Here's an easy script to scan for compromised packages:

https://cscs.pastes.sh/aurvulntest20260611.sh

Not my script. It's easy to read/parse. Never pipe a script directly to bash.

▲ sph 6 hours ago | parent | next [-]

A quicker alternative:

  comm -1 -2 <(pacman -Qq | sort) <(curl -s https://gist.githubusercontent.com/quantenProjects/3f768dce7331618310f016d975bf8547/raw/beef579f8a8efeed6ccf60788e5b768775550095/packages | sort)

It's never a bad time to learn about comm(1).

▲ sva_ 6 hours ago | parent | prev | next [-]

It isn't guaranteed that the list is conclusive.

Always check PKGBUILD and sources, AUR is not to be trusted for the most part. I'm actually more surprised that such compromise hasn't happened earlier.

▲

dathinab 4 hours ago | parent | next [-]

> hasn't happened earlier.

it happens all the time

Just not always on this scale and doesn't always end up on HN.

Similar to how you don't see every npm supply chain attack or malicious github action or similar on HN.

In general you _have to_ manually review every PKGBUILD update by hand (by diff). Everything else is neglect IMHO. Luckily for most packages this is reasonably doable, IFF you trust the upstream sources they fetch from. (As in: Most packages are a small amount of glue between pacman and a upstream source.)

As consequence AUR packages with AUR dependencies are in general "uh..., lets not do it" cases for me, as on one hand the review overhead can be a pain and on the other hand it's easy to make a mistake overlooking a change in AUR dependencies.

Still the policy which allows relatively easy adoption of orphaned packages is IMHO a problem. A adoption should be treated as a new package which just happen to have the same name. (It can be fine to not have that if arch maintainers "bless" the adoption, but IMHO that would only matter for a view very widely used packages which are candidates to be included in the official repo but aren't for e.g. license reasons.)

	▲	porridgeraisin 3 hours ago \| parent [-]
		I have opencode review it for me. Works great. With the opencode-pty plugin it operates a terminal like a human would, runs yay, opens the pkgbuild in vim when yay asks it, reviews, etc etc. gives an `n` at the end cancelling the operation and gives me a report. I read that and then upgrade. For non-famous 3-4 aur packages I have, I have it read the code itself. It's enough to catch the non-jia-tan problems.

▲

datakan 5 hours ago | parent | prev | next [-]

> I'm actually more surprised that such compromise hasn't happened earlier.

This is like the 3rd or 4th time. It's been ongoing and persistent for the last 2 years with frequent AUR downtime as a result.

The AUR should be deprecated in its current state, simply can't be trusted and is a blemish on an otherwise great distro.

	▲	opan 2 hours ago \| parent [-]
		I have long thought that fewer things get properly packaged for Arch due to it having the AUR as a crutch. Stuff like Void and Guix will have packages that are only in the AUR for Arch.

▲

matheusmoreira 6 hours ago | parent | prev [-]

The Arch Wiki does note that malware has made it into the AUR several times before.

▲ jeroenhd 4 hours ago | parent | prev [-]

Note that pacman supports date locales; searching for '9 Jun' only works in English locales (or locales using similar formatting, I suppose).

After correcting, for me, it flagged "jd-gui", but I had actually installed "jd-gui-bin" about two hours before the compromise. As far as I can tell, I was lucky that I felt lazy that night and went for the -bin package instead of waiting for the source to be compiled.

	▲	zache6 4 hours ago \| parent [-]
		Same situation for me. "alvr-bin" instead of "alvr". I'm a week out of date too.