whatisgithub

What is aur-malware?

nightdevil00/aur-malware — explained in plain English

Analysis updated 2026-05-18

28ShellAudience · ops devopsComplexity · 2/5Setup · easy

In one sentence

A shell script that scans Arch Linux systems for signs of the atomic-lockfile AUR malware campaign.

Mindmap

mindmap
  root((AUR Malware Scanner))
    What it does
      Scans for atomic-lockfile malware
      Checks AUR packages
      Detects rootkit signs
    Tech stack
      Shell script
      systemd timer
    Use cases
      Audit installed AUR packages
      Detect hidden processes
      Monitor system automatically
    Audience
      Arch Linux users
      Security-conscious devs

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan installed AUR packages against a list of over 1,900 known-infected packages.

USE CASE 2

Detect hidden processes and rootkit-style persistence like ld.so.preload injection.

USE CASE 3

Run continuous protection via a systemd timer with desktop notifications.

USE CASE 4

Get a PASS/WARN/FAIL report across thirteen distinct malware indicators.

What is it built with?

Shellsystemd

How does it compare?

nightdevil00/aur-malwarespacepirate15/quantum-free-router3b1b/site_demo
Stars282827
LanguageShellShellShell
Last pushed2021-04-10
MaintenanceDormant
Setup difficultyeasyeasyeasy
Complexity2/53/51/5
Audienceops devopsdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

No installation required, can run standalone or as a systemd timer.

So what is it?

This repository contains a shell script that checks an Arch Linux computer for signs of a specific malware campaign called atomic-lockfile. The campaign spreads through AUR, the community-maintained software repository that Arch Linux users frequently use to install apps not found in the official package channels. If a malicious package slips in through that route, it can hide itself in ways the system does not flag on its own. The script runs thirteen separate checks in sequence. It compares every AUR package you have installed against a list of over 1,900 known-infected packages pulled from community-maintained remote sources. It also looks for subtler signs: processes that appear in the kernel's process table but are invisible to normal inspection tools (a common rootkit technique), suspicious entries in startup scripts, shared library injection via a file called ld.so.preload, and executables running from temporary folders where legitimate software rarely lives. Each check returns a PASS, WARN, or FAIL result. A FAIL, especially if the atomic-lockfile npm package is detected anywhere on the system, means the machine should be treated as fully compromised. The script's own guidance is blunt: back up your data, reinstall the OS from scratch, and rotate every credential you have used on that machine, including SSH keys, browser sessions, and any API tokens. You can run the script once with no installation, or set it up as a systemd timer that runs automatically at boot and every six hours after. It supports desktop notifications through standard notification tools so you can see alerts without opening a terminal. The infected-package list updates automatically each time the script runs, falling back to the bundled local copy if the network is unavailable.

Copy-paste prompts

Prompt 1
Explain what each of the thirteen checks in this script is looking for.
Prompt 2
Help me set up this script as a systemd timer that runs every six hours.
Prompt 3
What should I do if this script reports a FAIL result on my machine?
Prompt 4
Show me how the infected-package list is fetched and how the offline fallback works.

Frequently asked questions

What is aur-malware?

A shell script that scans Arch Linux systems for signs of the atomic-lockfile AUR malware campaign.

What language is aur-malware written in?

Mainly Shell. The stack also includes Shell, systemd.

How hard is aur-malware to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is aur-malware for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.