I would like to apologise, this was just a (successful) test -- please
ignore.
Thank you and best

Andreas

On Sun, 2026-06-14 at 07:21 +0700, Andreas Reichel wrote:
> Subject: [SECURITY] Possibly malicious AUR package: nodejs-pkg
> 
> Package : nodejs-pkg
> AUR page: https://aur.archlinux.org/packages/nodejs-pkg
> Scanner : aurscan (automated Claude-model PKGBUILD analysis)
> Verdict : SUSPICIOUS (confidence 72%)
> 
> Summary : The package() function fetches the package live from the
> npm registry at build time (`npm install -g [email protected]`) rather than
> using the tarball declared in source=(). This bypasses the integrity
> check provided by sha512sums and introduces an unverified network
> dependency at install time.
> 
> Findings:
>   - [warning] PKGBUILD: Fetches the package live from the npm
> registry instead of using the source tarball that was checksummed.
> The verified tarball is never used (noextract, commented-out
> install). This means the installed content is not covered by the
> sha512sums integrity check.
>       snippet: npm install -g pkg@${pkgver} --user root --prefix
> "${pkgdir}/usr"
>   - [info] PKGBUILD: The correct installation method using the
> downloaded and checksummed source tarball is commented out, while the
> live-network fetch is active. This is backwards from safe packaging
> practice.
>       snippet: #npm install -g --user root --prefix "${pkgdir}/usr"
> "${srcdir}/${pkgname}-${pkgver}.tar.gz"
>   - [warning] PKGBUILD: The source tarball is downloaded and
> checksummed but never actually used in the build, making the
> integrity check effectively meaningless for what gets installed.
>       snippet: noextract=("${pkgname}-${pkgver}.tar.gz")
> 
> NOTE: This report was produced by an automated LLM-based scanner and
> has been reviewed by the submitting user before sending. Please
> verify
> independently.
> 

Reply via email to