Subject: [SECURITY] Possibly malicious AUR package: nodejs-pkg Package : nodejs-pkg AUR page: https://aur.archlinux.org/packages/nodejs-pkg Scanner : aurscan (automated Claude-model PKGBUILD analysis) Verdict : SUSPICIOUS (confidence 72%)
Summary : The package() function fetches the package live from the npm registry at build time (`npm install -g [email protected]`) rather than using the tarball declared in source=(). This bypasses the integrity check provided by sha512sums and introduces an unverified network dependency at install time. Findings: - [warning] PKGBUILD: Fetches the package live from the npm registry instead of using the source tarball that was checksummed. The verified tarball is never used (noextract, commented-out install). This means the installed content is not covered by the sha512sums integrity check. snippet: npm install -g pkg@${pkgver} --user root --prefix "${pkgdir}/usr" - [info] PKGBUILD: The correct installation method using the downloaded and checksummed source tarball is commented out, while the live-network fetch is active. This is backwards from safe packaging practice. snippet: #npm install -g --user root --prefix "${pkgdir}/usr" "${srcdir}/${pkgname}-${pkgver}.tar.gz" - [warning] PKGBUILD: The source tarball is downloaded and checksummed but never actually used in the build, making the integrity check effectively meaningless for what gets installed. snippet: noextract=("${pkgname}-${pkgver}.tar.gz") NOTE: This report was produced by an automated LLM-based scanner and has been reviewed by the submitting user before sending. Please verify independently.
