Subject: [SECURITY] Possibly malicious AUR package: nodejs-pkg

Package : nodejs-pkg
AUR page: https://aur.archlinux.org/packages/nodejs-pkg
Scanner : aurscan (automated Claude-model PKGBUILD analysis)
Verdict : SUSPICIOUS (confidence 72%)

Summary : The package() function fetches the package live from the npm
registry at build time (`npm install -g [email protected]`) rather than using
the tarball declared in source=(). This bypasses the integrity check
provided by sha512sums and introduces an unverified network dependency
at install time.

Findings:
  - [warning] PKGBUILD: Fetches the package live from the npm registry
instead of using the source tarball that was checksummed. The verified
tarball is never used (noextract, commented-out install). This means
the installed content is not covered by the sha512sums integrity check.
      snippet: npm install -g pkg@${pkgver} --user root --prefix
"${pkgdir}/usr"
  - [info] PKGBUILD: The correct installation method using the
downloaded and checksummed source tarball is commented out, while the
live-network fetch is active. This is backwards from safe packaging
practice.
      snippet: #npm install -g --user root --prefix "${pkgdir}/usr"
"${srcdir}/${pkgname}-${pkgver}.tar.gz"
  - [warning] PKGBUILD: The source tarball is downloaded and
checksummed but never actually used in the build, making the integrity
check effectively meaningless for what gets installed.
      snippet: noextract=("${pkgname}-${pkgver}.tar.gz")

NOTE: This report was produced by an automated LLM-based scanner and
has been reviewed by the submitting user before sending. Please verify
independently.

Reply via email to