kakerlakatzeis there like a script I can use to see if I have an infected AUR package that wasn't written with AI?
I found a txt file with all the infected packages and I seem to be safe but also what if this isn't actually the list
Piko Starsider 
@anarceus I just did:
grep atomic-lockfile ~/.cache/yay -R
Just in case, I also used one-liners to check against a list of known packages. I only had one, installed 2 months ago so I was clearly not affected.
@starsider so if anything pops up after this, I am affected?
@starsider because if so. Rip. Do I just go scorched earth on my entire OS now
@anarceus How frequently do you update AUR packages? Did you update them last week?
@starsider yep because I didn't learn what was going on on time and also (sobbing) hadn't updated in a while
@starsider not sure when exactly honesrly but I think the laptop was updated yesterday like an hour or so before I got the memo
@anarceus if it was after last friday, you're safe
@starsider at what point do I have to worry and is there a way I can check when I updated the PC? I'm sorry I'm kinda pestering you for this, I am somewhat shitting myself
find ~/.cache/yay -name PKGBUILD -printf '%T@ %Tc %p\n' | sort -n
@starsider The last 3 updates for the affected packages were 10th June, 6th June and 12th May :/ Rest was in December 2025
ETA: laptop's are 5th June 2026 and 9th Nov 2025, so I assume also... not good
@anarceus which packages were from the 10th? You're most likely all right.
Edit: Also if the grep atomic-lockfile didn't show anything I think you're good.
@starsider the grep atomic-lockfile did show two packages and those two packages were updates on the 10th. Update find command didn't really show anything for anything else, just those two packages. I think it's shijima-qt and shijima-qt-git (had weird desktop pet yearnings in december or so and then forgot abt it)
Same with the one laptop package, also showed on the grep atomic-lockfile and was updated on the 5th. The laptop one is accounts-qml-module, which is a bit strange since I also have that on my PC, but it didn't get flagged with the grep atomic-lockfile there
@anarceus Ouch... I'm sorry. You may have leaked your browser passwords, ssh keys, IM login tokens, stuff like that. Change all passwords in stuff that you care about. Enable 2FA in important stuff if you didn't already.
First you have to get rid of the backdoor, from a live USB. I guess the easiest is to just reinstall the system. You can preserve all your home but check ~/.config/systemd/user/ just in case.
@anarceus I just found this, it's full of up to date info on the incident, how to detect, what to do after infection.
@starsider thanks!!
@anarceus The only thing in home is a user systemd service, which would be in the path I mentioned earlier. If you didn't make a user service yourself it should be empty.
@starsider gotcha. By the way is my laptop also cooked? It also got a grep result and the last update was on the 5th, thoufh I did try to update and then abort around a similar time as I updated the PC. I know the PC is cooked but the laptop might be fine...?
@anarceus Use the scripts in the git repo which do a more thorough check.
@anarceus Run ./aur_check-v2.sh --full
@starsider I assume I need an internet connection for this. Eh, it's been fucked for the whole weekend already, might as well reconnect it and run the script. Do I have download it first? I assume I do, probably a silly question, just never done that befoee
@anarceus It doesn't use the internet. You can download it in another machine. It uses the .txt file in the same repo.
@starsider How do I run the script? the quick start just does ./aur_check-v2.sh but if I type that in it just gives me unknown command. Genuinely sorry for all the silly questions, I think I had run a script once yeeears ago but I cannot remember how I did it
@anarceus Download the files from the repo. Then drag and drop the file aur_check-v2.sh into the terminal, and then add a space and "--full" at the end. It would look something like this:
/full/path/to/the/file/aur_check-v2.sh --full
Edit: Add sudo before it:
sudo /.../aur_check-v2.sh --full
@starsider So I need all the files? does it matter where I save them to?
@anarceus You only need the .sh file and the two .txt files. You can download the whole repo as .zip with the green button on the top right. The .sh file needs to be executable, so if you save them to a pendrive you may have to move them to home first.
@starsider I reconnected to the internet to download it (bad move ik) and it's extracted in my downloads folder. Ran it a couple of times and it returns that my PC is clean. This feels too good to be true now I'm suspicious
@anarceus Perhaps you ran yay and downloaded the packages and maybe even it built them but the sudo prompt to install them timed out?
Check if the directory of the malicious packages have a recent .zst file. If so, check if it's also in pacman's cache /var/cache/pacman/pkg/
@starsider I genuinely have no idea. I have vague memories that at one point I forgot I was updating and just turned my PC off for the night that must have been pretty recent, but that could also have been my laptop
So essentially if that's the case, what I'm gathering here is that I do have the infected files but they were never executed and are thus just. Fermenting ominously somewhere in the depths of my PC. And I'm not cooked but on thin fucking ice?
@anarceus If you didn't install them you're fine. Check the packages (check my message edits) and that way you can be sure you didn't install them. If you update AUR again, those packages would be rebuilt clean (or not touched at all since the version reverted to the old one).
@anarceus Ah if you find a recent .zst, the way to check if you installed it is to type
pacman -Q your-package-name-here
And you should see something like
your-package-name-here
v1.0.4.r101.g1a6de10-1
Check whether the version matches the .zst file name.
@starsider to the edit; the atomic lock file seems to be in the /pkg/ folder of these packs which it does not let me enter in dolphin. I've used ctrl + F to look for .zst and it doesn't find any (on PC and laptop).
I've tried using sudo ls ~/.cache/yay/shijima-qt/pkg/ doesn't show me anything either so I assume the folder is just empty and there is no .zst anywhere, or I'm doing it wrong.
@anarceus The .zst file would be at ~/.cache/yay/shijima-qt (without /pkg)
@starsider none there in either package on PC or on my laptop.
pacman doesn't have any .zst either on my PC, but there is one matching on my laptop, but it's not recent (dated to over a year ago in May 2025) EDIT: did pacman -Q and the laptop flagged file version matches the one named in the .zst file
this is good news? I think?
@anarceus yes, if the .zst is old and it's the one you have installed, you're good
@starsider this feels. Too good to be true. Saved by probably ADHD. Should I -Rm the lockfiles (I didn't actually go through with that amidst the stress)? Acrually I'm probably gonna remove the shijima packages alltogether.
Is updating safe now or should I stick to pacman updates and ignore yay for the near future?
Thank you so so much again for sticking with me through this
@starsider also big big big thank you for the patience and time and so sorry for like. Hogging you all day abt this. I hope I haven't been too frustrating, unfortunately I'm only an imposter tech person where I know more than the average person but less than literally everyone who touches computers intentionally
@starsider Good thing I have no browser passwords I know of. I'm more concerned about my cookies. Since my paypal might be in there. I guess the silver lining ends with not using browser password saving.
I am mildly freaking out and not really able to wrap my head around this. How cooked am I and how successfully will nuking my OS unfuck me?
How do I get ssh keys? I only have used sshfs, does it just generate one automatically when I use that or when I generally just have ssh, and how bad is leaking them?
What should I look for in /.config/systemd/user/?
@starsider also note I've disconnected my affected PCs from the internet as of today. I have a debian server PC that was accessed per SSH, is this one fucked as well? I don't think it would be but I'm still worried
@anarceus If you log out in paypal the cookie should be invalidated. Nuking your OS is safe, as the virus doesn't seem to do much to install itself in home. Also I haven't read anything about it trying to infect other machines.
@starsider I guess if it logs me out automatically when I close the popup tabs when paying I should be alright there. Fuck this is gonna be so annoying
@anarceus If you're not using a password manager, I hope that you're not reusing the same passwords.
@starsider nah that should be fine, most accounts I use have proper key scramble made by keypass or gnome secrets, and even before I did make a new one for each account