AUR Compromised - 1500+ packages affected - 20260611

As recently discussed on the Arch mailing list, there appears to have been a large coordinated attack on the AUR some time within the last 24 hours that seems to have resulted in a rather sizable number of packages being contaminated with malware.

This is a good reminder that the AUR is open, unofficial, user-produced content.

The only secure way to use the Arch User Repository is by reviewing every PKGBUILD.

While efforts are now underway to clean out any problem packages there still exists the possibility that some users may have inadvertently downloaded some of these malicious sources.


In case it needs to be stated plainly: the CachyOS repos are unaffected.
This can only possibly apply to users who installed or upgraded any of the compromised packages from the AUR during the time of exploitation.

If unsure the following command will print any installed foreign packages:

pacman -Qm

If you do use foreign packages and want to check if any of them match the list of compromised packages then there are various approaches, some of which are detailed below.


Out of an abundance of caution I have duplicated efforts elsewhere to have a checkup script and will update it if and as more packages are found to be affected.

You can run it remotely using the following commands.

BASH, others:

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)

FISH:

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

If avoiding any kind of execution during this time is preferable then a companion simple text list is available.
It can be used manually or with the following one-liners to perform a simpler comparison.

BASH, others:

echo "Affected Packages Found:"; comm -12 <(pacman -Qq | sort) <(curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort) | grep . || echo "None. No known compromised packages are installed."

FISH:

echo "Affected Packages Found:"; comm -12 (pacman -Qq | sort | psub) (curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort | psub) | grep . || echo "None. No known compromised packages are installed."

Information regarding the compromised AUR packages

Install anti malware software people!

also some big names on that list above

bash < (curl -s ``https://cscs.pastes.sh/raw/aurvulntest20260611.sh``)
fish: Invalid redirection target:
bash < (curl -s ``https://cscs.pastes.sh/raw/aurvulntest20260611.sh``)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

This wouldn’t work for me but " curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash " did

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (446 total)…

Clean: none of the known infected packages are installed.

thanks for the script

I use the good old brain.exe :sweat_smile:

Given that it has some random `` added to the front and back of the URL I would probably not expect it to.

But now I need to wonder - does it work if run as written?

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)

Not working either. Very possible my phone is doing some weird copy/paste stuff (remoted into my arch desktop to check as I try and put kids to sleep).

Fish thing maybe?

Edit: yeah. Fish thing. Changed prompt to bash and it worked.

indeed there is no shebang.

But does shemove? shemove?

Even if an accident still a little embarrassing. :sweat_smile:

Anyways it should be fixed now.

( Thanks for pointing it out. )

Happens to the script you cloned this from as well. I guess that user from Reddit doesn’t use fish either.

Yes but I also re-wrote it to ensure no hidden glyphs and with some minor changes etc .. and I know to always have a shebang. I dropped it while recopying the array portion and since my shell is already bash I did not notice on tests.

Anyhoo it's there now.

The script has been getting updates here and here.

( Some package additions and some tweaks so it is not so slow and actually checks if the packages were installed in the last 2 days, etc.. )

And since after checking fish myself and realizing that of course redirection just works differently there .. the pipe method has replaced it in the original post above.

A helpful command to remember for listing your non-native (foreign/AUR) packages in case you wanted to manually check the list of afflicted:

pacman -Qm
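
An offline variant of the two checks discussed in this thread (comparison against the text list, plus the "installed within the window" test), as an added example that is not the thread's script or any Arch/CachyOS tooling: it scans pacman's log for installs or upgrades of listed packages inside a time window. The package names, log lines and window bounds are constructed; on a real system you would pass a saved copy of the list and `/var/log/pacman.log`.

```shell
#!/usr/bin/env bash
# Added example (not the thread's script): offline cross-check of pacman's log
# against a locally saved copy of the affected-package list.

# recently_touched_affected LIST LOG START END
# Prints "timestamp action package" for each install/upgrade of a listed package
# logged inside [START, END). Bounds use the log's own local time
# (YYYY-MM-DDTHH:MM:SS); the UTC offset in the log is ignored (assumption:
# the machine's timezone did not change inside the window).
recently_touched_affected() {
    awk -v start="$3" -v end="$4" '
        FILENAME == ARGV[1] {                 # first file: one package name per line
            sub(/\r$/, ""); if ($1 != "") bad[$1] = 1; next
        }
        $2 == "[ALPM]" && $3 ~ /^(installed|upgraded|reinstalled)$/ && ($4 in bad) {
            ts = substr($1, 2, 19)            # [2026-06-11T09:15:02+0200] -> local time
            if (ts >= start && ts < end) print ts, $3, $4
        }
    ' "$1" "$2"
}

# Constructed sample data: package names, times and versions are made up.
make_sample() {
    printf '%s\n' example-tool-bin demo-theme-git unused-helper > "$1/list.txt"
    cat > "$1/pacman.log" <<'EOF'
[2026-06-01T08:00:00+0200] [ALPM] installed demo-theme-git (r10.abc-1)
[2026-06-11T09:15:02+0200] [PACMAN] Running 'pacman -U example-tool-bin.pkg.tar.zst'
[2026-06-11T09:15:04+0200] [ALPM] upgraded example-tool-bin (1.2.3-1 -> 1.2.4-1)
[2026-06-11T09:20:00+0200] [ALPM] upgraded bash (5.2-1 -> 5.3-1)
[2026-06-11T09:21:00+0200] [ALPM] removed unused-helper (0.1-1)
EOF
}

# Run the check on the constructed sample; the window bounds are placeholders.
demo() {
    dir=$(mktemp -d) && make_sample "$dir" &&
    recently_touched_affected "$dir/list.txt" "$dir/pacman.log" \
        2026-06-09T00:00:00 2026-06-12T00:00:00
    rm -rf "$dir"
}
demo
```

Nothing fetched from the network is executed here: the list is read only as data, and a hit means the package was installed or upgraded in the window, which is the point at which its PKGBUILD and install scripts would have run.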

this worked for me, thanks

oh wow…

linux-cachyos-deckify-native
linux-cachyos-native
linux-cachyos-rc-native

Yeah, I know, this is not any official cachyos package, but still… spooky.

Yeah of course that does not mean the repository kernels or packages were in any way infected … unsure if editing the announcement to point it out in order to explain that would be more helpful or more harmful (panic). :thinking:

More helpful. Better to give too much info and be accused of being too wordy than not enough and being accused of holding things back.

I get this…

─❯ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)
fish: Invalid redirection target: 
bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
If you wish to use process substitution, consider the psub command, see: `help cmds/psub`
─❯

Me as well…

─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (475 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Yes, as it turns out fish does not recognize those kinds of redirects/command-substitutions.

Like .. you can .. but you need to add a special psub pipe to the end of each execution.

So something like the following would probably work;

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

But it makes it unnecessarily longer with extra execution so I will stick to the single pipe to cover all bases while being succinct.

(It is in fact what I used to use as standard until replacing it with the first example you saw here.)

The OP has been edited to use the single pipe method for some hours now already. :slight_smile:

─❯ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

Checking for infected AUR packages (480 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Same result if I run this…

─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (480 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Both work with Fish. This: bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh) does not. So, 2 out of 3 ain’t bad. :grin:

EDIT:

Either way, I really appreciate this script. Thanks for sharing it @cscs!