← Back to Product Feed

GitHub Open Source lenucksi/aur-malware-check

Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

1,785
Traction Score
38
Forks
Jun 12, 2026
Launch Date
View Origin Link

Product Positioning & Context

Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.

Related Ecosystem & Alternatives

Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.

Deep-Dive FAQs

What is lenucksi/aur-malware-check?
lenucksi/aur-malware-check is a digital product or tool described as: Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.
Where did lenucksi/aur-malware-check originate?
Data for lenucksi/aur-malware-check was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was lenucksi/aur-malware-check publicly launched?
The initial public indexing or launch date for lenucksi/aur-malware-check within our tracked developer communities was recorded on June 12, 2026.
How popular is lenucksi/aur-malware-check?
lenucksi/aur-malware-check has achieved measurable traction, logging over 1,785 traction score and facilitating 38 recorded discussions or engagements.
Are there active development issues for lenucksi/aur-malware-check?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 5 active high-priority issues logged recently.
What are some commercial alternatives to lenucksi/aur-malware-check?
Our semantic intelligence engine identifies potential commercial alternatives in the SaaS space, such as Timbal AI, which offers overlapping value propositions.
How does the creator describe lenucksi/aur-malware-check?
The original author or development team describes the product as follows: "Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists."

Active Developer Issues (GitHub)

open new wave, see what csn be done
Logged: Jun 13, 2026
open Missing Packages
Logged: Jun 13, 2026
open AURSCAN: Scanning AUR packages using Claude LLM
Logged: Jun 13, 2026
open Consult and update as needed from the cachyos paste
Logged: Jun 12, 2026
open Partial package name matching resulting in false positives
Logged: Jun 12, 2026

Community Voice & Feedback

lenucksi • Jun 14, 2026
Looks like this is more of a discussion topic? I'll try to move it to the discussion section here. Also, thanks for the help @1mercdev
katanacrimson • Jun 14, 2026
Can confirm that it's fixed. Thank you! Closing.
1mercdev • Jun 14, 2026
if you want to make sure, the fix is to add "nextfile-js" to a new line in the ```malicious_npm_packages.txt``` file. It's the only thing that's not committed yet.
Generally speaking, I personally wouldn't recommend updating the system until everything is ensured to be sorted out.
CeramicPotato • Jun 14, 2026
does this commit still check for everything? I updated earlier like 5-6 hours ago thinking things were handled, saw this, and added this commit and got a clean result. just anxious now looking for answers
1mercdev • Jun 14, 2026
Yeah, what's coming out of this is just the attackers finding as many ways as possible to target the most machines.
After a quick research, I found the npm pkg link which seems to be this: https://www.npmjs.com/package/nextfile-js .
1mercdev • Jun 13, 2026
That's probably it, as the scan, without the --all-time flag, will not signal packages that were installed before June 9th. (using --all-time will likely flag the package, try it if you'd like)
You can see that in the first lines of the script the ```START_DATE``` variable is set to 06-09. Although this could be a good sign and may signify that your machine wasn't compromised (given no other scans flagged malware), I would still personally check out the PKGBUILD for that version and make sure it isn't altered.
LeventKaanOguz • Jun 13, 2026
I just checked and it seems like I had the PKGBUILD from 5th of June or something, which is before the suspicions. Maybe that was the reason that it got filtered? I have tried --full --refresh as well but it did not showed it again.
TheCraiggers • Jun 13, 2026
So it's no longer just an opportunistic attempt and is now an active, ongoing attack. :(
1mercdev • Jun 13, 2026
So "nextfile-js" is the new package name to scan for on compromised machines?
This makes it harder to detect them inside the .install files but it doesn't really compromise the scanner too much since packages are still logged in pacman and the bun cache.
1mercdev • Jun 13, 2026
The pkg "latex-mk" seems to be present inside both the HedgeDoc and the fallback package_list.txt.
I'm not entirely sure how your scan missed that but it might be because you haven't used the --refresh flag (and you have an outdated package_list.txt). Just clone the latest commit and go for a --full --refresh scan if you want to make sure.
The README.md inside this repo also provides instructions for when your system gets compromised. A clean install is usually recommended.
lenucksi • Jun 13, 2026
Thanks for the details. Take a look at 2.3.3 fixed it here when simulated against two packages that I do have and that do have a package and package-bin.
Please close if done.
barrybingo • Jun 13, 2026
Hi, I can reproduce this on v2.3.0. The issue is in check_current() in aur_check-v2.sh.

pacman -Qmq does substring/prefix matching, not exact matching. You can verify this directly:


$ pacman -Qmq jd-gui
jd-gui-bin

jd-gui is in package_list.txt as an infected package, but pacman -Qmq jd-gui returns jd-gui-bin (a legitimate Java decompiler). The script then calls pacman -Qi jd-gui-bin, which succeeds, and the package gets flagged as infected.
lenucksi • Jun 13, 2026
Hi @katanacrimson! Thanks for your report. I merged some PRs and tried to come up with some small/hacky tests for the package name matching. I could not reproduce this so far.
Can you please take a look at the more recent versions and the 'test script' to see if a) those address your concerns and b) if you can still reproduce it?

If you can still reproduce it, some more detailed pointers would be helpful.
lenucksi • Jun 13, 2026
We now have the hedgedoc liste direct download integrated as per #8.

I ran a comparison of the cachyos paste and the hedgedoc and found those to be only in cachyos:
adom-noteye, customizepkg-patching, ddgtk, linux-steam-integration,
lwan-git, lxqt-qt5ct, lynis-git, lyvi-git, lzham, mapcrafter-git,
meliora-openbox-themes, menu-cache-git, minder-git, mingw-w64-libtheora,
mkdocs-bootswatch, mojave-ct-icon-theme, mono-addins-git, mygnuhealth,
python2-pygments, python-gattlib, sjeng, skdet, snapshot-hib,
toggldesktop-bin

@simiscoool-afk could you try to add those to the 'official' hedgedoc paste please?
manticore-projects • Jun 13, 2026
> I have looked at the tool and its [prompt](https://github.com/manticore-projects/aurscan/blob/dbf6a0ae1aad757da425de59b9c4afd6d48c6833/internal/scan/prompt.go) .
> It's basically an LLM wrapper that checks for a list of red flags and then gives its opinion.

Thank you! You are right of course: the prompt shall evolve and improve and yes, all we get is an educated opinion. You are also right, that this is an arms race -- always have been, always will be.

Yet, this additional opinion and warning seems useful to me because I must be honest: I did NOT read all build scripts of all AUR packages I have installed. And I was not aware of those particular malwares.

So, if you have ideas for more sophisticated checks, please just shoot.

Discovery Source

GitHub Open Source GitHub Open Source

Aggregated via automated community intelligence tracking.

Tech Stack Dependencies

No direct open-source NPM package mentions detected in the product documentation.

Media Tractions & Mentions

No mainstream media stories specifically mentioning this product name have been intercepted yet.

Deep Research & Science

No direct peer-reviewed scientific literature matched with this product's architecture.