aur_check.sh (OUTDATED, check https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14)

aur_check.sh

#!/usr/bin/env bash

# OUTDATED. YOU MAY WANT TO USE A CHECK THAT PULLS FROM AN AUTHORITATIVE LIST OF INFECTED PACKAGES
# CHECK https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

# AUR atomic-lockfile malware check @ June 11 2026
# Sources:
#   https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/
#   https://gr.ht/aur_pkg_list.txt

INFECTED_PKGS=(
    123pan-bin
    1code
    8192eu-dkms-git
    actual-ai
    adblock2privoxy
    aion-git
    albion-online-launcher-bin
    alienfx
    alvr
    android-signapk
    android-signapk-gui
    annobin
    ansible-language-server
    antfs-cli-git
    anythingllm-appimage
    anythingllm-cli-bin
    apk-installer-gui
    apm_planner-bin
    apothem
    apple-music-desktop
    arch-update-vai
    archjh
    archlinux-themes-slim
    archmage
    archtex-git
    artanis-git
    astro-editor-appimage
    autohand-cli
    autolabel
    autologin
    azurlaneautoscript
    bcachefs-kernel-dkms-git
    beebeep
    bitcoin-core-git
    blinkenlib
    blueproximity-py3-git
    booklore
    brow6el
    brow6el-git
    canon-pixma-mg3000-complete-fixed
    cartridge-cli
    ccase-bin
    ccl-git
    cgminer
    charcoal
    cinny-desktop-system-tray
    clai
    clang19
    clash-mi
    cling-git
    cmuclmtk
    cnijfilter-common
    codenomad-bin
    codeql-cli-bin
    cogpit-bin
    colorhug-client
    colorz
    compiler-rt19
    compizconfig-python
    coolreader
    cowdancer
    cutefish-calculator
    cutefish-core
    cutefish-dock
    cutefish-filemanager
    cutefish-icons
    cutefish-launcher
    cutefish-qt-plugins
    cutefish-screenlocker
    cutefish-screenshot
    cutefish-settings
    cutefish-statusbar
    cutefish-wallpapers
    cvs-feature-bin
    cynthiune.app
    dagu-bin
    datatype99
    deheader
    dep
    dh-python
    difi
    difi-bin
    doctoc
    dots-hyprland-fork-git
    dvdrip
    dyad-bin
    easy_spice
    edconv-bin
    eisl
    epson-inkjet-printer-escpr2-clos-bin
    exodus-wallet-bin
    exoduswallet
    farmmod-hub
    fastoggenc
    fastjet
    fatx
    fcitx5-pinyin-sougou-dict-git
    ffmpeg-bitrate-stats
    ffmpeg-quality-metrics
    findpkg-git
    firefox-extension-adnauseam-bin-amo
    firmium-desktop-git
    fishui
    fishui-git
    flexiblas
    flynarwhal
    fmlib
    forgecode-bin
    formidable-bin
    frame
    ftl
    frutool
    futhark-bin
    gdl
    gdlmm
    git-annex-standalone
    gnome-contacts-git
    gnutls3.8.9
    gopher2600
    gopher2600-bin
    gosh
    gpx-viewer
    graveman
    green-tunnel-bin
    greetd-wlgreet-git
    gtkimageview
    guile-reader
    gummy
    gummy-git
    hackmatrix-git
    harmony-wad
    headphones
    hearthstone-linux-gui-appimage
    hearthstone-linux-gui-bin
    hepmc2
    hister-git
    hnswlib-git
    horst
    hydownloader-git
    hydrus-git
    i3bar-river
    ianny-bin
    ibm-sw-tpm2
    ihaskell-git
    imageglass
    inadyn
    indicator-session
    infnoise-openssl-git
    interface99
    ios-webkit-debug-proxy
    ipfs-desktop-bin
    ipsw
    iron-heart-git
    jasp-desktop
    jd-gui
    k3sup
    kdb
    kddockwidgets-git
    kexi
    kiss
    ktea
    kookbook
    kproperty
    kreport
    latex-digsig
    lazylpsolverlibs-git
    lesstif
    lib32-egl-wayland
    libafterimage
    libbobcat
    libcutefish
    libffi-static
    libgdata
    libjxl-noglycin
    libquvi
    libquvi-scripts
    libretro-hatari-enhanced-git
    libxdiff
    libxml-ruby
    libyami
    linux-cachyos-deckify-native
    linux-cachyos-native
    linux-cachyos-rc-native
    linux-tool
    liri-cmake-shared-git
    lite
    lll
    llvm-cbe-git
    lowfi-bin
    "ls++"
    lucidvideo
    m5rcode
    magpie-wm
    mako-center-git
    manuskript
    maszyna-git
    mathsat-5
    matrixbrandy
    mcp-probe
    mcpatcher
    mermaid-ascii-git
    mermark-editor
    mesa-dlss-reflex-git
    mimic-node-git
    mingw-w64-geos
    mingw-w64-libsndfile
    minimax-bin-hardened
    misuzu-music-bin
    mono-addins
    monochrome
    monochrome-git
    moor-git
    mount-gtk
    mopen
    n1-translator
    naemon
    naemon-livestatus
    natapp
    nebuchadnezzar-git
    neovim-autopairs-git
    neovim-nvim-treesitter
    nerf-pi
    neuro-karaoke-wrapper-git
    new-api-privacy-filter
    new-api-privacy-filter-git
    nexus-bin
    nginx-mod-vts
    nhentai-git
    nocodb
    noctyra-dotfiles-git
    "notepad---bin"
    nox-bin
    nrpe
    nwchem-bin
    ob-xd
    octocode
    opencode-codebase-index-bin
    openui5
    opl-synth
    optimizevideo-git
    oracle-bin
    pacforge
    paper-desktop-bin
    paq8o
    parallel-python
    pass-cli
    pelican-git
    penguin-subtitle-player
    perl-proc-parallelloop
    perl-set-object
    perl-term-extendedcolor
    phonon-qt5-vlc
    php-geoip
    php-memcache
    php-openswoole-git
    php-xdiff
    picom-ftlabs-git
    pidgin-kwallet
    pipetoys
    pipewire-visualizer-git
    premake-git
    prisma4postgres-bin
    profile-sync-daemon-zen
    pymacs
    pypiserver
    pypy-setuptools
    python-argdispatch
    python-awkward
    python-calmjs
    python-celery
    python-ci-info
    python-coolname
    python-cu2qu-git
    python-dataproperty
    python-dbapi-compliance
    python-dictobject
    python-dj-database-url
    python-fastmcp-slim
    python-finnhub-python
    python-firebase-admin
    python-fmu_manipulation_toolbox
    python-future
    python-g4f
    python-hist
    python-histoprint
    python-hsaudiotag3k
    python-iminuit
    python-iso3166
    python-isr-git
    python-jsmin
    python-json2xml
    python-luckydonald-utils
    python-milvus-lite-bin
    python-mmcif
    python-monotonic
    python-mplhep
    python-mplhep_data
    python-netaudio-git
    python-netaudio-lib
    python-newspaper4k
    python-nipype
    python-nodejs-wheel
    python-openai-harmony
    python-pdf2docx
    python-piecash
    python-pluginmgr
    python-poetry-plugin-dotenv
    "python-pushbullet.py"
    python-pychromecast-git
    python-pylsp-rope
    python-pymilvus
    python-pysocks-git
    python-rembg
    python-scikit-hep-testdata
    python-sklearn-pandas
    python-sqliteschema
    python-starlette-compress
    python-starsessions
    python-steamcontroller-git
    python-tabledata
    python-tarantool
    python-tradingeconomics
    python-uhi
    python-uproot
    python-vector
    python-xtarfile
    python2-appdirs
    python2-fusepy
    python2-lazr-uri
    python2-mutagen
    python2-notify
    python2-packaging
    python2-paver
    python2-pyparsing
    python2-simplejson
    python2-simpleparse
    python2-stomper
    python2-twodict-git
    python2-xlib
    qhttpengine
    qlementine
    qmdnsengine
    qnapi
    qobuz-player-bin
    qtum-core
    quickswitch-i3
    r-dbplyr
    reactphysics3d
    repoporge
    retibbs-client-git
    rhythmbox-git
    rimworld
    rog-helper-git
    ros2-humble-nav2-msgs
    ruah-orch
    ruby-excon
    ruby-kramdown-rfc2629
    ruby-selenium-webdriver
    runescape-launcher
    sakura-launcher-gui
    sandlock
    screenpipe-bin
    sdcc-bin
    seahorse-nautilus
    shhmsg
    shhopt
    slipnet
    slipnet-bin
    smenu
    smenu-git
    smolrtsp
    smolrtsp-libevent
    snry-shell-qs
    soapyptezuka
    solara-kernel-headers
    sonosano
    soundpaad-bin
    sshuttlee
    sshuttlee-bin
    stompbox-jack-git
    stripe-cli
    stylelint-config-recommended
    subbrute
    sublist3r-git
    subprocess
    subsync
    svu
    sway-xkb-switcher
    tack
    tarantool
    tesseract-gui
    thunar-nextcloud-plugin
    thunderbird-conversations
    tinyemu
    tlpui-git
    torch7-git
    touchhle
    touchosc-bin
    transcreen
    tsm
    ttf-material-design-icons-git
    tunacode-cli
    typing-game-cli
    ukui-notification-daemon
    vapoursynth-preview-git
    vbam-git
    verso-git
    vidcutter
    vim-easymotion
    vim-gitgutter
    vim-indent-object
    vim-molokai
    vim-solidity
    vim-vital
    vocalinux-git
    voquill-gpu
    wallpaper-generator-next
    wayland-static
    we-layerd-git
    whatsie-git
    whisper2tr
    whisper2tr-git
    windowmaker-git
    wine-nine
    wire-desktop
    word-snatchers-cli
    workbench
    workbuddy-bin
    wrystr-git
    wsjtx-beta
    xf86-input-mtrack-git
    xorg-xfsinfo
    xplot
    xpra-html5
    xray-domain-list-community
    yarg
    yt6801-dkms
    yy
    zathura-gruvbox-git
    zerx-lab-dida-bin
    zerx-lab-zed-nightly-bin
    zing-8-bin
    zing-17-bin
    zing-21-bin
    zinnia-python
    zsdx
)

echo "Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)..."
echo

found=()
for pkg in "${INFECTED_PKGS[@]}"; do
    if pacman -Qi "$pkg" &>/dev/null; then
        found+=("$pkg")
    fi
done

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do
        echo "  - $pkg"
    done
fi

@rpdelaney you may want to check out the repository posted here by lenucksi an hour ago, it has a script that does exactly that (and also checks for activity within the actual time-window of the attack).

just a heads up for anyone else: I ran into a false positive where stripe-cli flagged but I actually have stripe-cli-bin installed which is all clear (I just checked the history on AUR, its pulling from the official github releases for the past few updates).

@rpdelaney Just a heads up: The grep search pattern you used will raise false positives if any part of a package name is in another package name.

e.g. yy will be raised with yyjson, kdb will be raised with kdbusaddons

Consider changing the search pattern to "installed ${pkg} (". This ensures the exact package is checked

Thank you for this!

Thanks @AstroLightz, I edited it

i ran commonsourcecs's script, and thank god my system is clean

though i got curious and ran the script in this gist:

Checking for infected AUR packages (446 total)...

WARNING: 2 infected package(s) found:
  - jd-gui
  - libgdata

so if i had updated my aur packages around june 9 - 12, the hackers would've gotten a nice double dip of my accounts & data.

i guess i can thank myself for not updating my system so often. either way this is a wakeup call to not use the aur anymore 😬

Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

Hey everyone! You may want to use this updated version that pulls from the authoritative note by the Arch team: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14

thanks, copy and paste into terminal version (double check the code and Arch note url for safety)

bash -c 'LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"; TMP_INFECTED=$(mktemp); TMP_INSTALLED=$(mktemp); trap "rm -f $TMP_INFECTED $TMP_INSTALLED" EXIT; echo "Fetching infected package list..."; raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch"; exit 1; }; mapfile -t INFECTED_PKGS < <(echo "$raw" | sed "s/<[^>]*>//g" | grep -E "^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$" | sort -u); count=${#INFECTED_PKGS[@]}; [[ $count -eq 0 ]] && { echo "ERROR: parsed 0 packages."; exit 1; }; echo "Checking $count known infected packages against ALL installed packages..."; echo; printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"; pacman -Qq 2>/dev/null | sort > "$TMP_INSTALLED"; mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED"); if [[ ${#found[@]} -eq 0 ]]; then echo "Clean: none of the known infected packages are installed."; else echo "WARNING: ${#found[@]} infected package(s) found:"; for pkg in "${found[@]}"; do ver=$(pacman -Q "$pkg" 2>/dev/null | awk "{print \$2}"); echo "  - $pkg  (installed version: $ver)"; done; echo; echo "You may be infected."; fi'

or

#!/usr/bin/env bash
LIST_URL="https://md.archlinux.org/s/SxbqukK6IA"
TMP_INFECTED=$(mktemp)
TMP_INSTALLED=$(mktemp)
cleanup() { rm -f "$TMP_INFECTED" "$TMP_INSTALLED"; }
trap cleanup EXIT

echo "Fetching infected package list..."
raw=$(curl -fsSL --max-time 15 "$LIST_URL") || { echo "ERROR: failed to fetch $LIST_URL"; exit 1; }

mapfile -t INFECTED_PKGS < <(echo "$raw" | sed 's/<[^>]*>//g' | grep -E '^[a-z0-9][a-z0-9_.+\-]*[a-z0-9]$' | sort -u)

count=${#INFECTED_PKGS[@]}
if [[ $count -eq 0 ]]; then echo "ERROR: parsed 0 packages."; exit 1; fi

echo "Checking $count known infected packages against installed AUR packages..."
echo

printf "%s\n" "${INFECTED_PKGS[@]}" > "$TMP_INFECTED"

if ! pacman -Qmq 2>/dev/null | sort > "$TMP_INSTALLED"; then
    echo "ERROR: failed to query installed packages (DB locked?)"
    ls /var/lib/pacman/db.lck &>/dev/null && echo "  Stale lockfile may be the cause."
    exit 1
fi

mapfile -t found < <(comm -12 "$TMP_INSTALLED" "$TMP_INFECTED")

if [[ ${#found[@]} -eq 0 ]]; then
    echo "Clean: none of the known infected packages are installed."
else
    echo "WARNING: ${#found[@]} infected package(s) found:"
    for pkg in "${found[@]}"; do echo "  - $pkg"; done
    echo
    echo "You may be infected."
fi
EOF
)

there have been other updates, but, for those who want to know not only if you have compromised versions installed, but ANY versions from the list installed, i made a quick update to cscs's script: https://gist.github.com/bwhitehead0/74a8960e33e641cfa820f448a7a12d8e

Many thanks!

we seriously need these as hot/live patches

Thank you my hero

"Forked to fetch the package list dynamically from the official Arch HedgeDoc instead of hardcoding it: https://gist.github.com/caveat-ops/bfd78fe1f8e1ec7593e40c440297a18c"

This is awesome 😎 bro. Thanks for the script. God bless

Thanks.

Much appreciated.

Thank you!

I’ve consolidated the community detection scripts (yours + BrianCArnold + commonsourcecs + Kacper-Kondracki + quantenProjects) into a single repo:

https://github.com/lenucksi/aur-malware-check

https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992?permalink_comment_id=6196132#gistcomment-6196132

Now probably has integrated most of the concerns brought up here. Might still be worth a look, but certainly use what you like, and make sure you take a look what you execute before you execute it. (Bump for the scroll to the bottom of gist immediately cases 😉 )

Thank you!
Fortunately, I was on holiday so I did not update a thing..