More info here: https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577
Everyone should check and make sure you don’t have one of these installed.
updated version: https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14
https://github.com/lenucksi/aur-malware-check
https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
As always, don’t execute random scripts before checking them.
Oh fun. I had one of the packages installed, but not an infected version, and I hadn’t updated it during the window.
Feels like a great reminder to keep a clean minimal system. Why I was keeping vidcutter installed and up to date when the last time I ran it was probably years ago.
I thought for sure I had a few of them since some of the packages looked familiar but everything came out clean. Hopefully it stays that way.
My last update to vidcutter was from 2025 (based on my pacman logs). Some tools will scan for “did you install the bad package during the bad time period” and some will scan for “is the bad package name installed at all” - so i was able to identify that vidcutter was installed and I knew that the package names looking familiar made sense, and I was able to manually confirm that I was still clean. And now I have a lot of system pruning to do.
But if you thing some packages look familiar, it might be worth double checking.
Yeah I looked for them manually before coming across the scripts. I’ve been pretty careful with the aur and always check the comments on any new package I’m thinking of installing. Also I’ve gotten into the habit of checking the pkgbuilds after switching to paru from yay.
“No way to prevent this” says only distribution where this regularly happens
