I would like to apologise, this was just a (successful) test -- please ignore. Thank you and best
Andreas On Sun, 2026-06-14 at 07:21 +0700, Andreas Reichel wrote: > Subject: [SECURITY] Possibly malicious AUR package: nodejs-pkg > > Package : nodejs-pkg > AUR page: https://aur.archlinux.org/packages/nodejs-pkg > Scanner : aurscan (automated Claude-model PKGBUILD analysis) > Verdict : SUSPICIOUS (confidence 72%) > > Summary : The package() function fetches the package live from the > npm registry at build time (`npm install -g [email protected]`) rather than > using the tarball declared in source=(). This bypasses the integrity > check provided by sha512sums and introduces an unverified network > dependency at install time. > > Findings: > - [warning] PKGBUILD: Fetches the package live from the npm > registry instead of using the source tarball that was checksummed. > The verified tarball is never used (noextract, commented-out > install). This means the installed content is not covered by the > sha512sums integrity check. > snippet: npm install -g pkg@${pkgver} --user root --prefix > "${pkgdir}/usr" > - [info] PKGBUILD: The correct installation method using the > downloaded and checksummed source tarball is commented out, while the > live-network fetch is active. This is backwards from safe packaging > practice. > snippet: #npm install -g --user root --prefix "${pkgdir}/usr" > "${srcdir}/${pkgname}-${pkgver}.tar.gz" > - [warning] PKGBUILD: The source tarball is downloaded and > checksummed but never actually used in the build, making the > integrity check effectively meaningless for what gets installed. > snippet: noextract=("${pkgname}-${pkgver}.tar.gz") > > NOTE: This report was produced by an automated LLM-based scanner and > has been reviewed by the submitting user before sending. Please > verify > independently. >
