Hi everyone, Since the obfuscation techniques in this campaign are evolving rapidly (e.g., using shell hex/octal escapes and switching to alternative package managers like "bun add"), relying solely on static package name lists is becoming a cat-and-mouse game.
To help with audits, I've put together a lightweight, read-only, behavior-based detection script. Instead of just checking package names, it inspects what actually ran on the system and what is staged to run. Key features: 1. Inspects definitive install hooks in /var/lib/pacman/local/ for any JS package manager calls or obfuscation. 2. Scans paru/yay clone caches safely (using find -print0 / read -d '') to catch payloads before installation. 3. Performs efficient, stream-based file scanning via 'grep -a' to prevent null-byte truncation or memory issues with large/binary files. 4. Fully compatible with strict environments (set -uo pipefail) and handles empty arrays defensively. You can find the script and review the code here: https://gist.github.com/l33tm4st3r/f6895a62167bd3d83f298d27ffd46741 Hopefully, this helps community members audit their systems or analyze the clones safely. Any feedback or additional heuristic patterns are highly appreciated. Best regards, cmhacks
