known infected packages were installed within 2 days of the campaign.

─❯  curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash


Checking for infected AUR packages (1621 total)...

Clean: None of the known infected packages were installed within 2 days of the campaign.