So they would completely vanish from the commit list? Excuse my stupid questions, I’m just trying to understand what’s going on.
As it's VCS/git, I suppose it would depend on exactly how the changes were reverted.
But at least from the earlier examples it appears that yes, they just disappear.
Take z-push as an example: it's on the list and had updates in the last few days, but if you observe its history you will see nothing recent.
yeah the malicious stuff just goes poof from the commit list but (at least when I was poking around) the “last updated” date showed the date of the malicious commit.
Okay, thanks. That… actually makes me even more scared of AUR. When a script that previously just downloaded some official deb thing from Epson suddenly turns into a credential-stealing rootkit monster, I go: https://www.youtube.com/watch?v=qlO3m2zpNSA&t=597s
Npm or bun just randomly showing up isn’t exactly innocuous though… as long as you read the PKGBUILD.
Some sort of reduction in freedom and increased ownership friction in the AUR is likely merited, especially given the prevalence of helpers
Just wanted to say thanks for the script checker.
I am not affected, but glad to know that the community is on top of this.
Apologies if this is covered elsewhere, but I have a machine that doesn’t have yay or paru on it, and as far as I’m aware has only ever been updated with pacman (correction: does have paru on it but I am sure it’s never been called by a user on the system). The only thing that may be from outside of it is steam native which I believe was installed via the cachyos package manager / clicking on install gaming packages in cachyos hello.
I recently ran pacman -Syuu to update packages and see that I have the libgdata package installed (pacman.log has a printed date of sometime in April — I guess that’s when it was last updated?); running the check script says it is affected. Should I clean install or is it likely from an official repo and just incorrectly coming up with -Qm? Is it fine because I only updated today and not during the 10-12 of June? It’s not a critical desktop with any saved credentials to my knowledge, so it’s likely not a huge deal, but I figure there may be others in a similar boat.
Edit: for what it’s worth, there is no atomic lock file, no bun, no js-digest, no npm/npx/pnpm/yarn/bun/bunx in pacman.log, but I don’t know if I should look elsewhere or if the malware cleans up anything.
what software of remote by phone
100%. This is top priority to handle this crisis with attention and show responsibility.
libgdata used to be provided by CachyOS (and Arch), but was removed from the repos.
That’s why it shows up in pacman -Qm. That command simply lists installed packages that are not found in the current version of remote repos, as configured in /etc/pacman.conf. It does not list packages sourced from AUR specifically. And, in fact, a package installed from AUR will not show up with pacman -Qm if a package with the same name exists in official repos.
You can verify whether your version was installed from CachyOS by running this:
pacman -Qi libgdata
It will likely report something along these lines:
Packager : CachyOS <admin@cachyos.org>
Build Date : ...
More crucial than the source is the build date, really. If it was built before June 9, it is likely safe.
Additionally, you can list all files installed by a package as follows, to see if anything looks sus:
pacman -Ql libgdata
Thanks for the speedy reply!
I think this was the issue. The note in the log shows that it was last updated in April, it was removed with the remove orphans button, and inspecting the log it wasn’t updated on the pacman update run today. So I am quite confident I shouldn’t be affected. Thank you again for helping me through my paranoia a bit!
It’s not paranoia when the threat is real! Always good to double check
You do have some foreign (AUR) packages.
And the first attempt at using the script did not work because you use fish shell.
But the fish invocation worked and found that none of your packages match the list.
You are OK. No need to worry.
PS.
Yes the number is yet larger.
I will probably update the thread title again if/when it hits 2K+
I think your script may have a weakness, based on conflating “foreign” (-m) with AUR.
The -m flag in pacman merely filters for package names which are not in the current local copy of configured repos (i.e., were not in official repos as of the last sudo pacman -Sy[...]).
This is not synonymous with “were installed from AUR”.
As mentioned above, a package may well have been installed from AUR (or some other foreign source), but will NOT show up in pacman -Qm IF a package with the same name exists in official repos (or existed in official repos as of last sync).
For example:
INFECTED_PKGS includes python-hist.
python-hist is no longer available from official repos.
However, it was available from extra (aka official Arch repos) as recently as April or later.
If a user installed an infected python-hist from AUR, but has not run sudo pacman -Sy since April, python-hist will not show up in pacman -Qm, and therefore will not be date checked by your script due to the -m in this line:
done < <(pacman -Qmq "${INFECTED_PKGS[@]}" 2>/dev/null)
python-hist is just the first example I found. There may well be others which currently still have packages with matching names in official repos, so would behave the same even on a fully up-to-date system.
It would probably be better to remove the -m.
This may lead to more false positives, but should eliminate false negatives like this.
I think eliminating false negatives is more important than avoiding false positives in a situation like this. Also, the name + build date of the package is a stronger indicator than where it was installed from anyway, given many packages from official repos were just prebuilt versions of AUR packages, likely automated and with little to no manual inspection on every single update.
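As an added example (not the checker script from the OP, and not part of either post above): a bash function that implements what the two posts above describe together: look packages up by name in the full `pacman -Qi` output with no -m/foreign filter, and decide by Build Date (and show Packager) rather than by where the package was installed from. The cutoff date, the three package names, and the constructed `pacman -Qi` sample are assumptions for illustration; on a real system you would feed it `pacman -Qi` and the full list.

```bash
#!/usr/bin/env bash
# Added example for this thread, not the checker posted in the OP.
# Matches packages by NAME in full `pacman -Qi` output (no -m filter), then
# flags any listed package whose Build Date is on or after the cutoff.
# Assumptions (not from the thread): the cutoff date, the package names,
# and that Build Date is printed either C-locale style
# ("Tue Jun 10 15:14:07 2025") or en_US style ("Tue 10 Jun 2025 03:14:07 PM UTC").

CUTOFF="2025-06-09"                           # assumed; "built before June 9"
INFECTED_PKGS=(python-hist alienfx libgdata)  # illustrative subset, not the real list

# Map an English month abbreviation to a two-digit number; empty if not a month.
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) echo "";;
  esac
}

# Normalise a pacman "Build Date" value to YYYY-MM-DD so it compares as a string.
# Scans tokens instead of fixed positions, so both locale layouts work.
build_date_iso() {
  local tok year="" mon="" day="" m
  for tok in $1; do
    m=$(month_num "$tok")
    if [ -n "$m" ]; then mon=$m
    elif [[ $tok =~ ^[0-9]{4}$ ]]; then year=$tok
    elif [[ $tok =~ ^[0-9]{1,2}$ ]]; then day=$tok
    fi
  done
  [ -n "$year" ] && [ -n "$mon" ] && [ -n "$day" ] || return 1
  printf '%s-%s-%02d\n' "$year" "$mon" "$((10#$day))"
}

# True if the package name is in INFECTED_PKGS.
is_listed() {
  local p
  for p in "${INFECTED_PKGS[@]}"; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# Print "name<TAB>date<TAB>packager" and return 0 if this package is listed and
# was built on/after CUTOFF (or its date could not be parsed); else return 1.
check_one() {
  local name=$1 bdate=$2 packager=$3 iso
  [ -n "$name" ] && is_listed "$name" || return 1
  iso=$(build_date_iso "$bdate") || iso="unknown"
  if [ "$iso" = "unknown" ] || ! [[ "$iso" < "$CUTOFF" ]]; then
    printf '%s\t%s\t%s\n' "$name" "$iso" "$packager"
    return 0
  fi
  return 1
}

# Read `pacman -Qi` output on stdin (blank line between packages).
# Exit status 1 if anything was flagged, 0 otherwise.
flag_suspect_packages() {
  local line name="" bdate="" packager="" hit=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Name "*)       name=${line#*: } ;;
      "Build Date "*) bdate=${line#*: } ;;
      "Packager "*)   packager=${line#*: } ;;
      "")             check_one "$name" "$bdate" "$packager" && hit=1
                      name=""; bdate=""; packager="" ;;
    esac
  done
  check_one "$name" "$bdate" "$packager" && hit=1
  return $hit
}

# Constructed sample of `pacman -Qi` output (not a real system's), covering a
# listed package built after the cutoff, one built in April, and an unlisted one.
SAMPLE_QI='Name            : python-hist
Version         : 2.8.1-1
Packager        : Unknown Packager
Build Date      : Thu 12 Jun 2025 10:02:33 AM UTC

Name            : libgdata
Version         : 0.18.1-3
Packager        : CachyOS <admin@cachyos.org>
Build Date      : Mon Apr 14 09:11:20 2025

Name            : bash
Version         : 5.2.037-1
Packager        : Arch Linux
Build Date      : Tue 10 Jun 2025 01:00:00 PM UTC
'

# Demo on the sample; on a real system: pacman -Qi | flag_suspect_packages
printf '%s' "$SAMPLE_QI" | flag_suspect_packages || echo "flagged packages above"
```

Because the lookup is by name over every installed package, a package that still has a same-named entry in the local repo copy (the python-hist case) is checked too; the cost is that a package legitimately rebuilt after the cutoff gets printed for you to look at, which is the false-positive trade-off the post accepts.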
I installed one of the infected packages (alienfx) on the 12th, but I can’t find any references to npm, bun, atomic-lockfile, lock file.js, or js-digest in ~/.cache/paru. I also don’t have npm or bun installed on my system. Am I likely to be infected?
An edge case but yes still possible.
Agreed.
The look for ‘foreign’ specifically will have been removed by the time this is posted.
Also from the ‘scriptless’ one-liner instructions in the OP.
This sounds like you may have installed it after it was found and cleaned.
But certainly take a hard look.
Taking a look at the mailing list it seems we can also pinpoint when that was:
So the 12th (depending on region I suppose) likely means it was clean.
Ok, then assuming the Arch mailing list is in UTC time, I should be fine. Thank you for the help.
It does - however, I would suggest that the announcements are retrospective, announced after the fixes at source are applied as a warning to anyone who might have applied updates recently.
Useful ideas - maybe make ONE snapshot at least a week old. But just think also - are you constantly exploring and installing new stuff? I know that I haven’t actually added anything new from AUR for a fair while, so now I just scan the PKGBUILDs during updates (also not done for a bit longer this week) for the terms of the current campaign.
Remember, it’s not paranoia, it’s just legitimate concern about our ignorance - but that doesn’t mean we’re not all out to get you.