I understand you are trying to push a more secure set of standard operating procedures.
And as far as that goes I would agree.
But to take it further and simply declare the method itself as inherently bad just because it can be abused by adversarial control that I would probably not agree with.
Every instance you show of this being an issue relies on something being provided by a malicious actor - whether that's typosquatting (i.e. wrong address, incorrect execution) or the supplier of the script nefariously showing one example in the browser and another to a shell. None of which applies, for example, to a script you yourself control.
If you did not blindly use the AUR - and specifically any of the problem packages during the campaigns .. then there should not be much related to this thread to be afraid about.
The team.
Here and on GitHub when the issue has been raised.
Is this weaponized "confusion" an attempt at trolling?
No one said bins are special in that they are immune to anything .. I simply point out their prevalence because they are the ones commonly adopted. And I am of the belief also that they offer little value being in the repos exactly because they are bins - users getting them from the AUR aren't compiling them so they don't save anything.
Due to the current influx of malicious packages uploaded to AUR
registration of new accounts is currently disabled while we are working
on the cleanup.
Thanks for your understanding.
Cheers,
artafinde on behalf of Dev Ops of Archlinux
15 Jun 2026 11:01 a.m.
I think he is very panicked like many others. And I'm thinking he doesn't know how bins and self-compiled packages work.
@mihalycsaba A knowledgeable PC user should know that bins are pre-compiled - they are like Windows' EXE files. They can contain malware for sure but I think will be kicked out by AUR's anti-malware system (if they have one). PKGBUILDs are not pre-compiled and must be compiled by your machine. These "scripts" can be compromised to insert malicious code. These bad guys additionally used legit sources like npmjs.com to load that malicious code. So I think it makes it harder for malware detection.
In this AI era, you are able to learn faster and more efficiently (particularly if you prohibit the AI from hallucinating). But in the case of IT, hallucination isn't really necessary because IT follows hard rules. But you also simply can use a search engine of your choice to learn something about pre-built packages and PKGs. It's better than going crazy.
Keep in mind: Nothing is 100% secure! Launchpad was already compromised in the past and also Linux Mint was hacked to spread malicious ISOs. And there was also a case of malicious Flatpaks. The biggest security breach is human!
I'm also a bit worried whether I have been infected or not and run the script whenever new packages are found. But I use big projects and they are 99% safe. And when you avoid very old packages, you are also safe! I bet the AUR team works hard to clean this mess but it also needs a new security system to avoid such things in the future.
This is why the biggest security upgrade is an educated human! Trust not to AI or randos on the internet, learn how things work and then you're the last line of defense, fellow users.
AI is in some cases more helpful than randos - in my experience. To demonize AI is also the wrong way because it is mostly trained by educated humans and has access to much reading material in any case. But that's the wrong place to discuss AI here and every person has their own point of view. But keep in mind that a medal always has two sides.
Most of what we have to do now, and what the AUR team is now doing, has already been said.
I know how -bins and PKGBUILDs work; you can hide malicious stuff in bin packages too. It's not the first time in this thread that -bin packages were separately mentioned; once they were mentioned like they were safer than compiled ones and I was annoyed, because I asked like 3 times about the update process before someone finally linked something.
Right now it looks like someone manually approves every update to every package from the AUR. That seems like a lot of work. I don't know how many packages there are, but I wouldn't be surprised if it's a few hundred at least.
I still think it would be good to have a separate repo for the AUR packages, because right now you have to check on the package page to see if it's from the AUR. Also apparently there are people who only use pacman and don't get anything with AUR helpers.
I agree, it's just another tool in the toolbox. It's like people telling you not to use a power screwdriver because you have better control with the hand-held one. I use both.
@mattsteg Why are you laughing? If you don't know how to personalize your AI you're a loser. Every AI can be personalized! Tell it to stop hallucinating and it does it. I've used and tested many AIs and if you don't believe it, it's your problem.
And when you think the way you do at this moment, you should stop using any kind of technology and become Amish. Almost everything is made by "grubby little hands" - also your clothes! If you don't know how to use things FOR YOU, you're simply lost!
As Kornnugget said: AI is just a tool in a toolbox. If you don't know how to use it right, just leave it in the box and don't blame it for your failing, or learn how to use it right.
People that demonize AI are dumb, and so are people that hype AI above all!
Not the place to be discussing the efficacy of AI chat bots. Please take it somewhere else.
If it comes up in the context of informing or helping people with any questions or difficulties that have arisen from this whole deal, then by all means, but this most certainly isn't that.
...and another thread that goes completely off the rails over time. Guys, really, is it so hard to stick to a topic or open another thread to discuss something else?
aur-malware-check.sh -h
Usage: /home/user/bin/aur-malware-check.sh [OPTIONS]
Options:
--check-systemd Scan for unknown systemd services (Restart=always)
--check-ebpf Check for eBPF rootkit traces (/sys/fs/bpf/hidden_*)
--check-npm-cache Check npm cache for packages listed in malicious_npm_packages.txt
--check-bun-cache Check bun cache for packages listed in malicious_npm_packages.txt
--check-pkgbuild Scan AUR helper caches for obfuscated malicious commands in PKGBUILD/install files
--full Enable all checks
--refresh Download the latest package list before scanning
--verbose, -v, --debug Verbose output (--debug also enables set -x)
--log-file=PATH Write full detail log to PATH (auto: aur-check-<date>.log)
--package-list=PATH Custom infected AUR package list (default: ./package_list.txt)
--malicious-npm-list=PATH Custom malicious npm package name list (default: ./malicious_npm_packages.txt)
--all-time Disable recency window - flag any installed infected
package regardless of install date (for cross-campaign checks)
--no-notify Suppress the desktop notification on detection
--help, -h Show this help
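To show what the "--check-systemd" option above is looking for, here is an added example written for this post, not the aur-malware-check.sh script itself: it lists unit files that set Restart=always and are not on a list of package-owned unit paths. The real script presumably consults pacman to learn which units a package owns; this example assumes that list is handed in as a plain file, so it runs offline on constructed sample units.

```shell
#!/bin/sh
# Added example (not the aur-malware-check.sh script from the post): a minimal
# version of the "--check-systemd" idea. A service that restarts forever and
# that no installed package owns is a classic persistence hint worth reviewing.

# Usage: find_unknown_restart_units UNIT_DIR OWNED_LIST
# Prints (sorted, one per line) every *.service in UNIT_DIR that sets
# Restart=always and whose path is NOT listed in OWNED_LIST.
find_unknown_restart_units() {
    unit_dir=$1
    owned_list=$2
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        # Only units that request Restart=always (commented-out lines ignored).
        grep -Eq '^[[:space:]]*Restart[[:space:]]*=[[:space:]]*always' "$unit" || continue
        # Skip units a package owns: exact whole-line path match in the list.
        grep -Fxq "$unit" "$owned_list" && continue
        printf '%s\n' "$unit"
    done | sort
}

# Build constructed sample input in a temporary directory and print its path.
make_sample() {
    dir=$(mktemp -d)
    # Package-owned service that legitimately restarts forever: not flagged.
    printf '[Service]\nExecStart=/usr/bin/sshd -D\nRestart=always\n' > "$dir/sshd.service"
    # Unknown service that also restarts forever: this one is flagged.
    printf '[Service]\nExecStart=/opt/unknown/agent\nRestart=always\n' > "$dir/systemd-helper.service"
    # Unknown service without Restart=always: outside this check's scope.
    printf '[Service]\nExecStart=/usr/local/bin/backup\nRestart=on-failure\n' > "$dir/backup.service"
    # The "owned" list stands in for package-ownership data (assumption:
    # the real script would derive this from the package manager).
    printf '%s\n' "$dir/sshd.service" > "$dir/owned.txt"
    printf '%s\n' "$dir"
}

sample_dir=$(make_sample)
find_unknown_restart_units "$sample_dir" "$sample_dir/owned.txt"
```

On a real system you would point UNIT_DIR at the systemd unit directories and build OWNED_LIST from the package manager's file ownership data, then review each flagged unit by hand.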