Arch Linux - News: Active AUR malicious packages incident

@archlinux Thanks for letting us know. It would be good to have a live malicious package list to check on our side if a package was already installed. 👀

@zuru @archlinux Yeah, in case you're still looking, there's this collection of info here: https://github.com/lenucksi/aur-malware-check

I didn't actually pull all this and run aur_check-v2.sh, myself, but just ran the one-liner `comm` command given in this gist: https://gist.github.com/quantenProjects/3f768dce7331618310f016d975bf8547

That threw up one package for me, gdl, installed last year, built by @heftig so evidently from the days when it was in the main repos and also depended upon by another package.

GitHub - lenucksi/aur-malware-check: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

@miblo @archlinux @heftig Thanks a lot! At the end I checked manually, but that repo looks very useful and I was about to turn on another PC that uses Manjaro, so I'll be checking it. 🙏

@zuru @archlinux @heftig You're welcome! Nice one checking manually.

Yeah, just after replying, I spotted the gist only accounts for that first 480 packages. But we can simply swap out the curl URL for https://raw.githubusercontent.com/lenucksi/aur-malware-check/refs/heads/master/package_list.txt to get the current ~1600 long list.
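The check discussed in this thread, intersecting installed package names with the published list, written out as an added example. It is not part of any post here and is not the gist's one-liner or the repository's script. The function names and sample package names are constructed for illustration, and it tolerates CRLF line endings, comments, blank lines and unsorted input, which a bare `comm` does not.

```shell
#!/bin/sh
# Added example (not from the thread): list installed packages that appear on a
# published package list, tolerating CRLF, comments, blanks and unsorted input.

# Read names on stdin, emit a cleaned, byte-sorted, de-duplicated list.
normalize_list() {
    tr -d '\r' \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | LC_ALL=C sort -u
}

# flag_listed INSTALLED_FILE LIST_FILE: print names present in both files.
flag_listed() {
    fl_a=$(mktemp) && fl_b=$(mktemp) || return 1
    normalize_list < "$1" > "$fl_a"
    normalize_list < "$2" > "$fl_b"
    LC_ALL=C comm -12 "$fl_a" "$fl_b"
    rm -f "$fl_a" "$fl_b"
}

# Constructed sample data; on a real system INSTALLED_FILE would come from
# `pacman -Qq` and LIST_FILE from the package_list.txt URL given in the thread.
demo() {
    d_inst=$(mktemp) && d_list=$(mktemp) || return 1
    printf '%s\n' zlib constructed-pkg-c bash constructed-pkg-b > "$d_inst"
    printf '%s\r\n' '# constructed list' constructed-pkg-a '' \
        ' constructed-pkg-b ' constructed-pkg-c constructed-pkg-c > "$d_list"
    flag_listed "$d_inst" "$d_list"
    rm -f "$d_inst" "$d_list"
}

demo
```

A match only means the name is on the list; as the gdl case above shows, a package built from the official repositories can share a name with a listed AUR package, so check where each hit was actually installed from.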