lenucksi/aur-malware-check — explained in plain English
Analysis updated 2026-05-18
Scan an Arch Linux machine to see if any installed AUR packages were part of the June 2026 malware campaign.
Check npm and bun caches for the specific malicious packages used in the attack.
Refresh the known-compromised package list from the official Arch source before scanning.
Review indicators of compromise and attacker account details for incident response.
| lenucksi/aur-malware-check | pyenv/pyenv-virtualenvwrapper | asimovinc/asimov-1 | |
|---|---|---|---|
| Stars | 652 | 678 | 719 |
| Language | Shell | Shell | Shell |
| Last pushed | — | 2017-08-20 | — |
| Maintenance | — | Dormant | — |
| Setup difficulty | — | easy | hard |
| Complexity | — | 2/5 | 5/5 |
| Audience | ops devops | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
This repository is a set of detection tools for a specific security incident: a supply-chain attack on the Arch User Repository, known as the AUR, in June 2026. The AUR is a community-run collection of software packages for the Arch Linux operating system. In this attack, more than 1600 of those packages were tampered with so that installing them would also pull in malicious code. The author explains that they did not create most of this work. Scattered detection scripts and package lists had been shared by many people across community gists and forum posts, and this repository gathers them into one place so the information is easier to find and improve. The README gives clear credit to the original contributors and lists the reports and sources it draws from. The attack came in two waves. Both injected hidden install commands that pulled in harmful npm or bun packages, and both delivered the same kind of payload: an infostealer, which tries to steal saved credentials and browser data, and a rootkit, which hides itself deep in the system. The targets were developer credentials and secrets used in automated build pipelines. The main deliverable is a shell script that checks whether your machine has any of the affected packages installed. You make it executable and run it, with extra options for a full scan or for checking specific caches. There are two versions: the first is the reference version, and the second does the same job but scans logs much faster. The script can refresh its list of known-bad packages from an official Arch source, and it returns different exit codes depending on whether the system looks clean, has warnings, or shows signs of infection. The repository also includes the bundled package list, a file of indicators of compromise, the original community scripts kept for reference, a set of tests using fake package lists, and notes on the accounts involved in the attack. It is a focused, practical response to one event, meant to help Arch Linux users find out quickly whether they were affected.
A shell script toolkit that checks Arch Linux systems for packages compromised in the June 2026 AUR supply-chain attack.
Mainly Shell. The stack also includes Shell, Bash, Arch Linux.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.