nightdevil00/aur-malware — explained in plain English
Analysis updated 2026-05-18
Scan installed AUR packages against a list of over 1,900 known-infected packages.
Detect hidden processes and rootkit-style persistence like ld.so.preload injection.
Run continuous protection via a systemd timer with desktop notifications.
Get a PASS/WARN/FAIL report across thirteen distinct malware indicators.
| nightdevil00/aur-malware | spacepirate15/quantum-free-router | 3b1b/site_demo | |
|---|---|---|---|
| Stars | 28 | 28 | 27 |
| Language | Shell | Shell | Shell |
| Last pushed | — | — | 2021-04-10 |
| Maintenance | — | — | Dormant |
| Setup difficulty | easy | easy | easy |
| Complexity | 2/5 | 3/5 | 1/5 |
| Audience | ops devops | developer | general |
Figures from each repo's GitHub metadata at analysis time.
No installation required, can run standalone or as a systemd timer.
This repository contains a shell script that checks an Arch Linux computer for signs of a specific malware campaign called atomic-lockfile. The campaign spreads through AUR, the community-maintained software repository that Arch Linux users frequently use to install apps not found in the official package channels. If a malicious package slips in through that route, it can hide itself in ways the system does not flag on its own. The script runs thirteen separate checks in sequence. It compares every AUR package you have installed against a list of over 1,900 known-infected packages pulled from community-maintained remote sources. It also looks for subtler signs: processes that appear in the kernel's process table but are invisible to normal inspection tools (a common rootkit technique), suspicious entries in startup scripts, shared library injection via a file called ld.so.preload, and executables running from temporary folders where legitimate software rarely lives. Each check returns a PASS, WARN, or FAIL result. A FAIL, especially if the atomic-lockfile npm package is detected anywhere on the system, means the machine should be treated as fully compromised. The script's own guidance is blunt: back up your data, reinstall the OS from scratch, and rotate every credential you have used on that machine, including SSH keys, browser sessions, and any API tokens. You can run the script once with no installation, or set it up as a systemd timer that runs automatically at boot and every six hours after. It supports desktop notifications through standard notification tools so you can see alerts without opening a terminal. The infected-package list updates automatically each time the script runs, falling back to the bundled local copy if the network is unavailable.
A shell script that scans Arch Linux systems for signs of the atomic-lockfile AUR malware campaign.
Mainly Shell. The stack also includes Shell, systemd.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.