AUR Compromised - Almost 2000 packages affected - 20260611

WARNING: 1 possibly infected package(s) found:

  • capt-src

Should I remove it?
I installed it on 11th Jun

Thanks for clarifying what’s going on.

This script partially clears you.

I’d suggest installing Traur to assist flagging up any potential issues as you update any AUR packages too.

Here’s another one you can try:

git clone https://github.com/lenucksi/aur-malware-check.git
cd aur-malware-check
chmod +x aur_check.sh
./aur_check.sh --full

This includes an npm scan… output looks like this:

============================================================
 AUR Malware Check v2.3.3
 Campaign: malicious npm packages (malicious_npm_packages.txt) infostealer + eBPF rootkit
 Date window: 2026-06-09 to 2026-06-12
 Packages checked: 1619
============================================================

--- [1] Currently installed foreign packages ---
  Clean: no infected packages installed within campaign window.

--- [2] Historical pacman logs ---
  Clean: no historical log matches found.

--- [3] Systemd persistence check ---
  Clean: no suspicious systemd services found.

--- [4] eBPF rootkit check ---
  Clean: no eBPF rootkit traces detected.

--- [5] npm cache check ---
  Clean: no malicious packages in npm cache.

--- [6] bun cache check ---
  Clean: no malicious packages in bun cache.

============================================================
 RESULT: CLEAN - No indicators found.
============================================================

The most critical risk is that you have an eBPF rootkit, and that it can survive if you remove that package.

For now, I’d suggest your credentials are at high risk - any SSH keys, website passwords, API tokens…

Personally I would get my USB out and do a clean install now, restore my backups and waste half a day getting it back up to scratch.

After that, monitor your accounts for suspicious activities?
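The "[2] Historical pacman logs" step in the output above is essentially a date-window match of campaign package names against /var/log/pacman.log. Here is an added, stand-alone illustration of that check (my own code, not the aur-malware-check project's script), run over a constructed log excerpt and a constructed campaign list with placeholder names:

```shell
#!/bin/sh
# Added example, not from the aur-malware-check project. It reproduces the idea of
# its "historical pacman logs" check: report listed packages that pacman installed
# or upgraded inside the campaign date window. All data below is constructed;
# on a real system the log is /var/log/pacman.log and the list comes from the
# campaign repository.

WINDOW_START="2026-06-09"
WINDOW_END="2026-06-12"

# Constructed campaign list (placeholder names, not real indicators).
CAMPAIGN_LIST=$(mktemp)
cat > "$CAMPAIGN_LIST" <<'EOF'
capt-src
example-infected-pkg
EOF

# Constructed pacman.log excerpt in the real log's line format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2026-06-01T09:00:00+0000] [ALPM] installed example-infected-pkg (1.0-1)
[2026-06-11T14:22:03+0000] [ALPM] installed capt-src (2.4.1-1)
[2026-06-11T14:22:05+0000] [ALPM] upgraded clang19 (19.1.7-1 -> 19.1.7-1.1)
[2026-06-13T08:00:00+0000] [ALPM] upgraded example-infected-pkg (1.0-1 -> 1.0-2)
EOF

# log_matches LOGFILE LISTFILE START END
# Prints "pkg date action" for every installed/upgraded package that is on the
# list and whose log date (YYYY-MM-DD) lies within [START, END] inclusive.
log_matches() {
    awk -v start="$3" -v end="$4" '
        NR == FNR { listed[$1] = 1; next }          # first file: campaign list
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
            date = substr($1, 2, 10)                # "[2026-06-11T..." -> 2026-06-11
            pkg = $4
            if ((pkg in listed) && date >= start && date <= end)
                print pkg, date, $3
        }' "$2" "$1"
}

matches=$(log_matches "$SAMPLE_LOG" "$CAMPAIGN_LIST" "$WINDOW_START" "$WINDOW_END")
match_count() { printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }'; }

printf '%s\n' "$matches"   # expected: capt-src 2026-06-11 installed
```

Only capt-src is reported: example-infected-pkg appears in the log too, but both of its entries fall outside the window, which is exactly why a clean result from a window-bound check says nothing about packages touched earlier or later.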

Oh wow, now I need to run a .sh that I don’t trust to see if I’m infected, ok I guess.

It’s all there… public. Read the issues and comments.
The maintainer of the cachy paste updated it to pull from both the Arch list and this repo, as well as CSCS list.

I suck at using GitHub, I get it’s legit but I’m such a scaredy-cat.

ok, that should be it, right?

I am not sure that the eBPF check is sufficiently comprehensive. I am new to this too, but the checked-for files could be deleted after the rootkit runs, no?

And the rootkit could interfere with the resulting search?

Yeah, I know, but I don’t see any unusual activity from my account. I will reinstall it later because I’m too busy now.

If you have a match, your information was possibly stolen whether there is a rootkit installed or not. The advice is to change all your passwords on every account you have.

@ducanh @Potente @Noemy-Amelie and all:

Guys, can we please stop screenshotting our terminals and come back to copy/pasting the text instead and formatting it with the </> button?

I understand we are all a little in panic-mode at the moment, but please let’s try to stick to at least a little discipline here. Trying to “read” your screenshots on a phone is next to impossible, also it is much easier to copy/paste text from your output than having to type it manually.

Thanks.

.=======================================.
| Because text > image, dontcha know ;) |
.=======================================.
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
Output...
============================================================
 AUR Malware Check v2.3.3
 Campaign: malicious npm packages (malicious_npm_packages.txt) infostealer + eBPF rootkit
 Date window: 2026-06-09 to 2026-06-12
 Packages checked: 1619
============================================================

--- [1] Currently installed foreign packages ---
  Clean: no infected packages installed within campaign window.

--- [2] Historical pacman logs ---
  Clean: no historical log matches found.

============================================================
 RESULT: CLEAN - No indicators found.
============================================================

You can create a function to do this in fish…

function copyshow
    $argv | tee /dev/tty | wl-copy
end

then…

funcsave copyshow

After that:

./aur_check-v2.sh --full | copyshow

ready to paste…

Otherwise, use Konsole - you can select/copy/paste easily too.

If Garuda has made Chaotic safer I appreciate that. If it’s safe enough remains to be seen considering that new and more sophisticated attacks (possibly AI-created) will happen - or are already happening.

I still think that nobody should use the AUR who is not able to read and understand PKGBUILDs.

Apologies for the potentially dumb question (still working my way through this thread), but despite me never intentionally grabbing any AUR packages, it turns out I have some anyway after running pacman -Qm. Not everything in the output is on the list of affected packages, but I have at least 3.

That being said, they all list CachyOS as the packager and the versions don’t match what I see on the AUR package list site so just to confirm, is it safe to assume I’m in the clear and that the affected packages were probably installed as part of a system update?

List the packages. If something is dropped from CachyOS repos, then it’ll show up as AUR.

Sure,

  • clang19 : 19.1.7-1.1
  • compiler-rt19 : 19.1.7-1.1
  • lld19 : 19.1.7-2.1

I definitely have never knowingly downloaded these, given the packager name listed I just assumed it was part of a system update at some point.

It’s an ‘entirely at your own risk’ scenario - I have no objection to EVERYONE using the AUR. I have major objections to people saying ‘WE SHOULD BE PROTECTED’ - though some safeguards are being implemented…

It isn’t and wasn’t ever supported… and you’re free to do whatever you like… as long as you accept that if you install your own malware suite, it’s your decision to do so.

Also, it’s really not too difficult to learn some basic forum formatting and construct a meaningful post asking others here to look over something before you go ahead and install.

It’s hardly surprising you don’t know where they came from, they’re definitely part of building - likely dependencies from something you did install.

The kernel is frequently compiled with the Clang compiler… during a system update or installing headers.

Clang19 and compiler-rt19 are part of Arch Linux’s extra repository… which adds another layer as to why they’re listed as foreign/AUR for you.

Do you have Chaotic enabled?

Are you sure you didn’t install them from the AUR as a dependency for a build in the past?

pacman -Qi clang19 compiler-rt19 lld19
pactree -r clang19
pacman -Si clang19 compiler-rt19 lld19

For a quick cleanup…

sudo pacman -Rns clang19 compiler-rt19 lld19

But don’t remove them if they are shown as required by the linux-cachyos kernel… hence the pactree check.

If they’re part of Chaotic, then reinstall them from official sources to switch the source…

I think the bigger problem for most people is not the installation process, but rather updating. If someone has multiple AUR packages installed (as I do) then updating can be a nightmare. The only safe way to update is to check what needs updating and then vetting each update. The common advice to beginners to “just run yay and everything gets updated” is a big problem and a problem for lazy people like me.