/aur_check.sh Secret
-
Star
(135)
You must be signed in to star a gist -
Fork
(11)
You must be signed in to fork a gist
-
-
Save Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992 to your computer and use it in GitHub Desktop.
| #!/usr/bin/env bash | |
| # OUTDATED. YOU MAY WANT TO USE A CHECK THAT PULLS FROM AN AUTHORITATIVE LIST OF INFECTED PACKAGES | |
| # CHECK https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14 | |
| # AUR atomic-lockfile malware check @ June 11 2026 | |
| # Sources: | |
| # https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/ | |
| # https://gr.ht/aur_pkg_list.txt | |
| INFECTED_PKGS=( | |
| 123pan-bin | |
| 1code | |
| 8192eu-dkms-git | |
| actual-ai | |
| adblock2privoxy | |
| aion-git | |
| albion-online-launcher-bin | |
| alienfx | |
| alvr | |
| android-signapk | |
| android-signapk-gui | |
| annobin | |
| ansible-language-server | |
| antfs-cli-git | |
| anythingllm-appimage | |
| anythingllm-cli-bin | |
| apk-installer-gui | |
| apm_planner-bin | |
| apothem | |
| apple-music-desktop | |
| arch-update-vai | |
| archjh | |
| archlinux-themes-slim | |
| archmage | |
| archtex-git | |
| artanis-git | |
| astro-editor-appimage | |
| autohand-cli | |
| autolabel | |
| autologin | |
| azurlaneautoscript | |
| bcachefs-kernel-dkms-git | |
| beebeep | |
| bitcoin-core-git | |
| blinkenlib | |
| blueproximity-py3-git | |
| booklore | |
| brow6el | |
| brow6el-git | |
| canon-pixma-mg3000-complete-fixed | |
| cartridge-cli | |
| ccase-bin | |
| ccl-git | |
| cgminer | |
| charcoal | |
| cinny-desktop-system-tray | |
| clai | |
| clang19 | |
| clash-mi | |
| cling-git | |
| cmuclmtk | |
| cnijfilter-common | |
| codenomad-bin | |
| codeql-cli-bin | |
| cogpit-bin | |
| colorhug-client | |
| colorz | |
| compiler-rt19 | |
| compizconfig-python | |
| coolreader | |
| cowdancer | |
| cutefish-calculator | |
| cutefish-core | |
| cutefish-dock | |
| cutefish-filemanager | |
| cutefish-icons | |
| cutefish-launcher | |
| cutefish-qt-plugins | |
| cutefish-screenlocker | |
| cutefish-screenshot | |
| cutefish-settings | |
| cutefish-statusbar | |
| cutefish-wallpapers | |
| cvs-feature-bin | |
| cynthiune.app | |
| dagu-bin | |
| datatype99 | |
| deheader | |
| dep | |
| dh-python | |
| difi | |
| difi-bin | |
| doctoc | |
| dots-hyprland-fork-git | |
| dvdrip | |
| dyad-bin | |
| easy_spice | |
| edconv-bin | |
| eisl | |
| epson-inkjet-printer-escpr2-clos-bin | |
| exodus-wallet-bin | |
| exoduswallet | |
| farmmod-hub | |
| fastoggenc | |
| fastjet | |
| fatx | |
| fcitx5-pinyin-sougou-dict-git | |
| ffmpeg-bitrate-stats | |
| ffmpeg-quality-metrics | |
| findpkg-git | |
| firefox-extension-adnauseam-bin-amo | |
| firmium-desktop-git | |
| fishui | |
| fishui-git | |
| flexiblas | |
| flynarwhal | |
| fmlib | |
| forgecode-bin | |
| formidable-bin | |
| frame | |
| ftl | |
| frutool | |
| futhark-bin | |
| gdl | |
| gdlmm | |
| git-annex-standalone | |
| gnome-contacts-git | |
| gnutls3.8.9 | |
| gopher2600 | |
| gopher2600-bin | |
| gosh | |
| gpx-viewer | |
| graveman | |
| green-tunnel-bin | |
| greetd-wlgreet-git | |
| gtkimageview | |
| guile-reader | |
| gummy | |
| gummy-git | |
| hackmatrix-git | |
| harmony-wad | |
| headphones | |
| hearthstone-linux-gui-appimage | |
| hearthstone-linux-gui-bin | |
| hepmc2 | |
| hister-git | |
| hnswlib-git | |
| horst | |
| hydownloader-git | |
| hydrus-git | |
| i3bar-river | |
| ianny-bin | |
| ibm-sw-tpm2 | |
| ihaskell-git | |
| imageglass | |
| inadyn | |
| indicator-session | |
| infnoise-openssl-git | |
| interface99 | |
| ios-webkit-debug-proxy | |
| ipfs-desktop-bin | |
| ipsw | |
| iron-heart-git | |
| jasp-desktop | |
| jd-gui | |
| k3sup | |
| kdb | |
| kddockwidgets-git | |
| kexi | |
| kiss | |
| ktea | |
| kookbook | |
| kproperty | |
| kreport | |
| latex-digsig | |
| lazylpsolverlibs-git | |
| lesstif | |
| lib32-egl-wayland | |
| libafterimage | |
| libbobcat | |
| libcutefish | |
| libffi-static | |
| libgdata | |
| libjxl-noglycin | |
| libquvi | |
| libquvi-scripts | |
| libretro-hatari-enhanced-git | |
| libxdiff | |
| libxml-ruby | |
| libyami | |
| linux-cachyos-deckify-native | |
| linux-cachyos-native | |
| linux-cachyos-rc-native | |
| linux-tool | |
| liri-cmake-shared-git | |
| lite | |
| lll | |
| llvm-cbe-git | |
| lowfi-bin | |
| "ls++" | |
| lucidvideo | |
| m5rcode | |
| magpie-wm | |
| mako-center-git | |
| manuskript | |
| maszyna-git | |
| mathsat-5 | |
| matrixbrandy | |
| mcp-probe | |
| mcpatcher | |
| mermaid-ascii-git | |
| mermark-editor | |
| mesa-dlss-reflex-git | |
| mimic-node-git | |
| mingw-w64-geos | |
| mingw-w64-libsndfile | |
| minimax-bin-hardened | |
| misuzu-music-bin | |
| mono-addins | |
| monochrome | |
| monochrome-git | |
| moor-git | |
| mount-gtk | |
| mopen | |
| n1-translator | |
| naemon | |
| naemon-livestatus | |
| natapp | |
| nebuchadnezzar-git | |
| neovim-autopairs-git | |
| neovim-nvim-treesitter | |
| nerf-pi | |
| neuro-karaoke-wrapper-git | |
| new-api-privacy-filter | |
| new-api-privacy-filter-git | |
| nexus-bin | |
| nginx-mod-vts | |
| nhentai-git | |
| nocodb | |
| noctyra-dotfiles-git | |
| "notepad---bin" | |
| nox-bin | |
| nrpe | |
| nwchem-bin | |
| ob-xd | |
| octocode | |
| opencode-codebase-index-bin | |
| openui5 | |
| opl-synth | |
| optimizevideo-git | |
| oracle-bin | |
| pacforge | |
| paper-desktop-bin | |
| paq8o | |
| parallel-python | |
| pass-cli | |
| pelican-git | |
| penguin-subtitle-player | |
| perl-proc-parallelloop | |
| perl-set-object | |
| perl-term-extendedcolor | |
| phonon-qt5-vlc | |
| php-geoip | |
| php-memcache | |
| php-openswoole-git | |
| php-xdiff | |
| picom-ftlabs-git | |
| pidgin-kwallet | |
| pipetoys | |
| pipewire-visualizer-git | |
| premake-git | |
| prisma4postgres-bin | |
| profile-sync-daemon-zen | |
| pymacs | |
| pypiserver | |
| pypy-setuptools | |
| python-argdispatch | |
| python-awkward | |
| python-calmjs | |
| python-celery | |
| python-ci-info | |
| python-coolname | |
| python-cu2qu-git | |
| python-dataproperty | |
| python-dbapi-compliance | |
| python-dictobject | |
| python-dj-database-url | |
| python-fastmcp-slim | |
| python-finnhub-python | |
| python-firebase-admin | |
| python-fmu_manipulation_toolbox | |
| python-future | |
| python-g4f | |
| python-hist | |
| python-histoprint | |
| python-hsaudiotag3k | |
| python-iminuit | |
| python-iso3166 | |
| python-isr-git | |
| python-jsmin | |
| python-json2xml | |
| python-luckydonald-utils | |
| python-milvus-lite-bin | |
| python-mmcif | |
| python-monotonic | |
| python-mplhep | |
| python-mplhep_data | |
| python-netaudio-git | |
| python-netaudio-lib | |
| python-newspaper4k | |
| python-nipype | |
| python-nodejs-wheel | |
| python-openai-harmony | |
| python-pdf2docx | |
| python-piecash | |
| python-pluginmgr | |
| python-poetry-plugin-dotenv | |
| "python-pushbullet.py" | |
| python-pychromecast-git | |
| python-pylsp-rope | |
| python-pymilvus | |
| python-pysocks-git | |
| python-rembg | |
| python-scikit-hep-testdata | |
| python-sklearn-pandas | |
| python-sqliteschema | |
| python-starlette-compress | |
| python-starsessions | |
| python-steamcontroller-git | |
| python-tabledata | |
| python-tarantool | |
| python-tradingeconomics | |
| python-uhi | |
| python-uproot | |
| python-vector | |
| python-xtarfile | |
| python2-appdirs | |
| python2-fusepy | |
| python2-lazr-uri | |
| python2-mutagen | |
| python2-notify | |
| python2-packaging | |
| python2-paver | |
| python2-pyparsing | |
| python2-simplejson | |
| python2-simpleparse | |
| python2-stomper | |
| python2-twodict-git | |
| python2-xlib | |
| qhttpengine | |
| qlementine | |
| qmdnsengine | |
| qnapi | |
| qobuz-player-bin | |
| qtum-core | |
| quickswitch-i3 | |
| r-dbplyr | |
| reactphysics3d | |
| repoporge | |
| retibbs-client-git | |
| rhythmbox-git | |
| rimworld | |
| rog-helper-git | |
| ros2-humble-nav2-msgs | |
| ruah-orch | |
| ruby-excon | |
| ruby-kramdown-rfc2629 | |
| ruby-selenium-webdriver | |
| runescape-launcher | |
| sakura-launcher-gui | |
| sandlock | |
| screenpipe-bin | |
| sdcc-bin | |
| seahorse-nautilus | |
| shhmsg | |
| shhopt | |
| slipnet | |
| slipnet-bin | |
| smenu | |
| smenu-git | |
| smolrtsp | |
| smolrtsp-libevent | |
| snry-shell-qs | |
| soapyptezuka | |
| solara-kernel-headers | |
| sonosano | |
| soundpaad-bin | |
| sshuttlee | |
| sshuttlee-bin | |
| stompbox-jack-git | |
| stripe-cli | |
| stylelint-config-recommended | |
| subbrute | |
| sublist3r-git | |
| subprocess | |
| subsync | |
| svu | |
| sway-xkb-switcher | |
| tack | |
| tarantool | |
| tesseract-gui | |
| thunar-nextcloud-plugin | |
| thunderbird-conversations | |
| tinyemu | |
| tlpui-git | |
| torch7-git | |
| touchhle | |
| touchosc-bin | |
| transcreen | |
| tsm | |
| ttf-material-design-icons-git | |
| tunacode-cli | |
| typing-game-cli | |
| ukui-notification-daemon | |
| vapoursynth-preview-git | |
| vbam-git | |
| verso-git | |
| vidcutter | |
| vim-easymotion | |
| vim-gitgutter | |
| vim-indent-object | |
| vim-molokai | |
| vim-solidity | |
| vim-vital | |
| vocalinux-git | |
| voquill-gpu | |
| wallpaper-generator-next | |
| wayland-static | |
| we-layerd-git | |
| whatsie-git | |
| whisper2tr | |
| whisper2tr-git | |
| windowmaker-git | |
| wine-nine | |
| wire-desktop | |
| word-snatchers-cli | |
| workbench | |
| workbuddy-bin | |
| wrystr-git | |
| wsjtx-beta | |
| xf86-input-mtrack-git | |
| xorg-xfsinfo | |
| xplot | |
| xpra-html5 | |
| xray-domain-list-community | |
| yarg | |
| yt6801-dkms | |
| yy | |
| zathura-gruvbox-git | |
| zerx-lab-dida-bin | |
| zerx-lab-zed-nightly-bin | |
| zing-8-bin | |
| zing-17-bin | |
| zing-21-bin | |
| zinnia-python | |
| zsdx | |
| ) | |
| echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..." | |
| echo | |
| found=() | |
| for pkg in "${INFECTED_PKGS[@]}"; do | |
| if pacman -Qi "$pkg" &>/dev/null; then | |
| found+=("$pkg") | |
| fi | |
| done | |
| if [[ ${#found[@]} -eq 0 ]]; then | |
| echo "Clean: none of the known infected packages are installed." | |
| else | |
| echo "WARNING: ${#found[@]} infected package(s) found:" | |
| for pkg in "${found[@]}"; do | |
| echo " - $pkg" | |
| done | |
| fi |
Thanks 👍
This script checks whether affected packages are currently installed. Consider also performing a check against /var/log/pacman.log for evidence that an affected package was installed at any point in the past.
For example:
for pkg in "${INFECTED_PKGS[@]}"; do
if pacman -Qi "$pkg" &>/dev/null || grep -F -q "installed $pkg (" /var/log/pacman.log; then
found+=("$pkg")
fi
done
@rpdelaney you may want to check out the repository posted here by lenucksi an hour ago, it has a script that does exactly that (and also checks for activity within the actual time-window of the attack).
just a heads up for anyone else: I ran into a false positive where stripe-cli flagged but I actually have stripe-cli-bin installed which is all clear (I just checked the history on AUR, its pulling from the official github releases for the past few updates).
@rpdelaney Just a heads up: The grep search pattern you used will raise false positives if any part of a package name is in another package name.
e.g. yy will be raised with yyjson, kdb will be raised with kdbusaddons
Consider changing the search pattern to "installed ${pkg} (". This ensures the exact package is checked
Thank you for this!
Thanks @AstroLightz, I edited it
i ran commonsourcecs's script, and thank god my system is clean
though i got curious and ran the script in this gist:
Checking for infected AUR packages (446 total)...
WARNING: 2 infected package(s) found:
- jd-gui
- libgdata
so if i had updated my aur packages around june 9 - 12, the hackers would've gotten a nice double dip of my accounts & data.
i guess i can thank myself for not updating my system so often. either way this is a wakeup call to not use the aur anymore 😬
Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
thanks, copy and paste into terminal version (double check the code and Arch note url for safety)
bash -c 'LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"; TMP_INFECTED=$(mktemp); TMP_INSTALLED=$(mktemp); trap "rm -f $TMP_INFECTED $TMP_INSTALLED" EXIT; echo "Fetching infected package list..."; raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch"; exit 1; }; mapfile -t INFECTED_PKGS < <(echo "$raw" | sed "s/<[^>]*>//g" | grep -E "^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$" | sort -u); count=${#INFECTED_PKGS[@]}; [[ $count -eq 0 ]] && { echo "ERROR: parsed 0 packages."; exit 1; }; echo "Checking $count known infected packages against ALL installed packages..."; echo; printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"; pacman -Qq 2>/dev/null | sort > "$TMP_INSTALLED"; mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED"); if [[ ${#found[@]} -eq 0 ]]; then echo "Clean: none of the known infected packages are installed."; else echo "WARNING: ${#found[@]} infected package(s) found:"; for pkg in "${found[@]}"; do ver=$(pacman -Q "$pkg" 2>/dev/null | awk "{print \$2}"); echo " - $pkg (installed version: $ver)"; done; echo; echo "You may be infected."; fi'
or
#!/usr/bin/env bash
LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"
TMP_INFECTED=$(mktemp)
TMP_INSTALLED=$(mktemp)
cleanup() { rm -f "$TMP_INFECTED" "$TMP_INSTALLED"; }
trap cleanup EXIT
echo "Fetching infected package list..."
raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch $LIST_URL"; exit 1; }
mapfile -t INFECTED_PKGS < <(echo "$raw" | sed 's/<[^>]*>//g' | grep -E '^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$' | sort -u)
count=${#INFECTED_PKGS[@]}
if [[ $count -eq 0 ]]; then echo "ERROR: parsed 0 packages."; exit 1; fi
echo "Checking $count known infected packages against installed AUR packages..."
echo
printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"
if ! pacman -Qmq 2>/dev/null | sort > "$TMP_INSTALLED"; then
echo "ERROR: failed to query installed packages (DB locked?)"
ls /var/lib/pacman/db.lck &>/dev/null && echo " Stale lockfile may be the cause."
exit 1
fi
mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED")
if [[ ${#found[@]} -eq 0 ]]; then
echo "Clean: none of the known infected packages are installed."
else
echo "WARNING: ${#found[@]} infected package(s) found:"
for pkg in "${found[@]}"; do echo " - $pkg"; done
echo
echo "You may be infected."
fi
EOF
)
there have been other updates, but, for those who want to know not only if you have compromised versions installed, but ANY versions from the list installed, i made a quick update to cscs's script: https://gist.github.com/bwhitehead0/74a8960e33e641cfa820f448a7a12d8e
Many thanks!
we seriously need these as hot/live patches
Thank you my hero
"Forked to fetch the package list dynamically from the official Arch HedgeDoc instead of hardcoding it: https://gist.github.com/caveat-ops/bfd78fe1f8e1ec7593e40c440297a18c"
This is awesome 😎 bro. Thanks for the script. God bless
Thanks.
Much appreciated.
Thank you!
I’ve consolidated the community detection scripts (yours + BrianCArnold + commonsourcecs + Kacper-Kondracki + quantenProjects) into a single repo:
Now probably has integrated most of the concerns brought up here. Might still be worth a look, but certainly use what you like, and make sure you take a look what you execute before you execute it. (Bump for the scroll to the bottom of gist immediately cases 😉 )
Thank you!
Fortunately, I was on holiday so I did not update a thing..
Shouldn't you make a repository?
So contribute if someone finds something else, having a dynamic list.json that the script downloads when starting.