AUR Compromised - Almost 2000 packages affected - 20260611

As recently discussed on the Arch Mailing list there appears to have been a large coordinated attack on the AUR some time within the last 24 hours that seems to have resulted in a rather sizable amount of packages being contaminated with malware.

This is a good reminder that the AUR is open, unofficial, user-produced, content.

The only secure way to use the Arch User Repository is by reviewing every PKGBUILD.

While efforts are now underway to clean out any problem packages there still exists the possibility that some users may have inadvertently downloaded some of these malicious sources.

Clarify

In case it needs to be stated plainly: the CachyOS repos are unaffected.
Using pacman or upgrading with it such as pacman -Syu would be safe.
This can only possibly apply to users who installed or upgraded any of the compromised packages from the AUR during the time of exploitation.

If unsure the following command will print any installed foreign packages:

pacman -Qm

If you do use foreign packages and want to check if any of them match the list of compromised packages then there are some various approaches, some of which are detailed below.

Scripted check

Out of an abundance of caution I have duplicated efforts elsewhere to have a checkup script and will update it if and as more packages are found to be affected.

You can run it remotely using the following commands.

BASH, others:

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)

FISH:

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

Unscripted check

If avoiding any kind of execution during this time is preferable then a companion simple text list is available.
It can be used manually or with the following one-liners to perform a simpler comparison.

BASH, others:

echo "Affected Packages Found:"; comm -12 <(pacman -Qq | sort) <(curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort) | { read -r l && printf '%s\n' "$l" || echo "None. No known compromised packages are installed."; }

FISH:

echo "Affected Packages Found:"; comm -12 (pacman -Qq | sort | psub) (curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt | sort | psub) | { read -r l && printf '%s\n' "$l" || echo "None. No known compromised packages are installed."; }

What to do if believed to be affected?

( as adapted from the original )

1. To inspect: Do not power off - Do disconnect - Use forensic acquisition with trusted media
2. Rotate ALL credentials: Discord, GitHub, npm, Slack, Teams, SSH keys, Vault tokens, cloud provider keys
3. Check for persistence: systemctl list-units --type=service --state=running (check for unknown services)
4. Check for eBPF rootkit: ls -la /sys/fs/bpf/hidden_*
5. Clean with trusted media: Boot from Cachy or other Arch ISO, mount filesystem, remove malicious systemd units
6. Consider wipe and reinstall: Any rootkit makes the system untrustworthy
7. Report novel findings: Aur-general - lists.archlinux.org

Information regarding the compromised AUR packages

Install anti malware software people!

also some big names on that list above

bash < (curl -s ``https://cscs.pastes.sh/raw/aurvulntest20260611.sh``)
fish: Invalid redirection target:
bash < (curl -s ``https://cscs.pastes.sh/raw/aurvulntest20260611.sh``)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

This wouldn’t work for me but " curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash " did

curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash
Checking for infected AUR packages (446 total)…

Clean: none of the known infected packages are installed.

thanks for the script

I use the good old brain.exe

Given that it has some random `` added to the front and back of the URL I would probably not expect it to.

But now I need to wonder - does it work if run as written?

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)

Not working either. Very possible my phone is doing some weird copy/paste stuff (remoted into my arch desktop to check as I try and put kids to sleep.

IMG_11901179×2556 417 KB

Fish thing maybe?

Edit: yeah. Fish thing. Changed prompt to bash and it worked.

IMG_11911179×2556 266 KB

indeed there is no shebang.

But does shemove? shemove?

Even if an accident still a little embarassing.

Anyways it should be fixed now.

( Thanks for pointing it out. )

Happens to the script you cloned this from as well. I guess that user from Reddit doesn’t use fish either.

Yes but I also re-wrote it to ensure no hidden glyphs and with some minor changes etc .. and I know to always have a shebang. I dropped it while recopying the array portion and since my shell is already bash I did not notice on tests.

Anyhoo its there now.

The script has been getting updates here and here.

( Some package additions and some tweaks so it is not so slow and actually checks if the packages were installed in the last 2 days, etc.. )

And since after checking fish myself and realizing that of course redirection just works differently there .. the pipe method has replaced it in the original post above.

A helpful command to remember for listing your non-native(foreign/AUR) packages in case you wanted to manually check the list of afflicted:

pacman -Qm

this worked for me, thanks

oh wow…

linux-cachyos-deckify-native
linux-cachyos-native
linux-cachyos-rc-native

Yeah,I know, this is not any official cachyos package, but still… spooky.

Yeah of course that does not mean the repository kernels or packages were in any way infected … unsure if editing the announcement to point it out in order to explain that would be more helpful or more harmful (panic).

More helpful. Better to give too much info and be accused of being too wordy then not enough and being accused to holding things back.

I get this…

─❯ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)
fish: Invalid redirection target: 
bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh)
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
If you wish to use process substitution, consider the psub command, see: `help cmds/psub`
─❯

Me as well…

─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (475 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Yes, as it turns out fish does not recognize those kinds of redirects/command-substitutions.

Like .. you can .. but you need to add a special psub pipe to the end of each execution.

So something like the following would probably work;

bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

But it makes it unnecessarily longer with extra execution so I will stick to the single pipe to cover all bases while being succinct.

(It is in fact what I used to use as standard until replacing it with the first example you saw here.)

The OP has been edited to use the single pipe method for some hours now already.

─❯ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

Checking for infected AUR packages (480 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Same result if I run this…

─❯ curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | bash

Checking for infected AUR packages (480 total)...

Clean: None of the known infected packages were installed within 48 hours of the campaign.
─❯

Both work with Fish. This: bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh) does not. So, 2 out of 3 ain’t bad.

EDIT:

Either way, I really appreciate this script. Thanks for sharing it @cscs!