is there like a script I can use to see if I have an infected AUR package that wasn't written with AI?

I found a txt file with all the infected packages and I seem to be safe but also what if this isn't actually the list

@anarceus I just did:

grep atomic-lockfile ~/.cache/yay -R

Just in case, I also used one-liners to check against a list of known packages. I only had one, installed 2 months ago so I was clearly not affected.

@starsider so if anything pops up after this, I am affected?
@starsider because if so. Rip. Do I just go scorched earth on my entire OS now
@anarceus How frequently do you update AUR packages? Did you update them last week?
@starsider yep because I didn't learn what was going on on time and also (sobbing) hadn't updated in a while
@starsider not sure when exactly honestly but I think the laptop was updated yesterday like an hour or so before I got the memo
@anarceus if it was after last friday, you're safe
@starsider at what point do I have to worry and is there a way I can check when I updated the PC? I'm sorry I'm kinda pestering you for this, I am somewhat shitting myself

@anarceus

find ~/.cache/yay -name PKGBUILD -printf '%T@ %Tc %p\n' | sort -n

@starsider The last 3 updates for the affected packages were 10th June, 6th June and 12th May :/ Rest was in December 2025

ETA: laptop's are 5th June 2026 and 9th Nov 2025, so I assume also... not good

@anarceus which packages were from the 10th? You're most likely all right.

Edit: Also if the grep atomic-lockfile didn't show anything I think you're good.

@starsider the grep atomic-lockfile did show two packages and those two packages were updated on the 10th. The find command didn't really show anything for anything else, just those two packages. I think it's shijima-qt and shijima-qt-git (had weird desktop pet yearnings in december or so and then forgot abt it)

Same with the one laptop package, also showed on the grep atomic-lockfile and was updated on the 5th. The laptop one is accounts-qml-module, which is a bit strange since I also have that on my PC, but it didn't get flagged with the grep atomic-lockfile there

@anarceus Ouch... I'm sorry. You may have leaked your browser passwords, ssh keys, IM login tokens, stuff like that. Change all passwords in stuff that you care about. Enable 2FA in important stuff if you didn't already.

First you have to get rid of the backdoor, from a live USB. I guess the easiest is to just reinstall the system. You can preserve all your home but check ~/.config/systemd/user/ just in case.

@starsider Good thing I have no browser passwords I know of. I'm more concerned about my cookies. Since my paypal might be in there. I guess the silver lining ends with not using browser password saving.

I am mildly freaking out and not really able to wrap my head around this. How cooked am I and how successfully will nuking my OS unfuck me?

How do I get ssh keys? I only have used sshfs, does it just generate one automatically when I use that or when I generally just have ssh, and how bad is leaking them?

What should I look for in ~/.config/systemd/user/?

@starsider also note I've disconnected my affected PCs from the internet as of today. I have a debian server PC that was accessed via SSH, is this one fucked as well? I don't think it would be but I'm still worried