Skip to content

Detect new addition of npm or bun dependency#20

Open
hirak99 wants to merge 2 commits into
Sohimaster:mainfrom
hirak99:new_npm_or_bun_dep
Open

Detect new addition of npm or bun dependency#20
hirak99 wants to merge 2 commits into
Sohimaster:mainfrom
hirak99:new_npm_or_bun_dep

Conversation

@hirak99

@hirak99 hirak99 commented Jun 14, 2026
edited
Loading

Copy link
Copy Markdown

This check flags the introduction of package-manager dependencies associated with external language ecosystems (currently npm/bun). Such additions may warrant additional review because they can enable the retrieval of code outside the sources explicitly declared in the PKGBUILD.

This provides a general mechanism for detecting one class of changes involved in the June 2026 malware campaign.

We can likely extend this to cover other newly introduced build dependencies, such as yarn, cargo, python-pip, and ruby. I can add support for those in a follow-up PR if this approach is approved.

hirak99 added 2 commits June 14, 2026 16:02
@hirak99
fix(minor): warning that e is not used in Err(e)
4f2c4f6
@hirak99
feat: detect newly added npm/bun dependencies
20e9d93 
Triggers only if `npm` or `bun` dependency is newly added, but not on
existing dependencies.

This has been the attack vector for 2026 June AUR malware attacks.

The list of the packages may be expanded, to include other such
unmoderated installation channels to camouflage code execution such as
`pip`.
@hirak99 hirak99 force-pushed the new_npm_or_bun_dep branch from cd1a0b9 to 20e9d93 Compare June 14, 2026 10:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hirak99