lenucksi/aur-malware-check
Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.
View Origin LinkProduct Positioning & Context
Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.
Related Ecosystem & Alternatives
Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.
Deep-Dive FAQs
What is lenucksi/aur-malware-check?
lenucksi/aur-malware-check is a digital product or tool described as: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.
Where did lenucksi/aur-malware-check originate?
Data for lenucksi/aur-malware-check was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was lenucksi/aur-malware-check publicly launched?
The initial public indexing or launch date for lenucksi/aur-malware-check within our tracked developer communities was recorded on June 12, 2026.
How popular is lenucksi/aur-malware-check?
lenucksi/aur-malware-check has achieved measurable traction, logging over 1,785 traction score and facilitating 38 recorded discussions or engagements.
Are there active development issues for lenucksi/aur-malware-check?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 5 active high-priority issues logged recently.
What are some commercial alternatives to lenucksi/aur-malware-check?
Our semantic intelligence engine identifies potential commercial alternatives in the SaaS space, such as Timbal AI, which offers overlapping value propositions.
How does the creator describe lenucksi/aur-malware-check?
The original author or development team describes the product as follows: "Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists."
Active Developer Issues (GitHub)
Logged: Jun 13, 2026
Logged: Jun 13, 2026
Logged: Jun 13, 2026
Logged: Jun 12, 2026
Logged: Jun 12, 2026
Community Voice & Feedback
Looks like this is more of a discussion topic? I'll try to move it to the discussion section here. Also, thanks for the help @1mercdev
Can confirm that it's fixed. Thank you! Closing.
if you want to make sure, the fix is to add "nextfile-js" to a new line in the ```malicious_npm_packages.txt``` file. It's the only thing that's not committed yet.
Generally speaking, I personally wouldn't recommend updating the system until everything is ensured to be sorted out.
Generally speaking, I personally wouldn't recommend updating the system until everything is ensured to be sorted out.
does this commit still check for everything? I updated earlier like 5-6 hours ago thinking things were handled, saw this, and added this commit and got a clean result. just anxious now looking for answers
Yeah, what's coming out of this is just the attackers finding as many ways as possible to target the most machines.
After a quick research, I found the npm pkg link which seems to be this: https://www.npmjs.com/package/nextfile-js .
After a quick research, I found the npm pkg link which seems to be this: https://www.npmjs.com/package/nextfile-js .
That's probably it, as the scan, without the --all-time flag, will not signal packages that were installed before June 9th. (using --all-time will likely flag the package, try it if you'd like)
You can see that in the first lines of the script the ```START_DATE``` variable is set to 06-09. Although this could be a good sign and may signify that your machine wasn't compromised (given no other scans flagged malware), I would still personally check out the PKGBUILD for that version and make sure it isn't altered.
You can see that in the first lines of the script the ```START_DATE``` variable is set to 06-09. Although this could be a good sign and may signify that your machine wasn't compromised (given no other scans flagged malware), I would still personally check out the PKGBUILD for that version and make sure it isn't altered.
I just checked and it seems like I had the PKGBUILD from 5th of June or something, which is before the suspicions. Maybe that was the reason that it got filtered? I have tried --full --refresh as well but it did not showed it again.
So it's no longer just an opportunistic attempt and is now an active, ongoing attack. :(
So "nextfile-js" is the new package name to scan for on compromised machines?
This makes it harder to detect them inside the .install files but it doesn't really compromise the scanner too much since packages are still logged in pacman and the bun cache.
This makes it harder to detect them inside the .install files but it doesn't really compromise the scanner too much since packages are still logged in pacman and the bun cache.
The pkg "latex-mk" seems to be present inside both the HedgeDoc and the fallback package_list.txt.
I'm not entirely sure how your scan missed that but it might be because you haven't used the --refresh flag (and you have an outdated package_list.txt). Just clone the latest commit and go for a --full --refresh scan if you want to make sure.
The README.md inside this repo also provides instructions for when your system gets compromised. A clean install is usually recommended.
I'm not entirely sure how your scan missed that but it might be because you haven't used the --refresh flag (and you have an outdated package_list.txt). Just clone the latest commit and go for a --full --refresh scan if you want to make sure.
The README.md inside this repo also provides instructions for when your system gets compromised. A clean install is usually recommended.
Thanks for the details. Take a look at 2.3.3 fixed it here when simulated against two packages that I do have and that do have a package and package-bin.
Please close if done.
Please close if done.
Hi, I can reproduce this on v2.3.0. The issue is in check_current() in aur_check-v2.sh.
pacman -Qmq does substring/prefix matching, not exact matching. You can verify this directly:
$ pacman -Qmq jd-gui
jd-gui-bin
jd-gui is in package_list.txt as an infected package, but pacman -Qmq jd-gui returns jd-gui-bin (a legitimate Java decompiler). The script then calls pacman -Qi jd-gui-bin, which succeeds, and the package gets flagged as infected.
pacman -Qmq does substring/prefix matching, not exact matching. You can verify this directly:
$ pacman -Qmq jd-gui
jd-gui-bin
jd-gui is in package_list.txt as an infected package, but pacman -Qmq jd-gui returns jd-gui-bin (a legitimate Java decompiler). The script then calls pacman -Qi jd-gui-bin, which succeeds, and the package gets flagged as infected.
Hi @katanacrimson! Thanks for your report. I merged some PRs and tried to come up with some small/hacky tests for the package name matching. I could not reproduce this so far.
Can you please take a look at the more recent versions and the 'test script' to see if a) those address your concerns and b) if you can still reproduce it?
If you can still reproduce it, some more detailed pointers would be helpful.
Can you please take a look at the more recent versions and the 'test script' to see if a) those address your concerns and b) if you can still reproduce it?
If you can still reproduce it, some more detailed pointers would be helpful.
We now have the hedgedoc liste direct download integrated as per #8.
I ran a comparison of the cachyos paste and the hedgedoc and found those to be only in cachyos:
adom-noteye, customizepkg-patching, ddgtk, linux-steam-integration,
lwan-git, lxqt-qt5ct, lynis-git, lyvi-git, lzham, mapcrafter-git,
meliora-openbox-themes, menu-cache-git, minder-git, mingw-w64-libtheora,
mkdocs-bootswatch, mojave-ct-icon-theme, mono-addins-git, mygnuhealth,
python2-pygments, python-gattlib, sjeng, skdet, snapshot-hib,
toggldesktop-bin
@simiscoool-afk could you try to add those to the 'official' hedgedoc paste please?
I ran a comparison of the cachyos paste and the hedgedoc and found those to be only in cachyos:
adom-noteye, customizepkg-patching, ddgtk, linux-steam-integration,
lwan-git, lxqt-qt5ct, lynis-git, lyvi-git, lzham, mapcrafter-git,
meliora-openbox-themes, menu-cache-git, minder-git, mingw-w64-libtheora,
mkdocs-bootswatch, mojave-ct-icon-theme, mono-addins-git, mygnuhealth,
python2-pygments, python-gattlib, sjeng, skdet, snapshot-hib,
toggldesktop-bin
@simiscoool-afk could you try to add those to the 'official' hedgedoc paste please?
> I have looked at the tool and its [prompt](https://github.com/manticore-projects/aurscan/blob/dbf6a0ae1aad757da425de59b9c4afd6d48c6833/internal/scan/prompt.go) .
> It's basically an LLM wrapper that checks for a list of red flags and then gives its opinion.
Thank you! You are right of course: the prompt shall evolve and improve and yes, all we get is an educated opinion. You are also right, that this is an arms race -- always have been, always will be.
Yet, this additional opinion and warning seems useful to me because I must be honest: I did NOT read all build scripts of all AUR packages I have installed. And I was not aware of those particular malwares.
So, if you have ideas for more sophisticated checks, please just shoot.
> It's basically an LLM wrapper that checks for a list of red flags and then gives its opinion.
Thank you! You are right of course: the prompt shall evolve and improve and yes, all we get is an educated opinion. You are also right, that this is an arms race -- always have been, always will be.
Yet, this additional opinion and warning seems useful to me because I must be honest: I did NOT read all build scripts of all AUR packages I have installed. And I was not aware of those particular malwares.
So, if you have ideas for more sophisticated checks, please just shoot.
Discovery Source
GitHub Open Source Aggregated via automated community intelligence tracking.
Tech Stack Dependencies
No direct open-source NPM package mentions detected in the product documentation.
Media Tractions & Mentions
No mainstream media stories specifically mentioning this product name have been intercepted yet.
Deep Research & Science
No direct peer-reviewed scientific literature matched with this product's architecture.
SaaS Metrics