is there like a script I can use to see if I have an infected AUR package that wasn't written with AI?
I found a txt file with all the infected packages and I seem to be safe but also what if this isn't actually the list
@anarceus I just did:
grep atomic-lockfile ~/.cache/yay -R
Just in case, I also used one-liners to check against a list of known packages. I only had one, installed 2 months ago so I was clearly not affected.
find ~/.cache/yay -name PKGBUILD -printf '%T@ %Tc %p\n' | sort -n
@starsider The last 3 updates for the affected packages were 10th June, 6th June and 12th May :/ Rest was in December 2025
ETA: laptop's are 5th June 2026 and 9th Nov 2025, so I assume also... not good
@anarceus which packages were from the 10th? You're most likely all right.
Edit: Also if the grep atomic-lockfile didn't show anything I think you're good.
@starsider the grep atomic-lockfile did show two packages and those two packages were updated on the 10th. The find command didn't really show anything for anything else, just those two packages. I think it's shijima-qt and shijima-qt-git (had weird desktop pet yearnings in december or so and then forgot abt it)
Same with the one laptop package, also showed on the grep atomic-lockfile and was updated on the 5th. The laptop one is accounts-qml-module, which is a bit strange since I also have that on my PC, but it didn't get flagged with the grep atomic-lockfile there
@anarceus Ouch... I'm sorry. You may have leaked your browser passwords, ssh keys, IM login tokens, stuff like that. Change all passwords in stuff that you care about. Enable 2FA in important stuff if you didn't already.
First you have to get rid of the backdoor, from a live USB. I guess the easiest is to just reinstall the system. You can preserve all your home but check ~/.config/systemd/user/ just in case.
@anarceus I just found this, it's full of up to date info on the incident, how to detect, what to do after infection.
@anarceus Download the files from the repo. Then drag and drop the file aur_check-v2.sh into the terminal, and then add a space and "--full" at the end. It would look something like this:
/full/path/to/the/file/aur_check-v2.sh --full
Edit: Add sudo before it:
sudo /.../aur_check-v2.sh --full
@anarceus Perhaps you ran yay and downloaded the packages and maybe even it built them but the sudo prompt to install them timed out?
Check if the directory of the malicious packages have a recent .zst file. If so, check if it's also in pacman's cache /var/cache/pacman/pkg/
@starsider to the edit; the atomic lock file seems to be in the /pkg/ folder of these packs which it does not let me enter in dolphin. I've used ctrl + F to look for .zst and it doesn't find any (on PC and laptop).
I've tried using sudo ls ~/.cache/yay/shijima-qt/pkg/ doesn't show me anything either so I assume the folder is just empty and there is no .zst anywhere, or I'm doing it wrong.
@starsider none there in either package on PC or on my laptop.
pacman doesn't have any .zst either on my PC, but there is one matching on my laptop, but it's not recent (dated to over a year ago in May 2025) EDIT: did pacman -Q and the laptop flagged file version matches the one named in the .zst file
this is good news? I think?
@starsider this feels. Too good to be true. Saved by probably ADHD. Should I -Rm the lockfiles (I didn't actually go through with that amidst the stress)? Actually I'm probably gonna remove the shijima packages altogether.
Is updating safe now or should I stick to pacman updates and ignore yay for the near future?
Thank you so so much again for sticking with me through this
@anarceus You can delete anything in yay's cache. I think updating AUR should be safer now (with better policies for adopting a package etc), but it doesn't hurt to see the changes in the PKGBUILD when yay asks. Most of the time it's just changing the URL and the hash of downloaded files, and if you suspect of other changes you can delay that update for a few days to make sure the change is legit.
Edit: Oops when you delete yay's cache, the diffs are just all additions. Maybe just delete binary files (like .zst and .tgz) and subdirectories.
@starsider gotcha!! I think I'll still stick to pacman for the next couple days or weeks till this blows over and hope nothing on yay's side breaks.
I will be removing shijima-qt as well as the lockfile on my laptop.
Thanks so much again!
@starsider yknow now that I've calmed down I think I might have been silly the entire time. For some reason when I do the find command it broadcasts the supposedly infected packages found by the grep, however checking the files listed it is just accounts-qml-module which was updated on the 10th and didn't get a flag on the grep.
I tried deleting the shijima packages and turns out I don't have them either...? They're just in the cache? Which is normal but they pop up for grep atomic-lockfile ~/.cache/yay -R
so I'm a bit confused about that but whatever, my PC is clean. I can probably just delete the cache folders I guess.
This was so much stress lol