aur-malware-check

aur-malware-check scans your Arch Linux system for traces of the June 2026 AUR supply-chain attack, the one that compromised over 1,600 packages in the Arch User Repository. It checks your installed packages against the known-bad lists and hunts for the attack's fingerprints: systemd persistence, eBPF rootkit traces, and poisoned npm and bun caches. The scripts are tuned to run in a second or two and return exit codes you can wire into automation.

There's nothing to host. You download the scripts and run them, and they tell you whether your machine shows signs of compromise. For a security tool this is about as low-friction as it gets, which matters when you need an answer fast and you're worried your box is already infected.

Arch users who installed AUR packages during the attack window are exactly who needs this, right now. If you don't run Arch or never touch the AUR, it's not for you. This is a targeted response to a specific incident, not a general antivirus, and that focus is its strength: it knows exactly what to look for.

The catch: it's incident-specific community scripts with no formal license and no warranty, the author says as much. A clean result is reassuring but not a guarantee, and a positive result means you've got real cleanup ahead. Use it as a fast first check, then verify anything it flags before you trust the machine again.