Malicious AUR Checkup Script

Running this script mentioned by @1093i3511 in another thread


╰─❯  ./aur_check.sh --full
============================================================
 AUR Malware Check v2.2.0
 Campaign: atomic-lockfile / js-digest infostealer + eBPF rootkit
 Date window: 2026-06-09 to 2026-06-12
 Packages checked: 512
============================================================

--- [1] Currently installed foreign packages ---
  Clean: no infected packages installed within campaign window.

--- [2] Historical pacman logs ---
  Clean: no historical log matches found.

--- [3] Systemd persistence check ---
  Clean: no suspicious systemd services found.

--- [4] eBPF rootkit check ---
  Clean: no eBPF rootkit traces detected.

--- [5] npm cache check ---
  Clean: no malicious packages in npm cache.

--- [6] bun cache check ---
  Clean: no malicious packages in bun cache.

============================================================
 RESULT: CLEAN - No indicators found.
============================================================

As far as I can tell with my limited knowledge, things are looking good here

If you’ve cloned into the repo, you can replace the outdated package_list.txt (512 packages affected) manually with the extended one https://md.archlinux.org/s/SxbqukK6IA that includes a total of 1578 packages. Guess the repo simply hasn’t been updated yet but I assume that it will be updated.

Nice part is that this script combines several approaches of the various scripts that are currently passed around within the Arch community. Not necessarily the ones originating from CachyOS or Manjaro. But it should do the trick anyway.

For those who are sceptical, here is the link to the original conversation / news channel of the Arch Linux discord.
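Added example, not part of the thread and not the code of aur_check.sh: a sketch of the kind of matching that checks [1] and [2] in the output above report on, comparing pacman log entries against a package list and the 2026-06-09 to 2026-06-12 window. The function names and all package names and log lines are constructed for illustration; the log line layout is pacman's usual `[timestamp] [ALPM] action package (version)`.

```shell
#!/usr/bin/env bash
# Added example: flag installs/upgrades of listed packages inside a date window.
# All package names and log lines below are constructed sample data.

# scan_pacman_log LOG LIST START END
# Prints "DATE ACTION PKG" for each ALPM install/upgrade/reinstall of a listed
# package whose date (YYYY-MM-DD, inclusive) falls inside START..END.
scan_pacman_log() {
  awk -v start="$3" -v end="$4" '
    # First file: package list, one name per line; skip blanks and comments.
    FILENAME == ARGV[1] {
      sub(/\r$/, "")
      if ($0 != "" && $0 !~ /^#/) bad[$1] = 1
      next
    }
    # Second file: pacman log. Only ALPM transaction lines are relevant.
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
      day = substr($1, 2, 10)   # "[2026-06-10T18:03:12+0200]" -> "2026-06-10"
      # Exact name match (no substring hits); ISO dates compare as strings.
      if (($4 in bad) && day >= start && day <= end) print day, $3, $4
    }
  ' "$2" "$1"
}

# Runs the scan over constructed sample files and prints the hits.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/package_list.txt" <<'EOF'
# constructed names, not real AUR packages
demo-tool
sample-helper-bin
EOF
  cat > "$dir/pacman.log" <<'EOF'
[2026-06-05T09:12:44+0200] [ALPM] installed sample-helper-bin (1.0-1)
[2026-06-10T18:03:10+0200] [PACMAN] Running 'pacman -U demo-tool-2.1-1-x86_64.pkg.tar.zst'
[2026-06-10T18:03:12+0200] [ALPM] upgraded demo-tool (2.0-1 -> 2.1-1)
[2026-06-11T07:40:01+0200] [ALPM] installed demo-tool-docs (2.1-1)
[2026-06-13T11:00:00+0200] [ALPM] removed demo-tool (2.1-1)
EOF
  scan_pacman_log "$dir/pacman.log" "$dir/package_list.txt" 2026-06-09 2026-06-12
  rm -rf "$dir"
}

demo
```

On a real system the log is normally /var/log/pacman.log; a listed package installed before the window, or a similarly named package that is not on the list, is deliberately not reported.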

Nice. Replaced package list. 1621 packages checked

╰─❯  ./aur_check.sh --full
============================================================
 AUR Malware Check v2.2.0
 Campaign: atomic-lockfile / js-digest infostealer + eBPF rootkit
 Date window: 2026-06-09 to 2026-06-12
 Packages checked: 1621
============================================================

--- [1] Currently installed foreign packages ---
  Clean: no infected packages installed within campaign window.

--- [2] Historical pacman logs ---
  Clean: no historical log matches found.

--- [3] Systemd persistence check ---
  Clean: no suspicious systemd services found.

--- [4] eBPF rootkit check ---
  Clean: no eBPF rootkit traces detected.

--- [5] npm cache check ---
  Clean: no malicious packages in npm cache.

--- [6] bun cache check ---
  Clean: no malicious packages in bun cache.

============================================================
 RESULT: CLEAN - No indicators found.

You can’t walk out? ^^

Look around you, can anybody?


Exactly! I think I got the same look when I wrote that :rofl:

============================================================
 AUR Malware Check v2.2.0
 Campaign: atomic-lockfile / js-digest infostealer + eBPF rootkit
 Date window: 2026-06-09 to 2026-06-12
 Packages checked: 1621
============================================================

--- [1] Currently installed foreign packages ---
  Clean: no infected packages installed within campaign window.

--- [2] Historical pacman logs ---
  Clean: no historical log matches found.

--- [3] Systemd persistence check ---
  Clean: no suspicious systemd services found.

--- [4] eBPF rootkit check ---
  Clean: no eBPF rootkit traces detected.

--- [5] npm cache check ---
  Clean: no malicious packages in npm cache.

--- [6] bun cache check ---
  Clean: no malicious packages in bun cache.

============================================================
 RESULT: CLEAN - No indicators found.
============================================================

I’m safe as well. I just added to pacman.conf the ignore for the recommended npm node etc…

After running the script from @UncleSpellbinder’s first post, it appears that all is OK here as well, but it’s frustrating that I’m forced to update my NVIDIA drivers from the AUR.

I don’t know enough to know what I’m seeing from package builds unfortunately but don’t have any other packages from AUR at this time, so I hope those that know way more than I do are monitoring the integrity of those NVIDIA drivers for the community.

I was on vacation for two days, and all sorts of things happen! Anyway, it’s best to wait a few days before updating the AUR!

Well, I saw one AUR package but apparently had not updated. Did a massive clean up of AUR to 9 packages installed now. All these package manager corruption attacks had me pinning versions at work for NPM. I feel this is just going to continue until all we are left is grey goo.

Looks clean from my end

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash 

Checking for infected AUR packages (1620 total)...

Clean: None of the known infected packages were installed within 2 days of the campaign.

Looks like I’m good

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (1937 total)...

Clean: None of the known infected packages were installed within 2 days of the campaigns.


Of course I haven’t updated or installed anything this week. My next update is scheduled tomorrow. I will have to modify my update script to remove paru and just use pacman for this week. Hopefully they get it stopped and cleaned in this next coming week.

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (1937 total)...

Clean: None of the known infected packages were installed within 2 days of the campaigns.

Would be really brazen of these malware guys to publish a GUI “AUR Malware Detection Tool” on the AUR…that, of course, installs malware…

I was getting worried since I did run an update recently (just can’t remember when exactly). Finding out the date when all this happened, in the sense of when the malicious code was propagated to the AUR for users to download, is harder than it seems, but I concluded it was 12th June 2026.

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (1937 total)...

Clean: None of the known infected packages were installed within 2 days of the campaigns.

I only updated a single app from the AUR in the past few days and it wasn’t infected.

Checking for infected AUR packages (1937 total)…

Clean: None of the known infected packages were installed within 2 days of the campaigns.

edconv-bin is flagged.

I put Arch Linux to bed for the coming week, only use like maybe 5 AUR packages.

This week Fedora and Debian sid will get a little loving.

:clinking_beer_mugs:

Number is rising every hour