is there like a script I can use to see if I have an infected AUR package that wasn't written with AI?

I found a txt file with all the infected packages and I seem to be safe but also what if this isn't actually the list

@anarceus I just did:

grep atomic-lockfile ~/.cache/yay -R

Just in case, I also used one-liners to check against a list of known packages. I only had one, installed 2 months ago so I was clearly not affected.

@starsider so if anything pops up after this, I am affected?
@starsider because if so. Rip. Do I just go scorched earth on my entire OS now
@anarceus How frequently do you update AUR packages? Did you update them last week?
@starsider yep because I didn't learn what was going on on time and also (sobbing) hadn't updated in a while
@starsider not sure when exactly honestly but I think the laptop was updated yesterday like an hour or so before I got the memo
@anarceus if it was after last friday, you're safe
@starsider at what point do I have to worry and is there a way I can check when I updated the PC? I'm sorry I'm kinda pestering you for this, I am somewhat shitting myself

@anarceus

find ~/.cache/yay -name PKGBUILD -printf '%T@ %Tc %p\n' | sort -n

@starsider The last 3 updates for the affected packages were 10th June, 6th June and 12th May :/ Rest was in December 2025

ETA: laptop's are 5th June 2026 and 9th Nov 2025, so I assume also... not good

@anarceus which packages were from the 10th? You're most likely all right.

Edit: Also if the grep atomic-lockfile didn't show anything I think you're good.

@starsider the grep atomic-lockfile did show two packages and those two packages were updated on the 10th. Update find command didn't really show anything for anything else, just those two packages. I think it's shijima-qt and shijima-qt-git (had weird desktop pet yearnings in december or so and then forgot abt it)

Same with the one laptop package, also showed on the grep atomic-lockfile and was updated on the 5th. The laptop one is accounts-qml-module, which is a bit strange since I also have that on my PC, but it didn't get flagged with the grep atomic-lockfile there

@anarceus Ouch... I'm sorry. You may have leaked your browser passwords, ssh keys, IM login tokens, stuff like that. Change all passwords in stuff that you care about. Enable 2FA in important stuff if you didn't already.

First you have to get rid of the backdoor, from a live USB. I guess the easiest is to just reinstall the system. You can preserve all your home but check ~/.config/systemd/user/ just in case.

@anarceus I just found this, it's full of up to date info on the incident, how to detect, what to do after infection.

https://github.com/lenucksi/aur-malware-check

GitHub - lenucksi/aur-malware-check: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

@starsider thanks!!
@anarceus The only thing in home is a user systemd service, which would be in the path I mentioned earlier. If you didn't make a user service yourself it should be empty.
@starsider gotcha. By the way is my laptop also cooked? It also got a grep result and the last update was on the 5th, though I did try to update and then abort around a similar time as I updated the PC. I know the PC is cooked but the laptop might be fine...?
@anarceus Use the scripts in the git repo which do a more thorough check.
@anarceus Run ./aur_check-v2.sh --full
@starsider I assume I need an internet connection for this. Eh, it's been fucked for the whole weekend already, might as well reconnect it and run the script. Do I have to download it first? I assume I do, probably a silly question, just never done that before
@anarceus It doesn't use the internet. You can download it in another machine. It uses the .txt file in the same repo.
@starsider How do I run the script? the quick start just does ./aur_check-v2.sh but if I type that in it just gives me unknown command. Genuinely sorry for all the silly questions, I think I had run a script once yeeears ago but I cannot remember how I did it

@anarceus Download the files from the repo. Then drag and drop the file aur_check-v2.sh into the terminal, and then add a space and "--full" at the end. It would look something like this:

/full/path/to/the/file/aur_check-v2.sh --full

Edit: Add sudo before it:

sudo /.../aur_check-v2.sh --full

@starsider So I need all the files? does it matter where I save them to?
@anarceus You only need the .sh file and the two .txt files. You can download the whole repo as .zip with the green button on the top right. The .sh file needs to be executable, so if you save them to a pendrive you may have to move them to home first.
@starsider I reconnected to the internet to download it (bad move ik) and it's extracted in my downloads folder. Ran it a couple of times and it returns that my PC is clean. This feels too good to be true now I'm suspicious

@anarceus Perhaps you ran yay and downloaded the packages and maybe even it built them but the sudo prompt to install them timed out?

Check if the directory of the malicious packages has a recent .zst file. If so, check if it's also in pacman's cache /var/cache/pacman/pkg/

@starsider to the edit; the atomic lock file seems to be in the /pkg/ folder of these packs which it does not let me enter in dolphin. I've used ctrl + F to look for .zst and it doesn't find any (on PC and laptop).

I've tried using sudo ls ~/.cache/yay/shijima-qt/pkg/ doesn't show me anything either so I assume the folder is just empty and there is no .zst anywhere, or I'm doing it wrong.

@anarceus The .zst file would be at ~/.cache/yay/shijima-qt (without /pkg)
@starsider also big big big thank you for the patience and time and so sorry for like. Hogging you all day abt this. I hope I haven't been too frustrating, unfortunately I'm only an imposter tech person where I know more than the average person but less than literally everyone who touches computers intentionally
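
The manual checks suggested in this thread (grep the yay cache for atomic-lockfile, read the PKGBUILD dates, look for a built .zst archive and for the same archive in pacman's cache) combined into one script, as an added example that is not part of the thread or of the aur-malware-check repo. The function names and the sample cache are made up for illustration; the marker string and default paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage of a yay build cache using the checks from the thread.
# MARKER and the default paths are quoted in the thread; function names are hypothetical.
MARKER="atomic-lockfile"

# Names of package directories under cache dir $1 whose files mention MARKER.
flagged_pkgs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        if grep -rq -- "$MARKER" "$d" 2>/dev/null; then basename "$d"; fi
    done
}

# For each flagged package print: name, state, PKGBUILD modification date.
#   referenced    marker found in the cached sources only
#   built         a .pkg.tar.zst exists in the package's cache directory
#   built+cached  an archive with the same name also exists in pacman cache dir $2
triage() {
    flagged_pkgs "$1" | while read -r pkg; do
        state=referenced
        for a in "$1/$pkg"/*.pkg.tar.zst; do
            [ -f "$a" ] || continue
            state=built
            if [ -e "$2/${a##*/}" ]; then state=built+cached; fi
        done
        when=$(date -r "$1/$pkg/PKGBUILD" +%F 2>/dev/null || echo unknown)
        printf '%s %s %s\n' "$pkg" "$state" "$when"
    done
}

# Constructed sample cache for a dry run (package names and contents are made up).
make_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/yay/pkg-a" "$s/yay/pkg-b" "$s/yay/pkg-c" "$s/pacman"
    echo '# constructed line mentioning atomic-lockfile' > "$s/yay/pkg-a/PKGBUILD"
    echo '# constructed line mentioning atomic-lockfile' > "$s/yay/pkg-b/PKGBUILD"
    echo '# constructed clean PKGBUILD' > "$s/yay/pkg-c/PKGBUILD"
    touch -d '2026-06-10 12:00' "$s/yay/pkg-a/PKGBUILD" "$s/yay/pkg-b/PKGBUILD"
    : > "$s/yay/pkg-b/pkg-b-1.0-1-x86_64.pkg.tar.zst"
    : > "$s/pacman/pkg-b-1.0-1-x86_64.pkg.tar.zst"
    echo "$s"
}

# With no arguments, inspect the real caches named in the thread.
triage "${1:-$HOME/.cache/yay}" "${2:-/var/cache/pacman/pkg}"
```

A "referenced" result only says the cached sources mention the marker; a "built" or "built+cached" result is the case where the more thorough repo script should be run.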