{"slug": "checks-pacman-logs-for-infected-aur-packages", "title": "Checks pacman logs for infected aur packages", "summary": "A developer has released a script that checks pacman logs for packages potentially compromised in the June 11, 2025 AUR exploitation. The tool scans for hundreds of infected package names, including 123pan-bin, 1code, and 8192eu-dkms-git, by cross-referencing installation logs against a known list of malicious AUR packages. The script builds upon earlier detection work to help Arch Linux users identify any compromised software on their systems.", "body_md": "```bash\n#!/usr/bin/env bash\n#\n# A quick-and-easy check for possibly impacted packages\n# of the 20260611 AUR exploitation\n#\n# Forked+updated from, and credit to, the original:\n# https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992\n#\n# <3 cscs <3\n#\n# Kacper Kondracki:\n# I ran the aurvulntest through ai slop to also implement checking pacman logs\n\nINFECTED_PKGS=(\n    123pan-bin\n    1code\n    8192eu-dkms-git\n    actual-ai\n    adblock2privoxy\n    aion-git\n    albion-online-launcher-bin\n    alienfx\n    alvr\n    android-signapk\n    android-signapk-gui\n    android-support-repository\n    annobin\n    ansible-language-server\n    antfs-cli-git\n    anythingllm-appimage\n    anythingllm-cli-bin\n    apk-installer-gui\n    apm_planner-bin\n    apothem\n    apple-music-desktop\n    arch-update-vai\n    archjh\n    archlinux-themes-slim\n    archmage\n    archtex-git\n    arm-linux-gnueabihf-binutils\n    artanis-git\n    astro-editor-appimage\n    autohand-cli\n    autolabel\n    autologin\n    azurlaneautoscript\n    bcachefs-kernel-dkms-git\n    beebeep\n    bitcoin-core-git\n    blinkenlib\n    blueproximity-py3-git\n    booklore\n    brow6el\n    brow6el-git\n    canon-pixma-mg3000-complete-fixed\n    cartridge-cli\n    ccase-bin\n    ccl-git\n    cgminer\n    charcoal\n    cinny-desktop-system-tray\n    clai\n    clang19\n    clash-mi\n    cling-git\n    cmuclmtk\n    cnijfilter-common\n    codenomad-bin\n    codeql-cli-bin\n    cogpit-bin\n    colorhug-client\n    colorz\n    compiler-rt19\n    compizconfig-python\n    coolreader\n    cowdancer\n    cutefish-calculator\n    cutefish-core\n    cutefish-dock\n    cutefish-filemanager\n    cutefish-icons\n    cutefish-launcher\n    cutefish-qt-plugins\n    cutefish-screenlocker\n    cutefish-screenshot\n    cutefish-settings\n    cutefish-statusbar\n    cutefish-wallpapers\n    cvs-feature-bin\n    cynthiune.app\n    dagu-bin\n    datatype99\n    deheader\n    dep\n    dh-python\n    difi\n    difi-bin\n    doctoc\n    dots-hyprland-fork-git\n    dvdrip\n    dyad-bin\n    easy_spice\n    edconv-bin\n    efiboots-git\n    electrum-nmc\n    elmerfem\n    eisl\n    epson-inkjet-printer-escpr2-clos-bin\n    exodus-wallet-bin\n    exoduswallet\n    farmmod-hub\n    fastoggenc\n    fastjet\n    fatx\n    fcitx5-pinyin-sougou-dict-git\n    ffmpeg-bitrate-stats\n    ffmpeg-quality-metrics\n    findpkg-git\n    firefox-extension-adnauseam-bin-amo\n    firmium-desktop-git\n    fishui\n    fishui-git\n    flashfocus\n    flexiblas\n    flynarwhal\n    fmlib\n    forgecode-bin\n    formidable-bin\n    frame\n    ftl\n    frutool\n    futhark-bin\n    gdl\n    gdlmm\n    git-annex-standalone\n    gnome-contacts-git\n    gnome-randr-rust\n    gnutls3.8.9\n    gopher2600\n    gopher2600-bin\n    gosh\n    gpx-viewer\n    graveman\n    green-tunnel-bin\n    greetd-wlgreet-git\n    gtkimageview\n    guile-reader\n    gummy\n    gummy-git\n    hackmatrix-git\n    harmony-wad\n    headphones\n    hearthstone-linux-gui-appimage\n    hearthstone-linux-gui-bin\n    hepmc2\n    hister-git\n    hnswlib-git\n    horst\n    hydownloader-git\n    hydrus-git\n    i3bar-river\n    ianny-bin\n    ibm-sw-tpm2\n    ihaskell-git\n    imageglass\n    inadyn\n    indicator-session\n    infnoise-openssl-git\n    interface99\n    ios-webkit-debug-proxy\n    ipfs-desktop-bin\n    ipsw\n    iron-heart-git\n    jasp-desktop\n    jd-gui\n    k3sup\n    kdb\n    kddockwidgets-git\n    kexi\n    kiss\n    ktea\n    kookbook\n    kproperty\n    kreport\n    latex-digsig\n    lazylpsolverlibs-git\n    ledger-udev-bin\n    lesstif\n    lib32-egl-wayland\n    libafterimage\n    libbobcat\n    libcutefish\n    libffi-static\n    libgdata\n    libjxl-noglycin\n    libquvi\n    libquvi-scripts\n    libretro-hatari-enhanced-git\n    libxdiff\n    libxml-ruby\n    libyami\n    linux-cachyos-deckify-native\n    linux-cachyos-deckify-native-headers\n    linux-cachyos-native\n    linux-cachyos-native-headers\n    linux-cachyos-native-nvidia-open\n    linux-cachyos-rc-native\n    linux-cachyos-rc-native-headers\n    linux-cachyos-rc-native-nvidia-open\n    linux-tool\n    liri-cmake-shared-git\n    lite\n    lll\n    llvm-cbe-git\n    lowfi-bin\n    \"ls++\"\n    lucidvideo\n    m5rcode\n    magpie-wm\n    mako-center-git\n    manuskript\n    maszyna-git\n    mathsat-5\n    matrixbrandy\n    mcp-probe\n    mcpatcher\n    mermaid-ascii-git\n    mermark-editor\n    mesa-dlss-reflex-git\n    meteo\n    mimic-node-git\n    mingw-w64-geos\n    mingw-w64-libsndfile\n    minimax-bin-hardened\n    minitube\n    misuzu-music-bin\n    mono-addins\n    monochrome\n    monochrome-git\n    moor-git\n    mount-gtk\n    mopen\n    n1-translator\n    naemon\n    naemon-livestatus\n    natapp\n    nebuchadnezzar-git\n    neovim-autopairs-git\n    neovim-nvim-treesitter\n    nerf-pi\n    neuro-karaoke-wrapper-git\n    new-api-privacy-filter\n    new-api-privacy-filter-git\n    nextcloud-app-audioplayer\n    nextcloud-app-facerecognition\n    nextcloud-app-gpoddersync\n    nextcloud-app-integration-google\n    nextcloud-app-repod\n    nextcloud-app-twofactor-gateway\n    nextcloud-git\n    nexus-bin\n    nginx-mod-vts\n    nhentai-git\n    nocodb\n    noctyra-dotfiles-git\n    noctyra-meta-git\n    \"notepad---bin\"\n    nox-bin\n    nrpe\n    nwchem-bin\n    ob-xd\n    octocode\n    opencode-codebase-index-bin\n    openui5\n    opl-synth\n    optimizevideo-git\n    oracle-bin\n    pacforge\n    paper-desktop-bin\n    paq8o\n    parallel-python\n    pass-cli\n    pelican-git\n    penguin-subtitle-player\n    perl-proc-parallelloop\n    perl-set-object\n    perl-term-extendedcolor\n    phonon-qt5-vlc\n    php-geoip\n    php-legacy-memcache\n    php-memcache\n    php-openswoole-git\n    php-xdiff\n    picom-ftlabs-git\n    pidgin-kwallet\n    pipetoys\n    pipewire-visualizer-git\n    premake-git\n    prisma4postgres-bin\n    profile-sync-daemon-zen\n    pymacs\n    pypiserver\n    pypy-setuptools\n    python-apt\n    python-affine\n    python-argdispatch\n    python-awkward\n    python-axolotl-git\n    python-calmjs\n    python-celery\n    python-cerealizer\n    python-ci-info\n    python-coolname\n    python-cu2qu-git\n    python-dataproperty\n    python-dbapi-compliance\n    python-dictobject\n    python-dj-database-url\n    python-django-modelcluster\n    python-django-rest-knox\n    python-fastmcp-slim\n    python-finnhub-python\n    python-firebase-admin\n    python-fmu_manipulation_toolbox\n    python-future\n    python-g4f\n    python-hist\n    python-histoprint\n    python-hsaudiotag3k\n    python-iminuit\n    python-iso3166\n    python-isr-git\n    python-jsmin\n    python-json2xml\n    python-luckydonald-utils\n    python-milvus-lite-bin\n    python-mmcif\n    python-monotonic\n    python-mplhep\n    python-mplhep_data\n    python-netaudio-git\n    python-netaudio-lib\n    python-newspaper4k\n    python-nipype\n    python-nodejs-wheel\n    python-openai-harmony\n    python-orange\n    python-pdf2docx\n    python-piecash\n    python-pluginmgr\n    python-poetry-plugin-dotenv\n    python-privy-git\n    \"python-pushbullet.py\"\n    python-pychromecast-git\n    python-pylsp-rope\n    python-pymilvus\n    python-pysocks-git\n    python-rembg\n    python-scikit-hep-testdata\n    python-sklearn-pandas\n    python-sqliteschema\n    python-starlette-compress\n    python-starsessions\n    python-steamcontroller-git\n    python-tabledata\n    python-tarantool\n    python-tradingeconomics\n    python-uhi\n    python-uproot\n    python-vector\n    python-xtarfile\n    python2-appdirs\n    python2-fusepy\n    python2-lazr-uri\n    python2-mutagen\n    python2-notify\n    python2-packaging\n    python2-paver\n    python2-pyparsing\n    python2-simplejson\n    python2-simpleparse\n    python2-stomper\n    python2-twodict-git\n    python2-xlib\n    qhttpengine\n    qlementine\n    qmdnsengine\n    qnapi\n    qobuz-player-bin\n    qtum-core\n    quickswitch-i3\n    r-dbplyr\n    reactphysics3d\n    repoporge\n    retibbs-client-git\n    rhythmbox-git\n    rimworld\n    rog-helper-git\n    ros2-humble-nav2-msgs\n    rtspeccy-git\n    ruah-orch\n    ruby-excon\n    ruby-kramdown-rfc2629\n    ruby-selenium-webdriver\n    runescape-launcher\n    sakura-launcher-gui\n    sandlock\n    screenpipe-bin\n    sdcc-bin\n    seahorse-nautilus\n    shhmsg\n    shhopt\n    slipnet\n    slipnet-bin\n    smenu\n    smenu-git\n    smolrtsp\n    smolrtsp-libevent\n    snry-shell-qs\n    soapyptezuka\n    solara-kernel-headers\n    sonosano\n    soundpaad-bin\n    sshuttlee\n    sshuttlee-bin\n    stompbox-jack-git\n    stripe-cli\n    stylelint-config-recommended\n    subbrute\n    sublist3r-git\n    subprocess\n    subsync\n    svu\n    sway-xkb-switcher\n    tack\n    tarantool\n    tesseract-gui\n    thunar-nextcloud-plugin\n    thunderbird-conversations\n    tinyemu\n    tlpui-git\n    torch7-git\n    touchhle\n    touchosc-bin\n    transcreen\n    tsm\n    ttf-material-design-icons-git\n    tunacode-cli\n    typing-game-cli\n    ukui-notification-daemon\n    vapoursynth-preview-git\n    vbam-git\n    verso-git\n    vidcutter\n    vim-easymotion\n    vim-gitgutter\n    vim-indent-object\n    vim-molokai\n    vim-pythonhelper\n    vim-solidity\n    vim-vital\n    vocalinux-git\n    voquill-gpu\n    wallpaper-generator-next\n    wayland-static\n    we-layerd-git\n    whatsie-git\n    whisper2tr\n    whisper2tr-git\n    windowmaker-git\n    wine-nine\n    wire-desktop\n    word-snatchers-cli\n    workbench\n    workbuddy-bin\n    wrystr-git\n    wsjtx-beta\n    xf86-input-mtrack-git\n    xorg-xfsinfo\n    xplot\n    xpra-html5\n    xray-domain-list-community\n    yarg\n    yt6801-dkms\n    yy\n    zathura-gruvbox-git\n    zerx-lab-dida-bin\n    zerx-lab-zed-nightly-bin\n    zing-8-bin\n    zing-17-bin\n    zing-21-bin\n    zinnia-python\n    zsdx\n)\n\nSTART_DATE=${START_DATE:-2026-06-09}\nEND_DATE=${END_DATE:-2026-06-12}\nPACMAN_LOG_GLOB=${PACMAN_LOG_GLOB:-/var/log/pacman.log*}\n\nCURRENT_FOUND=()\nHISTORICAL_FOUND=()\nLOG_WARNINGS=()\n\n# The log scan runs inside pipelines and a process substitution (subshells),\n# so array appends made there never reach this shell. Warnings are written to\n# a temporary file instead and loaded into LOG_WARNINGS after the scan.\nLOG_WARNINGS_FILE=$(mktemp) || exit 1\ntrap 'rm -f -- \"$LOG_WARNINGS_FILE\"' EXIT\n\nlog_warning() {\n    printf '%s\\n' \"$1\" >>\"$LOG_WARNINGS_FILE\"\n}\n\n# Dates are ISO formatted (YYYY-MM-DD), so string comparison orders them correctly.\ndate_in_window() {\n    local date_value=$1\n    [[ \"$date_value\" < \"$START_DATE\" ]] && return 1\n    [[ \"$date_value\" > \"$END_DATE\" ]] && return 1\n    return 0\n}\n\ninstall_date_in_window() {\n    local raw_date=$1 normalized_date\n    # pacman -Qi uses the current locale unless forced. The caller uses LC_ALL=C,\n    # so GNU date can reliably parse strings like \"Thu 11 Jun 2026 10:00:00\".\n    normalized_date=$(LC_ALL=C date -d \"$raw_date\" +%F 2>/dev/null) || return 1\n    date_in_window \"$normalized_date\"\n}\n\n# Print one log file to stdout, decompressing rotated logs when the tool exists.\nread_pacman_log_file() {\n    local file=$1\n    case \"$file\" in\n        *.gz)\n            if command -v gzip >/dev/null 2>&1; then\n                gzip -cd -- \"$file\"\n            else\n                log_warning \"Skipped $file: gzip is not installed\"\n            fi\n            ;;\n        *.xz)\n            if command -v xz >/dev/null 2>&1; then\n                xz -cd -- \"$file\"\n            else\n                log_warning \"Skipped $file: xz is not installed\"\n            fi\n            ;;\n        *.zst)\n            if command -v zstdcat >/dev/null 2>&1; then\n                zstdcat -- \"$file\"\n            else\n                log_warning \"Skipped $file: zstdcat is not installed\"\n            fi\n            ;;\n        *.bz2)\n            if command -v bzip2 >/dev/null 2>&1; then\n                bzip2 -cd -- \"$file\"\n            else\n                log_warning \"Skipped $file: bzip2 is not installed\"\n            fi\n            ;;\n        *)\n            cat -- \"$file\"\n            ;;\n    esac\n}\n\n# Emit one tab-separated record (pkg, date, action, raw line) per matching\n# install/upgrade/reinstall event inside the campaign window.\nscan_pacman_logs() {\n    local file\n    local log_files=()\n    # Expand the configured glob safely. The default includes pacman.log and common\n    # rotated variants such as pacman.log.1, pacman.log.2.gz, or pacman.log.3.zst.\n    for file in $PACMAN_LOG_GLOB; do\n        [[ -e \"$file\" ]] && log_files+=(\"$file\")\n    done\n    if [[ ${#log_files[@]} -eq 0 ]]; then\n        log_warning \"No pacman log files matched: $PACMAN_LOG_GLOB\"\n        return 0\n    fi\n    {\n        printf 'PKG\\t%s\\n' \"${INFECTED_PKGS[@]}\"\n        for file in \"${log_files[@]}\"; do\n            [[ -r \"$file\" ]] || { log_warning \"Skipped $file: not readable\"; continue; }\n            read_pacman_log_file \"$file\" | sed $'s/^/LOG\\t/'\n        done\n    } | awk -v start=\"$START_DATE\" -v end=\"$END_DATE\" -F '\\t' '\n        $1 == \"PKG\" {\n            infected[$2] = 1\n            next\n        }\n        $1 == \"LOG\" {\n            line = $2\n            date = substr(line, 2, 10)\n            if (date < start || date > end) next\n            msg = line\n            sub(/^\\[[^]]+\\] \\[ALPM\\] /, \"\", msg)\n            split(msg, fields, \" \")\n            action = fields[1]\n            pkg = fields[2]\n            if ((action == \"installed\" || action == \"upgraded\" || action == \"reinstalled\") && infected[pkg]) {\n                key = pkg SUBSEP date SUBSEP action SUBSEP line\n                if (!seen[key]++) {\n                    printf \"%s\\t%s\\t%s\\t%s\\n\", pkg, date, action, line\n                }\n            }\n        }\n    ' | sort -u\n}\n\nprint_pkg_list() {\n    local -n arr=$1\n    local pkg\n    for pkg in \"${arr[@]}\"; do\n        echo \" - $pkg\"\n    done\n}\n\necho\necho \"Checking for infected AUR packages (${#INFECTED_PKGS[@]} total)...\"\necho \"Campaign window: $START_DATE through $END_DATE\"\necho\necho \"Checking currently installed foreign packages...\"\nwhile IFS= read -r pkg; do\n    install_date=$(LC_ALL=C pacman -Qi -- \"$pkg\" 2>/dev/null | awk -F ': ' '/^Install Date/ { print $2; exit }')\n    if [[ -n \"$install_date\" ]] && install_date_in_window \"$install_date\"; then\n        CURRENT_FOUND+=(\"$pkg (Install Date: $install_date)\")\n    fi\ndone < <(pacman -Qmq \"${INFECTED_PKGS[@]}\" 2>/dev/null)\nif [[ ${#CURRENT_FOUND[@]} -eq 0 ]]; then\n    echo \" Clean: no currently installed known infected package has an install date in the campaign window.\"\nelse\n    echo \" WARNING: ${#CURRENT_FOUND[@]} currently installed possibly infected package(s):\"\n    print_pkg_list CURRENT_FOUND\nfi\necho\necho \"Checking historical pacman logs...\"\nwhile IFS=$'\\t' read -r pkg date action line; do\n    HISTORICAL_FOUND+=(\"$pkg ($action on $date) :: $line\")\ndone < <(scan_pacman_logs)\n# Load the warnings recorded by the scan subshells.\nmapfile -t LOG_WARNINGS <\"$LOG_WARNINGS_FILE\"\nif [[ ${#HISTORICAL_FOUND[@]} -eq 0 ]]; then\n    echo \" Clean: no known infected package install/upgrade/reinstall events found in pacman logs during the campaign window.\"\nelse\n    echo \" WARNING: ${#HISTORICAL_FOUND[@]} historical pacman log event(s) matched:\"\n    print_pkg_list HISTORICAL_FOUND\nfi\nif [[ ${#LOG_WARNINGS[@]} -gt 0 ]]; then\n    echo\n    echo \"Log scan notes:\"\n    print_pkg_list LOG_WARNINGS\nfi\necho\nif [[ ${#CURRENT_FOUND[@]} -eq 0 && ${#HISTORICAL_FOUND[@]} -eq 0 ]]; then\n    echo \"Clean: no matches found by current-package or historical-log checks.\"\nelse\n    echo \"WARNING: matches were found. Review the package build files/cache and consider incident-response steps.\"\nfi\necho\n```", "url": "https://wpnews.pro/news/checks-pacman-logs-for-infected-aur-packages", "canonical_source": "https://gist.github.com/Kacper-Kondracki/88c5b313f79cc1f9c347e7ed61a36d10", "published_at": "2026-06-12 07:45:44+00:00", "updated_at": "2026-06-12 12:44:36.471836+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", "ai-infrastructure"], "entities": ["Kacper Kondracki", "AUR", "pacman"], "alternates": {"html": "https://wpnews.pro/news/checks-pacman-logs-for-infected-aur-packages", "markdown": "https://wpnews.pro/news/checks-pacman-logs-for-infected-aur-packages.md", "text": "https://wpnews.pro/news/checks-pacman-logs-for-infected-aur-packages.txt", "jsonld": "https://wpnews.pro/news/checks-pacman-logs-for-infected-aur-packages.jsonld"}}