Detection and analysis tools for the atomic-lockfile supply-chain attack on the Arch User Repository (AUR).

This is a collection of all the scattered resources, especially the ones in the detection scripts Gist - they made this, I just collected this to a repo so I have it all in one place and possibly people could put up PR's instead of Gist links across multiple posts. Certainly see the source section for details on the sources!

1600+ AUR packages compromised by attackers who injected npm install atomic-lockfile, bun install js-digest, or lockfile-js into PKGBUILD/install files. Two attack waves:

1. atomic-lockfile / lockfile-js (npm) — accounts krisztinavarga, franziskaweber, tobiaswesterburg, ellenmyklebust; arojas (impersonated legitimate maintainer — see Impersonation Clarification)
2. js-digest (bun) — accounts custodiatovar, veramagalhaes

Both deliver an infostealer and eBPF rootkit targeting developer credentials, browser data, and CI/CD secrets.

# Check if you have any infected packages
chmod +x aur_check.sh
./aur_check.sh

# Full scan with all optional checks
./aur_check.sh --full

# Check bun cache specifically (for js-digest / atomic-lockfile)
./aur_check.sh --check-bun-cache

# Safe one-liner (from quantenProjects) - just compare installed vs infected list
comm -1 -2 <(pacman -Qq | sort) <(curl -s https://raw.githubusercontent.com/YOUR/aur-malware-check/main/package_list.txt | sort)

# Faster alternative (v2) – optimized log scanning (~150x faster for large logs)
./aur_check-v2.sh

# Cross-campaign: scan all installed packages regardless of install date
./aur_check-v2.sh --all-time

# Merge multiple lists (HedgeDoc + historical + custom) and scan
./custom_list_merge_aur_scan.sh -l ./historical_packages.txt

# Merge custom lists and disable date window for cross-campaign scan
./custom_list_merge_aur_scan.sh -l ./historical_packages.txt -- --all-time

# Refresh the package list from the official Arch Linux HedgeDoc, then scan
./aur_check-v2.sh --refresh --full

# Use custom package lists (also settable via env vars):
#   PACKAGE_LIST_FILE=./my_list.txt
#   MALICIOUS_NPM_LIST=./my_npm.txt
./aur_check-v2.sh --package-list=my_list.txt --malicious-npm-list=my_npm.txt

A consolidated detection script combining the best features from all community forks:

Two versions are maintained — v2 is optimized but functionally identical:

v2 verified against v1 by static analysis: 8/10 risk categories NONE, 2/10 LOW (theoretical edge cases only, no real inputs affected). Use v2 for speed; v1 retained as reference for completeness.

• 0: Clean - no indicators found
• 1: Warnings (log scan issues, missing files)
• 2: Infected packages or artifacts detected

aur-malware-check/
├── README.md              # This file
├── aur_check.sh           # v1: Consolidated detection script (sed+grep log scanner)
├── aur_check-v2.sh        # v2: Optimized log scanner (bash regex + O(1) hash lookup)
├── package_list.txt              # bundled compromised packages, same as --refresh one as of 6/17/26. (1619 via `--refresh`)
├── malicious_npm_packages.txt    # Malicious npm package names for cache checks
├── iocs.txt                      # Indicators of Compromise
├── CHANGELOG.md           # Version history
├── sources/               # Original community scripts
│   ├── 01_kidev_original.sh
│   ├── 02_briancarnold_fork.sh
│   ├── 03_kacper-kondracki_fork.sh
│   └── 04_quantenprojects_list.txt
├── fetches/               # Raw fetched content (for verification)
├── SOURCES.md             # Numbered, sectioned source references
├── at_risk_accounts.json  # All identified attacker/monitoring accounts with status
├── tests/
│   ├── run_matching_tests.sh           # Matching test runner
│   ├── fake_package_lists/             # Fake infected AUR package lists for tests
│   └── fake_npm_lists/                 # Fake malicious npm package name lists for tests
└── subagent-reports/      # Extracted subagent analysis reports

This analysis aggregates information from the following sources:

• June 9-12, 2026: Malicious commits pushed to 408+ AUR packages
• June 11: First report on aur-general mailing list (Kusoneko about alvr)
• June 11: Andre Herbst discovers scope by grepping AUR git mirror
• June 11: ioctl.fail publishes technical analysis
• June 12: Community detection scripts published; AUR maintainers cleaning up
• June 12: David Runge clarifies arojas was impersonated via git commit forgery, not a malicious maintainer
• June 12, 17:33: Jonathan Grotelüschen posts HedgeDoc with updated affected package list
• June 13: New monitoring accounts identified (ivonahruskova, simongeisler); proposals for commit hash tracking, AUR read-only, and LLM-based scanning discussed
• June 13: PR #8 (drbbgh) merged — --refresh flag for live HedgeDoc package list
• June 13: PR #7 (liphiwolf) merged — lockfile-js detection, expanded package list

1. Attacker used commit forgery to impersonate maintainer arojas (see Impersonation Clarification below)
2. Took over orphaned AUR packages via the forged identity
3. Injected npm install atomic-lockfile or npm install lockfile-js into .install and .hook files
4. The npm packages atomic-lockfile@1.4.2 / lockfile-js contained a preinstall hook executing ./src/hooks/deps
5. The ELF binary deps (SHA256: 6144D4...) is a Rust-based credential stealer

1. Additional attacker accounts custodiatovar and veramagalhaes took over orphaned packages
2. Injected bun install js-digest into PKGBUILD/.install files (same NPM publisher herbsobering)
3. The npm package js-digest contained an embedded ELF payload (SHA256: 7883BD...)
4. Affected packages include guiscrcpy, netmon-git, inadyn-mt, nodejs-elm, keepassx2, and 26+ more

• Credential theft: Discord tokens, GitHub PATs, npm tokens, Slack sessions, Teams/M365 sessions, SSH keys, Vault tokens, Docker/Podman credentials, browser cookies
• Data exfiltration: Uploads to temp.sh, C2 via Tor onion service
• Persistence: systemd services (root or user mode) with Restart=always
• eBPF rootkit: When run as root with CAP_BPF, hides processes, files, and socket inodes
• Cryptominer staging: References /usr/bin/monero-wallet-gui for potential crypto mining payload

1. Preserve the system: Do not power off - use forensic acquisition with trusted media
2. Rotate ALL credentials: Discord, GitHub, npm, Slack, Teams, SSH keys, Vault tokens, cloud provider keys
3. Check for persistence: systemctl list-units --type=service --state=running (check for unknown services)
4. Check for eBPF rootkit: ls -la /sys/fs/bpf/hidden_*
5. Clean with trusted media: Boot from Arch ISO, mount filesystem, remove malicious systemd units
6. Consider reinstallation: The rootkit makes the system untrustworthy
7. Report findings: https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/

Community tools - no warranty. Use at your own risk.