whatisgithub

What is aur-malware-check?

lenucksi/aur-malware-check — explained in plain English

Analysis updated 2026-05-18

652ShellAudience · ops devops

In one sentence

A shell script toolkit that checks Arch Linux systems for packages compromised in the June 2026 AUR supply-chain attack.

Mindmap

mindmap
  root((aur-malware-check))
    What it does
      Detects compromised AUR packages
      Consolidates community scripts
      Checks npm and bun caches
    Tech stack
      Shell
      Bash
      Arch Linux pacman
    Attack context
      Two malware waves
      Infostealer payload
      eBPF rootkit
    Features
      v1 and v2 scanners
      Refreshable package list
      Exit code status
    Audience
      Arch Linux users
      Security responders

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan an Arch Linux machine to see if any installed AUR packages were part of the June 2026 malware campaign.

USE CASE 2

Check npm and bun caches for the specific malicious packages used in the attack.

USE CASE 3

Refresh the known-compromised package list from the official Arch source before scanning.

USE CASE 4

Review indicators of compromise and attacker account details for incident response.

What is it built with?

ShellBashArch Linux

How does it compare?

lenucksi/aur-malware-checkpyenv/pyenv-virtualenvwrapperasimovinc/asimov-1
Stars652678719
LanguageShellShellShell
Last pushed2017-08-20
MaintenanceDormant
Setup difficultyeasyhard
Complexity2/55/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

So what is it?

This repository is a set of detection tools for a specific security incident: a supply-chain attack on the Arch User Repository, known as the AUR, in June 2026. The AUR is a community-run collection of software packages for the Arch Linux operating system. In this attack, more than 1600 of those packages were tampered with so that installing them would also pull in malicious code. The author explains that they did not create most of this work. Scattered detection scripts and package lists had been shared by many people across community gists and forum posts, and this repository gathers them into one place so the information is easier to find and improve. The README gives clear credit to the original contributors and lists the reports and sources it draws from. The attack came in two waves. Both injected hidden install commands that pulled in harmful npm or bun packages, and both delivered the same kind of payload: an infostealer, which tries to steal saved credentials and browser data, and a rootkit, which hides itself deep in the system. The targets were developer credentials and secrets used in automated build pipelines. The main deliverable is a shell script that checks whether your machine has any of the affected packages installed. You make it executable and run it, with extra options for a full scan or for checking specific caches. There are two versions: the first is the reference version, and the second does the same job but scans logs much faster. The script can refresh its list of known-bad packages from an official Arch source, and it returns different exit codes depending on whether the system looks clean, has warnings, or shows signs of infection. The repository also includes the bundled package list, a file of indicators of compromise, the original community scripts kept for reference, a set of tests using fake package lists, and notes on the accounts involved in the attack. It is a focused, practical response to one event, meant to help Arch Linux users find out quickly whether they were affected.

Copy-paste prompts

Prompt 1
Explain what the atomic-lockfile AUR supply-chain attack was and how it spread.
Prompt 2
Walk me through running aur_check-v2.sh on my system and interpreting the exit codes.
Prompt 3
What is the difference between an infostealer and an eBPF rootkit, both mentioned in this README?
Prompt 4
Help me merge my own package list with this repo's detection script using custom_list_merge_aur_scan.sh.

Frequently asked questions

What is aur-malware-check?

A shell script toolkit that checks Arch Linux systems for packages compromised in the June 2026 AUR supply-chain attack.

What language is aur-malware-check written in?

Mainly Shell. The stack also includes Shell, Bash, Arch Linux.

Who is aur-malware-check for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.