is there like a script I can use to see if I have an infected AUR package that wasn't written with AI?

I found a txt file with all the infected packages and I seem to be safe but also what if this isn't actually the list

@anarceus I just did:

grep atomic-lockfile ~/.cache/yay -R

Just in case, I also used one-liners to check against a list of known packages. I only had one, installed 2 months ago so I was clearly not affected.

@starsider so if anything pops up after this, I am affected?
@starsider because if so. Rip. Do I just go scorched earth on my entire OS now
@anarceus How frequently do you update AUR packages? Did you update them last week?
@starsider yep because I didn't learn what was going on on time and also (sobbing) hadn't updated in a while
@starsider not sure when exactly honestly but I think the laptop was updated yesterday like an hour or so before I got the memo
@anarceus if it was after last friday, you're safe
@starsider at what point do I have to worry and is there a way I can check when I updated the PC? I'm sorry I'm kinda pestering you for this, I am somewhat shitting myself

@anarceus

find ~/.cache/yay -name PKGBUILD -printf '%T@ %Tc %p\n' | sort -n

@starsider The last 3 updates for the affected packages were 10th June, 6th June and 12th May :/ Rest was in December 2025

ETA: laptop's are 5th June 2026 and 9th Nov 2025, so I assume also... not good

@anarceus which packages were from the 10th? You're most likely all right.

Edit: Also if the grep atomic-lockfile didn't show anything I think you're good.

@starsider the grep atomic-lockfile did show two packages and those two packages were updated on the 10th. The find command didn't really show anything for anything else, just those two packages. I think it's shijima-qt and shijima-qt-git (had weird desktop pet yearnings in december or so and then forgot abt it)

Same with the one laptop package, also showed on the grep atomic-lockfile and was updated on the 5th. The laptop one is accounts-qml-module, which is a bit strange since I also have that on my PC, but it didn't get flagged with the grep atomic-lockfile there

@anarceus Ouch... I'm sorry. You may have leaked your browser passwords, ssh keys, IM login tokens, stuff like that. Change all passwords in stuff that you care about. Enable 2FA in important stuff if you didn't already.

First you have to get rid of the backdoor, from a live USB. I guess the easiest is to just reinstall the system. You can preserve all your home but check ~/.config/systemd/user/ just in case.

@anarceus I just found this, it's full of up to date info on the incident, how to detect, what to do after infection.

https://github.com/lenucksi/aur-malware-check

GitHub - lenucksi/aur-malware-check: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

@starsider thanks!!
@anarceus The only thing in home is a user systemd service, which would be in the path I mentioned earlier. If you didn't make a user service yourself it should be empty.
@starsider gotcha. By the way is my laptop also cooked? It also got a grep result and the last update was on the 5th, though I did try to update and then abort around a similar time as I updated the PC. I know the PC is cooked but the laptop might be fine...?
@anarceus Use the scripts in the git repo which do a more thorough check.
@anarceus Run ./aur_check-v2.sh --full
@starsider I assume I need an internet connection for this. Eh, it's been fucked for the whole weekend already, might as well reconnect it and run the script. Do I have to download it first? I assume I do, probably a silly question, just never done that before

@starsider Good thing I have no browser passwords I know of. I'm more concerned about my cookies. Since my paypal might be in there. I guess the silver lining ends with not using browser password saving.

I am mildly freaking out and not really able to wrap my head around this. How cooked am I and how successfully will nuking my OS unfuck me?

How do I get ssh keys? I only have used sshfs, does it just generate one automatically when I use that or when I generally just have ssh, and how bad is leaking them?

What should I look for in ~/.config/systemd/user/?

@starsider also note I've disconnected my affected PCs from the internet as of today. I have a debian server PC that was accessed per SSH, is this one fucked as well? I don't think it would be but I'm still worried
@anarceus If you log out in paypal the cookie should be invalidated. Nuking your OS is safe, as the virus doesn't seem to do much to install itself in home. Also I haven't read anything about it trying to infect other machines.
@starsider I guess if it logs me out automatically when I close the popup tabs when paying I should be alright there. Fuck this is gonna be so annoying
@anarceus If you're not using a password manager, I hope that you're not reusing the same passwords.
@starsider nah that should be fine, most accounts I use have proper key scramble made by KeePass or gnome secrets, and even before I did make a new one for each account
@anarceus it's probably better to look for IOCs* than trying to check every package you have installed

check for new eBPF modules, for any systemd services that popped up recently in /etc/systemd/system or $HOME/.config/systemd/user, I believe there were other IOCs as well

*: indicators of compromise
@anarceus assuming you reviewed your PKGBUILDs and didn't find anything weird you're fine
@niko I have no idea how to do that, I just did sudo pacman -Qm and then compared to the list of known infected packages
@anarceus when you're installing AUR packages you should be reviewing the PKGBUILDs at the very least for anything suspicious and that's 30 extra seconds with a half decent AUR helper that does that for you (I recommend paru)

@niko never done that before. Assume it's the diffs to show or something thingie on yay, when starting out on arch pretty much everyone told me there was no reason to not just click through haha.

Besides I'm more tech savvy than the average person but less tech savvy than literally any other tech savvy person. I don't think I could actually identify a suspicious pkgbuild anyway so it wouldn't have saved me here

I could NOW in our case because I know what the problem files look like but outside of that I'm just a critter mainly using cachyOS because it's easy and doesn't cause me problems in any other way lmao

@niko is there a way to check through them in post? I updated after it happened because news didn't reach me quick enough unfortunately

@anarceus yeah it's those diffs that yay shows you

as for reviewing uhh given you're using yay it miiight store the PKGBUILDs in ~/.cache/yay or something similar? it seems like ls ~/.cache/yay/*/PKGBUILD should pull up all the PKGBUILDs

@niko I'll check once I'm home, thanks!!! Will also look through them when installing from now on lol, for whatever it's worth, though I'm still not sure I'll be able to recognise anything