aur_check.sh (OUTDATED, check https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14)

aur_check.sh

#!/usr/bin/env bash

# OUTDATED. YOU MAY WANT TO USE A CHECK THAT PULLS FROM AN AUTHORITATIVE LIST OF INFECTED PACKAGES
# CHECK https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

# AUR atomic-lockfile malware check @ June 11 2026
# Sources:
#   https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/
#   https://gr.ht/aur_pkg_list.txt

INFECTED_PKGS=(
    123pan-bin
    1code
    8192eu-dkms-git
    actual-ai
    adblock2privoxy
    aion-git
    albion-online-launcher-bin
    alienfx
    alvr
    android-signapk
    android-signapk-gui
    annobin
    ansible-language-server
    antfs-cli-git
    anythingllm-appimage
    anythingllm-cli-bin
    apk-installer-gui
    apm_planner-bin
    apothem
    apple-music-desktop
    arch-update-vai
    archjh
    archlinux-themes-slim
    archmage
    archtex-git
    artanis-git
    astro-editor-appimage
    autohand-cli
    autolabel
    autologin
    azurlaneautoscript
    bcachefs-kernel-dkms-git
    beebeep
    bitcoin-core-git
    blinkenlib
    blueproximity-py3-git
    booklore
    brow6el
    brow6el-git
    canon-pixma-mg3000-complete-fixed
    cartridge-cli
    ccase-bin
    ccl-git
    cgminer
    charcoal
    cinny-desktop-system-tray
    clai
    clang19
    clash-mi
    cling-git
    cmuclmtk
    cnijfilter-common
    codenomad-bin
    codeql-cli-bin
    cogpit-bin
    colorhug-client
    colorz
    compiler-rt19
    compizconfig-python
    coolreader
    cowdancer
    cutefish-calculator
    cutefish-core
    cutefish-dock
    cutefish-filemanager
    cutefish-icons
    cutefish-launcher
    cutefish-qt-plugins
    cutefish-screenlocker
    cutefish-screenshot
    cutefish-settings
    cutefish-statusbar
    cutefish-wallpapers
    cvs-feature-bin
    cynthiune.app
    dagu-bin
    datatype99
    deheader
    dep
    dh-python
    difi
    difi-bin
    doctoc
    dots-hyprland-fork-git
    dvdrip
    dyad-bin
    easy_spice
    edconv-bin
    eisl
    epson-inkjet-printer-escpr2-clos-bin
    exodus-wallet-bin
    exoduswallet
    farmmod-hub
    fastoggenc
    fastjet
    fatx
    fcitx5-pinyin-sougou-dict-git
    ffmpeg-bitrate-stats
    ffmpeg-quality-metrics
    findpkg-git
    firefox-extension-adnauseam-bin-amo
    firmium-desktop-git
    fishui
    fishui-git
    flexiblas
    flynarwhal
    fmlib
    forgecode-bin
    formidable-bin
    frame
    ftl
    frutool
    futhark-bin
    gdl
    gdlmm
    git-annex-standalone
    gnome-contacts-git
    gnutls3.8.9
    gopher2600
    gopher2600-bin
    gosh
    gpx-viewer
    graveman
    green-tunnel-bin
    greetd-wlgreet-git
    gtkimageview
    guile-reader
    gummy
    gummy-git
    hackmatrix-git
    harmony-wad
    headphones
    hearthstone-linux-gui-appimage
    hearthstone-linux-gui-bin
    hepmc2
    hister-git
    hnswlib-git
    horst
    hydownloader-git
    hydrus-git
    i3bar-river
    ianny-bin
    ibm-sw-tpm2
    ihaskell-git
    imageglass
    inadyn
    indicator-session
    infnoise-openssl-git
    interface99
    ios-webkit-debug-proxy
    ipfs-desktop-bin
    ipsw
    iron-heart-git
    jasp-desktop
    jd-gui
    k3sup
    kdb
    kddockwidgets-git
    kexi
    kiss
    ktea
    kookbook
    kproperty
    kreport
    latex-digsig
    lazylpsolverlibs-git
    lesstif
    lib32-egl-wayland
    libafterimage
    libbobcat
    libcutefish
    libffi-static
    libgdata
    libjxl-noglycin
    libquvi
    libquvi-scripts
    libretro-hatari-enhanced-git
    libxdiff
    libxml-ruby
    libyami
    linux-cachyos-deckify-native
    linux-cachyos-native
    linux-cachyos-rc-native
    linux-tool
    liri-cmake-shared-git
    lite
    lll
    llvm-cbe-git
    lowfi-bin
    "ls++"
    lucidvideo
    m5rcode
    magpie-wm
    mako-center-git
    manuskript
    maszyna-git
    mathsat-5
    matrixbrandy
    mcp-probe
    mcpatcher
    mermaid-ascii-git
    mermark-editor
    mesa-dlss-reflex-git
    mimic-node-git
    mingw-w64-geos
    mingw-w64-libsndfile
    minimax-bin-hardened
    misuzu-music-bin
    mono-addins
    monochrome
    monochrome-git
    moor-git
    mount-gtk
    mopen
    n1-translator
    naemon
    naemon-livestatus
    natapp
    nebuchadnezzar-git
    neovim-autopairs-git
    neovim-nvim-treesitter
    nerf-pi
    neuro-karaoke-wrapper-git
    new-api-privacy-filter
    new-api-privacy-filter-git
    nexus-bin
    nginx-mod-vts
    nhentai-git
    nocodb
    noctyra-dotfiles-git
    "notepad---bin"
    nox-bin
    nrpe
    nwchem-bin
    ob-xd
    octocode
    opencode-codebase-index-bin
    openui5
    opl-synth
    optimizevideo-git
    oracle-bin
    pacforge
    paper-desktop-bin
    paq8o
    parallel-python
    pass-cli
    pelican-git
    penguin-subtitle-player
    perl-proc-parallelloop
    perl-set-object
    perl-term-extendedcolor
    phonon-qt5-vlc
    php-geoip
    php-memcache
    php-openswoole-git
    php-xdiff
    picom-ftlabs-git
    pidgin-kwallet
    pipetoys
    pipewire-visualizer-git
    premake-git
    prisma4postgres-bin
    profile-sync-daemon-zen
    pymacs
    pypiserver
    pypy-setuptools
    python-argdispatch
    python-awkward
    python-calmjs
    python-celery
    python-ci-info
    python-coolname
    python-cu2qu-git
    python-dataproperty
    python-dbapi-compliance
    python-dictobject
    python-dj-database-url
    python-fastmcp-slim
    python-finnhub-python
    python-firebase-admin
    python-fmu_manipulation_toolbox
    python-future
    python-g4f
    python-hist
    python-histoprint
    python-hsaudiotag3k
    python-iminuit
    python-iso3166
    python-isr-git
    python-jsmin
    python-json2xml
    python-luckydonald-utils
    python-milvus-lite-bin
    python-mmcif
    python-monotonic
    python-mplhep
    python-mplhep_data
    python-netaudio-git
    python-netaudio-lib
    python-newspaper4k
    python-nipype
    python-nodejs-wheel
    python-openai-harmony
    python-pdf2docx
    python-piecash
    python-pluginmgr
    python-poetry-plugin-dotenv
    "python-pushbullet.py"
    python-pychromecast-git
    python-pylsp-rope
    python-pymilvus
    python-pysocks-git
    python-rembg
    python-scikit-hep-testdata
    python-sklearn-pandas
    python-sqliteschema
    python-starlette-compress
    python-starsessions
    python-steamcontroller-git
    python-tabledata
    python-tarantool
    python-tradingeconomics
    python-uhi
    python-uproot
    python-vector
    python-xtarfile
    python2-appdirs
    python2-fusepy
    python2-lazr-uri
    python2-mutagen
    python2-notify
    python2-packaging
    python2-paver
    python2-pyparsing
    python2-simplejson
    python2-simpleparse
    python2-stomper
    python2-twodict-git
    python2-xlib
    qhttpengine
    qlementine
    qmdnsengine
    qnapi
    qobuz-player-bin
    qtum-core
    quickswitch-i3
    r-dbplyr
    reactphysics3d
    repoporge
    retibbs-client-git
    rhythmbox-git
    rimworld
    rog-helper-git
    ros2-humble-nav2-msgs
    ruah-orch
    ruby-excon
    ruby-kramdown-rfc2629
    ruby-selenium-webdriver
    runescape-launcher
    sakura-launcher-gui
    sandlock
    screenpipe-bin
    sdcc-bin
    seahorse-nautilus
    shhmsg
    shhopt
    slipnet
    slipnet-bin
    smenu
    smenu-git
    smolrtsp
    smolrtsp-libevent
    snry-shell-qs
    soapyptezuka
    solara-kernel-headers
    sonosano
    soundpaad-bin
    sshuttlee
    sshuttlee-bin
    stompbox-jack-git
    stripe-cli
    stylelint-config-recommended
    subbrute
    sublist3r-git
    subprocess
    subsync
    svu
    sway-xkb-switcher
    tack
    tarantool
    tesseract-gui
    thunar-nextcloud-plugin
    thunderbird-conversations
    tinyemu
    tlpui-git
    torch7-git
    touchhle
    touchosc-bin
    transcreen
    tsm
    ttf-material-design-icons-git
    tunacode-cli
    typing-game-cli
    ukui-notification-daemon
    vapoursynth-preview-git
    vbam-git
    verso-git
    vidcutter
    vim-easymotion
    vim-gitgutter
    vim-indent-object
    vim-molokai
    vim-solidity
    vim-vital
    vocalinux-git
    voquill-gpu
    wallpaper-generator-next
    wayland-static
    we-layerd-git
    whatsie-git
    whisper2tr
    whisper2tr-git
    windowmaker-git
    wine-nine
    wire-desktop
    word-snatchers-cli
    workbench
    workbuddy-bin
    wrystr-git
    wsjtx-beta
    xf86-input-mtrack-git
    xorg-xfsinfo
    xplot
    xpra-html5
    xray-domain-list-community
    yarg
    yt6801-dkms
    yy
    zathura-gruvbox-git
    zerx-lab-dida-bin
    zerx-lab-zed-nightly-bin
    zing-8-bin
    zing-17-bin
    zing-21-bin
    zinnia-python
    zsdx
)

echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..."
echo

found=()
for pkg in "${INFECTED_PKGS[@]}"; do
    if pacman -Qi "$pkg" &>/dev/null; then
        found+=("$pkg")
    fi
done

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do
        echo "  - $pkg"
    done
fi

Thank you very much!

thanks twin

Thank you for this!

Thanks champ!

i appreciate the updated script but hope you see the irony of recommending to pipe curl output directly into bash

Although it's ironic, he's just making other people's lives easier with this. If you would prefer manually go through each n every package, or download script n read it not everyone understands code or wants to go through the hassle. It's great if one did that, much safer I agree. But reality is different. So what he provided is with good intention.

P.S : I personally vetted the script and it's clean. And am a Distro maintainer. Whatever this is worth.

The general problem with curl $url | bash recommendations is that you can detect at the server side if the script is directly piped to bash and deliver an different script. So even a review wont save you from that.
Therefore always download the script, verify at and then execute the local file.

The background of this attack is described here: https://web.archive.org/web/20250622061208/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

I’ve consolidated the community detection scripts (yours + BrianCArnold + commonsourcecs + Kacper-Kondracki + quantenProjects) into a single repo:

https://github.com/lenucksi/aur-malware-check

All original scripts preserved in sources/, plus a faster v2 that runs in ~10s instead of the 5 minutes I got from the original approach. Credits and links to everyone included in the README. Thanks for making all this to everyone who did so! 🚀

Happy to accept PRs if you want to contribute improvements, especially packages that need to be checked.

EDIT 13. June 2026: Glad to see that it's been useful. Situation has developed a bit more, will try to consolidate the below in there as much as possible. As for @minus2147483647 comment on arojas: That's fixed already + sources added. Actually was the first issue reported on the repo.
I might turn this into some Python to make it easier to read and extend as shell does tend to get a bit messy with time and size.

I’ve consolidated the community detection scripts (yours + BrianCArnold + commonsourcecs + Kacper-Kondracki + quantenProjects) into a single repo:

https://github.com/lenucksi/aur-malware-check

thanks so much for this @lenucksi !
I have one comment though: arojas is Antonio Rojas, a respected member of the Arch Linux community and certainly not a 'malicious maintainer' or an 'attacker account'. The bot infecting the packages seems to have impersonated the last committer, but that has nothing to do with Antonio. Perhaps that quote can be changed/updated (you mention him twice) ?

Shouldn't you make a repository?

So contribute if someone finds something else, having a dynamic list.json that the script downloads when starting.

Thanks 👍

This script checks whether affected packages are currently installed. Consider also performing a check against /var/log/pacman.log for evidence that an affected package was installed at any point in the past.

For example:

for pkg in "${INFECTED_PKGS[@]}"; do
    if pacman -Qi "$pkg" &>/dev/null || grep -F -q "installed $pkg (" /var/log/pacman.log; then
        found+=("$pkg")
    fi
done

@rpdelaney you may want to check out the repository posted here by lenucksi an hour ago, it has a script that does exactly that (and also checks for activity within the actual time-window of the attack).

just a heads up for anyone else: I ran into a false positive where stripe-cli flagged but I actually have stripe-cli-bin installed which is all clear (I just checked the history on AUR, its pulling from the official github releases for the past few updates).

@rpdelaney Just a heads up: The grep search pattern you used will raise false positives if any part of a package name is in another package name.

e.g. yy will be raised with yyjson, kdb will be raised with kdbusaddons

Consider changing the search pattern to "installed ${pkg} (". This ensures the exact package is checked

Thank you for this!

Thanks @AstroLightz, I edited it

i ran commonsourcecs's script, and thank god my system is clean

though i got curious and ran the script in this gist:

Checking for infected AUR packages (446 total)...

WARNING: 2 infected package(s) found:
  - jd-gui
  - libgdata

so if i had updated my aur packages around june 9 - 12, the hackers would've gotten a nice double dip of my accounts & data.

i guess i can thank myself for not updating my system so often. either way this is a wakeup call to not use the aur anymore 😬

Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

thanks, copy and paste into terminal version (double check the code and Arch note url for safety)

bash -c 'LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"; TMP_INFECTED=$(mktemp); TMP_INSTALLED=$(mktemp); trap "rm -f $TMP_INFECTED $TMP_INSTALLED" EXIT; echo "Fetching infected package list..."; raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch"; exit 1; }; mapfile -t INFECTED_PKGS < <(echo "$raw" | sed "s/<[^>]*>//g" | grep -E "^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$" | sort -u); count=${#INFECTED_PKGS[@]}; [[ $count -eq 0 ]] && { echo "ERROR: parsed 0 packages."; exit 1; }; echo "Checking $count known infected packages against ALL installed packages..."; echo; printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"; pacman -Qq 2>/dev/null | sort > "$TMP_INSTALLED"; mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED"); if [[ ${#found[@]} -eq 0 ]]; then echo "Clean: none of the known infected packages are installed."; else echo "WARNING: ${#found[@]} infected package(s) found:"; for pkg in "${found[@]}"; do ver=$(pacman -Q "$pkg" 2>/dev/null | awk "{print \$2}"); echo "  - $pkg  (installed version: $ver)"; done; echo; echo "You may be infected."; fi'

or

#!/usr/bin/env bash
LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"
TMP_INFECTED=$(mktemp)
TMP_INSTALLED=$(mktemp)
cleanup() { rm -f "$TMP_INFECTED" "$TMP_INSTALLED"; }
trap cleanup EXIT

echo "Fetching infected package list..."
raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch $LIST_URL"; exit 1; }

mapfile -t INFECTED_PKGS < <(echo "$raw" | sed 's/<[^>]*>//g' | grep -E '^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$' | sort -u)

count=${#INFECTED_PKGS[@]}
if [[ $count -eq 0 ]]; then echo "ERROR: parsed 0 packages."; exit 1; fi

echo "Checking $count known infected packages against installed AUR packages..."
echo

printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"

if ! pacman -Qmq 2>/dev/null | sort > "$TMP_INSTALLED"; then
    echo "ERROR: failed to query installed packages (DB locked?)"
    ls /var/lib/pacman/db.lck &>/dev/null && echo "  Stale lockfile may be the cause."
    exit 1
fi

mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED")

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do echo "  - $pkg"; done
    echo
    echo "You may be infected."
fi
EOF
)

there have been other updates, but, for those who want to know not only if you have compromised versions installed, but ANY versions from the list installed, i made a quick update to cscs's script: https://gist.github.com/bwhitehead0/74a8960e33e641cfa820f448a7a12d8e

Many thanks!

we seriously need these as hot/live patches

Thank you my hero

"Forked to fetch the package list dynamically from the official Arch HedgeDoc instead of hardcoding it: https://gist.github.com/caveat-ops/bfd78fe1f8e1ec7593e40c440297a18c"

This is awesome 😎 bro. Thanks for the script. God bless

Thanks.

Much appreciated.

Thank you!

I’ve consolidated the community detection scripts (yours + BrianCArnold + commonsourcecs + Kacper-Kondracki + quantenProjects) into a single repo:

https://github.com/lenucksi/aur-malware-check

https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992?permalink_comment_id=6196132#gistcomment-6196132

Now probably has integrated most of the concerns brought up here. Might still be worth a look, but certainly use what you like, and make sure you take a look what you execute before you execute it. (Bump for the scroll to the bottom of gist immediately cases 😉 )

Thank you!
Fortunately, I was on holiday so I did not update a thing..