The “Atomic Arch” campaign compromised over 1,500 AUR packages between June 10-12, targeting SSH keys and API tokens. If you updated via yay or paru during that window, you need to audit your local system.
I’ve built a client-side tool to help with this.
Local Processing: Your package list never leaves your browser. All comparisons are done client-side.
Live Data: It fetches the verified malicious list directly from the official Arch servers (md.archlinux.org) to ensure it’s always current. Zero Bloat: No trackers, no ads, no cookies. How to use:
- Run pacman -Qm
- Paste the output into the tool
The script in the top post of this thread does a better job, since it actually checks when you have upgraded the affected packages: https://discuss.cachyos.org/t/aur-compromised-1500-packages-affected-20260611/31040
There’s also an even more thorough https://github.com/lenucksi/aur-malware-check
Those are solid resources but I built mine specifically for the folks who don’t want to pipe a remote bash script into their shell during a malware outbreak. My goal was simple, a private way to audit the list without needing to clone a repo or install Python dependencies.
Use the forensics scripts if you’re a power user, but if you just want a quick, client-side check that doesn’t touch your filesystem, that’s what the tool is there for.
The aur-malware-check script is amazing. Thank god for the community and Open Source.