Nothing is stopping you from updating your system from the official repositories using
sudo pacman -Syu as usual. This only affected some of the AUR packages.
@cscs His non-executable script is excellent. His .txt list tracking impacted packages is a critically important and valuable contribution to the broader Arch community.
The script worked perfectly fine on my side. Thank you very much for providing it.
According to the script I fortunately had no affected packages installed. Hopefully there are no more packages added to the list.
Confirmed. The script can be seen as legit. At least the version I downloaded.
It may not work as well if you use wine. Better stick to /usr/bin/brain
A question related to the method of checking for AUR and other non official packages with pacman -Qm.
A package showing up there only means a package is not part of the official repos right now, it does not mean it never was, right?
For example, I have a package show up with pacman -Qm, but I have never used anything other than the official repos that come with a fresh install of cachyOS, and I have never touched AUR on my own. (cachyOS is my first Arch distro and I keep it vanilla for the moment)
The package that shows up for me is jack 0.126.0-6, and it was installed as a dependency during a fresh install of cachyOS, and then got marked as foreign at a later date.
[2026-04-09T22:25:58+0200] [ALPM] installed jack (0.126.0-6)
[2026-06-05T13:04:36+0200] [ALPM-SCRIPTLET] foreign jack
So am I correct in that assumption, i.e. something showing with pacman -Qm does not mean I got it from AUR?
So, -Qm shows "foreign packages", which is usually just the AUR but isn't necessarily limited to it. However, those other foreign sources are very unlikely and it doesn't sound like you would ever use them.
On the other hand, you did indeed get jack from the AUR. It was removed from the CachyOS native repositories, because it has been replaced by jack2. However, you likely ran an update script, like the one used in cachy-update which saw that you had jack installed and searched for a source to install it from and it fell back to the AUR. This would have shown up in the update output and you would have had to approve it.
You can quickly remedy this by replacing jack with jack2 from the native repo:
sudo pacman -Syu jack2
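The `pacman -Qm` check discussed above only lists foreign packages; the useful next step is to cross-reference that list against the .txt of impacted package names. The script below is an added example written for this thread, not cscs's script and not CachyOS tooling. The `pacman -Qm` output and the impacted list it contains are constructed sample data so it runs offline, and `impacted.txt` in the usage comment is an assumed filename.

```shell
#!/usr/bin/env bash
# Added example, not cscs's script from the thread: cross-check the foreign
# packages reported by `pacman -Qm` against a list of impacted AUR package
# names. Sample data below is constructed so the script runs offline; on a
# real system use "$(pacman -Qm)" and the downloaded .txt list instead.
set -u

# Constructed `pacman -Qm` output: "name version", one package per line.
PACMAN_QM_OUTPUT='jack 0.126.0-6
paru 2.1.0-2
yay-bin 12.4.2-1
epson-inkjet-printer-escpr2-clos-bin 1.2.3-1'

# Constructed impacted list: one name per line, blank lines and '#'
# comments allowed. Names here are illustrative, not the real list.
IMPACTED_LIST='# packages seen with the injected build-time npm call
example-malicious-bin
epson-inkjet-printer-escpr2-clos-bin'

# find_impacted QM_OUTPUT LIST -> prints "name version" for every foreign
# package whose name is on the list. Exit status 0 if anything matched,
# 1 if nothing did (same convention as grep).
find_impacted() {
    local qm="$1" list="$2" status=1 names name ver
    # Normalise the list: drop comments, trailing spaces and blank lines.
    names=$(printf '%s\n' "$list" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$' || true)
    while read -r name ver; do
        [ -n "$name" ] || continue
        # -x: whole-line match so "jack" cannot match "jack2"; -F: literal.
        if printf '%s\n' "$names" | grep -qxF -- "$name"; then
            printf '%s %s\n' "$name" "$ver"
            status=0
        fi
    done <<EOF
$qm
EOF
    return $status
}

# Usage on a live system: find_impacted "$(pacman -Qm)" "$(cat impacted.txt)"
if find_impacted "$PACMAN_QM_OUTPUT" "$IMPACTED_LIST"; then
    echo "impacted foreign packages found; remove them and treat credentials on this host as exposed"
else
    echo "no foreign package is on the impacted list"
fi
```

The whole-line match matters: a substring match would make an entry like `jack` flag `jack2`, and a missing flag is worse than a false positive here, so the list is matched literally and exactly.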
just means you can't currently get it from configured repos.
I got it from the native repos during the fresh install I did on the 9th of April as far as I can tell, then it just sat there and got marked as foreign on the 5th of June since it was dropped.
Anyhow, I will most likely replace it with pipewire-jack, since I use pipewire
Not at all. ClamAV is completely irrelevant to the vast majority of CachyOS users, and continually pushing this FUD agenda is frankly boring and pointless.
It has been explained in detail already, why do you continually ignore the facts?
This is a good strategy for the time being, unless you're ready to inspect and compare the PKGBUILDS in detail…
Indeed, it would be a good idea to open a topic to discuss any AUR transactions you are not so sure about. The first step is to check basics, for example:
Name: paru
Upstream URL: https://github.com/morganamilo/paru
Votes: 1217
Popularity: 37.47
Version: 2.1.0-2
Size: 0 B
Description: Feature packed AUR helper
First Submitted: 2020-10-19 00:43:50 (UTC)
Last Updated: 2025-12-12 05:03:03 (UTC)
Link: https://aur.archlinux.org/packages/paru
So you can see the "First Submitted" date; this is obviously about 6 years old, so it's not something created new for a recent attack.
You can also follow the links and look at the developer and some of their activity, history etc.
New developer? Then that's not increasing our security rating… Let's see:
Well, 1217 votes is tempting, but votes can be faked… but 6 years is respectable, and on GitHub you can see insights as well as ISSUES.
Finally, you can read the PKGBUILD, where SOURCE URLs should point to an official repository (GitHub, GitLab and so on…) or trusted mirrors.
Avoid dodgy sources, and be very suspicious of custom download scripts.
That works too. And yeah, if it never required an update then the package just would've sat there. I wrongly assumed that it had an update at some point.
What facts? Nothing but dumb anecdotes have come from you with no basis in reality or modern computing lol
No.
- The AUR incidents we see are Supply Chain Attacks, not virus infections. Perhaps you are unaware of this, yet you have been in this thread for quite a while.
- Attackers took over orphaned/abandoned PKGBUILDS
- They inserted a single line into the build script of many packages to call npm
- During installation, npm would fetch a package named "atomic-lockfile".
atomic-lockfile contains credential-stealing malware that also has eBPF rootkit capabilities, allowing it to hide its activity.
ClamAV is also the wrong tool in general for a desktop Linux user…
ClamAV is purpose built for people running Servers, not desktops - for mail gateways and file servers, to scan incoming mail attachments and files for WINDOWS VIRUSES before they are passed on to Windows Clients.
ClamAV is practically unable to detect any modern Linux malware - it is a signature based tool.
Basically, telling CachyOS users to install it for their safety is like telling them to take a hot shower on a cold day…
They'll feel warm for a while and then freeze to death.
Now stop with the FUD.
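The vetting steps posted earlier (read the PKGBUILD, make sure the source URLs point at an official repository or trusted mirror, be suspicious of custom download scripts) and the single injected npm line described in this post both come down to reading the PKGBUILD with a few specific questions in mind. The script below is an added example for this thread, not cscs's script and not anything from the AUR or CachyOS. The trusted-host allowlist is an assumption for illustration, and the sample PKGBUILD (including its npm line) is constructed, not a copy of a real compromised package.

```shell
#!/usr/bin/env bash
# Added example, not tooling from the thread: a first-pass static check of a
# PKGBUILD before building it. It flags (1) source= URLs whose host is not on
# a small allowlist, (2) checksums set to SKIP, and (3) lines inside the
# PKGBUILD's functions that fetch or execute code at build time (npm, npx,
# pip, curl, wget, eval, pipes into sh/bash, base64 -d). A clean result is a
# heuristic, not proof; a flagged line is a reason to read the file closely.
set -u

# Assumed allowlist for illustration; adjust to what you actually trust.
TRUSTED_HOSTS='github.com gitlab.com codeberg.org sourceforge.net files.pythonhosted.org'

# Constructed sample PKGBUILD: one off-allowlist source, SKIPped checksums,
# and one injected npm call in package(), the pattern described in the thread.
SAMPLE_PKGBUILD='pkgname=example-tool-bin
pkgver=1.2.3
pkgrel=1
arch=(x86_64)
url="https://github.com/example/example-tool"
source=("https://github.com/example/example-tool/releases/download/v${pkgver}/example-tool-${pkgver}-linux-x64.tar.gz"
        "https://files.example-mirror.net/extra.sh")
sha256sums=("SKIP" "SKIP")

package() {
  install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
  npm install atomic-lockfile >/dev/null 2>&1 || true
}'

# scan_pkgbuild FILE -> prints one "CATEGORY: detail" line per finding;
# exit status 0 when nothing was flagged, 1 otherwise.
scan_pkgbuild() {
    local file="$1" status=0 url host line url_list skips fetches

    # (1) Every URL inside the source=( ... ) array, which may span lines.
    url_list=$(awk '/^source(_[a-z0-9_]+)?=[(]/ {in_src=1} in_src {print} in_src && /[)]/ {in_src=0}' "$file" \
        | grep -oE '(git\+)?(https?|ftp)://[^"'"'"' )]+' || true)
    while read -r url; do
        [ -n "$url" ] || continue
        host=${url#*://}; host=${host%%/*}; host=${host#*@}
        case " $TRUSTED_HOSTS " in
            *" $host "*) ;;
            *) printf 'SOURCE_HOST: %s (%s)\n' "$host" "$url"; status=1 ;;
        esac
    done <<EOF
$url_list
EOF

    # (2) SKIP disables makepkg's integrity check for that source.
    skips=$(grep -nE "(\"|')SKIP(\"|')" "$file" || true)
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf 'CHECKSUM_SKIP: %s\n' "$line"; status=1
    done <<EOF
$skips
EOF

    # (3) Lines inside function bodies (name() { ... }) that reach out to the
    # network or run downloaded code. makepkg already fetches source=, so a
    # curl/wget/npm inside build() or package() is itself the warning sign.
    fetches=$(awk '/^[A-Za-z_][A-Za-z0-9_]*[(][)][[:space:]]*[{]/ {in_fn=1; next}
                   /^[}]/ {in_fn=0}
                   in_fn {print NR ": " $0}' "$file" \
        | grep -E '(^|[[:space:];&|])(npm|npx|pip[23]?|curl|wget|eval)([[:space:]]|$)|[|][[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)' || true)
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf 'BUILD_TIME_FETCH: %s\n' "$line"; status=1
    done <<EOF
$fetches
EOF
    return $status
}

# Usage: scan_pkgbuild /path/to/PKGBUILD. Here the constructed sample is
# written to a temp file and scanned.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$tmp"
if scan_pkgbuild "$tmp"; then
    echo "no findings"
else
    echo "review the findings above before running makepkg"
fi
rm -f "$tmp"
```

Run it against the PKGBUILD in the clone of the AUR repository, not against a package already installed: the point is to look before makepkg executes anything. It only covers the obvious shapes (an off-allowlist host, a skipped checksum, a build-time fetch); a payload hidden in a downloaded tarball or a patch file in the repository needs the same attention by hand.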
All of these are also false… Now what are your sources? Or are you just barking like a dog?
Many other sources
Clam AV Almost Bricked My Computer | Linux.org
I need help installing ClamAV - #3 by tbg - Newbies - Garuda Linux Forum
Scanning with clamAV - #4 by Aragorn - Software & Applications - Manjaro Linux Forum
https://forums.linuxmint.com/viewtopic.php?t=418409&sid=a8f0b9f956b04318c90a4288746a6739&view=print
https://discuss.getsol.us/d/11625-anti-virus-or-anti-tamper/17
antivirus software needed - Linux & Unix
This is an Announcement thread, publicly visible, and it is not proper that you should troll the thread with off topic FUD.
If you would like to discuss the (de)merits of ClamAV, please open a different thread and do it there. Unfortunately, the damage has already been done to this thread, but I'll still be reporting any other posts here about it as off-topic.
All personal anecdotes and forum posts. Probably grabbed from Gronk
have a blessed day
I tried to talk some sense into them some 8h ago, all to no avail. They seem oblivious to completely dominating the thread with this yes-but-no-but-yes flip-flop.
This thread was never organized or well moderated from the beginning. If it was, the first message would have all required info, locked, and updated when required. Instead, this amount of FUD and terrible outdated security advice is allowed to continue lol
Here's an on-topic question for a change: I just saw epson-inkjet-printer-escpr2-clos-bin on the list, too. But neither in the initial commit nor in the single other commit, I see that Atomic Arch npm-based approach.
Could anyone tell me how to detect the maliciousness in this package?