Hi everyone,

Since the obfuscation techniques in this campaign are evolving rapidly
(e.g., using shell hex/octal escapes and switching to alternative
package managers like "bun add"), relying solely on static package
name lists is becoming a cat-and-mouse game.

To help with audits, I've put together a lightweight, read-only,
behavior-based detection script. Instead of just checking package
names, it inspects what actually ran on the system and what is staged
to run.

Key features:
1. Inspects definitive install hooks in /var/lib/pacman/local/ for any
JS package manager calls or obfuscation.
2. Scans paru/yay clone caches safely (using find -print0 / read -d
'') to catch payloads before installation.
3. Performs efficient, stream-based file scanning via 'grep -a' to
prevent null-byte truncation or memory issues with large/binary files.
4. Fully compatible with strict environments (set -uo pipefail) and
handles empty arrays defensively.

You can find the script and review the code here:
https://gist.github.com/l33tm4st3r/f6895a62167bd3d83f298d27ffd46741

Hopefully, this helps community members audit their systems or analyze
the clones safely. Any feedback or additional heuristic patterns are
highly appreciated.

Best regards,
cmhacks

Reply via email to