AUR Compromised - Almost 2000 packages affected - 20260611

@cscs You made it to Michael Tunnel’s channel!
https://youtu.be/LunA3n_cRvU?si=NY4TEz5c8ZLedQWH&t=101 🤘

You’re fine. Just know what you are doing if using the AUR. If you have no idea, don’t use it. Have a look at this: https://youtu.be/LunA3n_cRvU?si=PUd9IXumzZhPo81g

I would kindly suggest this ‘check up script’ in the OP be deleted, even though it’s intended as a helpful contribution by a community leader. It’s now propagating across various sites and finding its way into LLMs (Gemini). It encourages various Arch and Arch-downstream communities to adopt a very poor security practice of running an unverified downloadable executable script to check if people have unintentionally run unverified downloadable executable scripts that compromised their systems. Oh, the irony.

Instead, run the non-executable script provided. Here is a modified non-executable script that adds the number of matches, if any, and the total number of compromised packages in the list. This allows you to re-run it from terminal and see if the list is growing or shrinking, so you know if this attack is evolving:

local=$(pacman -Qqm | sort); curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt -o /tmp/aur.txt; remote=$(sort /tmp/aur.txt); m=$(comm -12 <(echo "$local") <(echo "$remote")); echo "Installed AUR packages flagged: $(echo "$m" | sed '/^\s*$/d' | wc -l)"; [ -n "$m" ] && echo "$m" || echo "None detected."; echo "Total packages in vulnerability list: $(wc -l < /tmp/aur.txt)"

So as long as I didn’t do any AUR install I should be safe? Or is the CachyOS package manager also affected?

❯ bash <(curl -s https://cscs.pastes.sh/raw/aurvulntest20260611.sh | psub)

Checking for infected AUR packages (1588 total)…

Clean: None of the known infected packages were installed within 2 days of the campaign.

~

Apps from Cachy repos should be free of this attack because the exploit used orphaned packages and claimed them. That is much more difficult to do when the packages in question are actively being maintained and owned, and not subject to automated claimship. Always review the PKGBUILD when installing non-Cachy stuff.

I see, thank you. I pretty much never installed anything from AUR since I first started using Linux/CachyOS last year, since I keep hearing it’s unsafe, and in my current install I should have nothing from it.

You can run pacman -Qm to check if there are any.

If there’s nothing it should return nothing, right?

Correct. It will show no results if there are none installed. If there are any, the tools shown earlier in this thread show how to check against the list of known-affected packages so next steps can be taken.

In that case I should be safe, since I got nothing…

Thank you for the follow up!

This will do a proper check of your system against the infected list and provide a clear output that is safe to run (not executable):

local=$(pacman -Qqm | sort); curl -s https://cscs.pastes.sh/raw/aurvulnlist20260611.txt -o /tmp/aur.txt; remote=$(sort /tmp/aur.txt); m=$(comm -12 <(echo "$local") <(echo "$remote")); echo "Installed AUR packages flagged: $(echo "$m" | sed '/^\s*$/d' | wc -l)"; [ -n "$m" ] && echo "$m" || echo "None detected."; echo "Total packages in vulnerability list: $(wc -l < /tmp/aur.txt)"
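Added example, not part of any post in this thread: a POSIX sh version of the comparison done by the one-liners above that fails closed, because with those a failed or empty download of the list reads as "None detected." The function names and sample package names are constructed, and the list is assumed to hold one package name per line.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the flagged list holds one
# package name per line. Function names and sample data are constructed.

# Strip CRs and blank lines, then sort uniquely in one locale so comm(1) is valid.
normalize() {
    tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d' | LC_ALL=C sort -u
}

# check_flagged INSTALLED_FILE LIST_FILE
# Prints installed names that appear in the list.
# Exit status: 0 = no match, 1 = at least one match, 2 = inputs unusable.
check_flagged() {
    [ -r "$1" ] || { echo "cannot read installed list: $1" >&2; return 2; }
    [ -s "$2" ] || { echo "flagged list missing or empty: $2" >&2; return 2; }
    work=$(mktemp -d) || return 2
    normalize "$1" > "$work/installed"
    normalize "$2" > "$work/list"
    # A saved error page or blank download must not be reported as "clean".
    if [ ! -s "$work/list" ] ||
       LC_ALL=C grep -qvE '^[A-Za-z0-9@._+-]+$' "$work/list"; then
        rm -rf "$work"
        echo "flagged list is not a plain list of package names" >&2
        return 2
    fi
    hits=$(LC_ALL=C comm -12 "$work/installed" "$work/list")
    rm -rf "$work"
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample run; the package names are made up.
demo() {
    d=$(mktemp -d) || return 2
    printf 'example-orphan-bin\nmy-local-tool\n' > "$d/installed"
    printf 'zz-example-flagged\r\nexample-orphan-bin\n\n' > "$d/list"
    rc=0
    check_flagged "$d/installed" "$d/list" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On an Arch-based system, after saving and reading the list yourself:
#   pacman -Qqm > installed.txt; check_flagged installed.txt list.txt
demo || echo "exit status $? (1 = flagged package installed)"
```

An exit status of 2 means the check did not run against a usable list, so it says nothing about whether the system is clean.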

Thanks CSCS, just heard about this today.

Can you rewrite it so we can just paste and run in the fish shell?

One is already provided at the top.

The main difference the previous poster’s alternative offers is the counting.

But I thought one of the main intentions around the non-scripted version was that it would be easily digestible/legible even by less experienced users so the OP has been intentionally kept relatively simple.

Thanks for all the information. I appreciate it.

There needs to be a proper official response to this on a more official channel and maybe a note on the main Cachy page, from an actual OS dev.

The communication around this is terrible. The people pointing out “getting people to run a random bash script forked from a Reddit post on a forum”, which to be fair wasn’t even tested properly initially, shouldn’t be the only response to this.

“Cachy isn’t arch or maintains aur”. Doesn’t matter. Cachy uses it and its name is being used everywhere to talk about this.

Thank you so much for the info and the script for checking the packages! “None of the known infected packages were installed within 2 days of the campaign”

A question regarding this AUR issue:
I went directly back to a snap before 8.6.2026. On top of that, it seems that I have not installed any of the compromised packages. Is going back to an older snap basically enough IF I WOULD have been infected? Thank you admins for your excellent work here!