Skip to content

Detect new addition of npm or bun dependency#20

Open
hirak99 wants to merge 2 commits into
Sohimaster:mainfrom
hirak99:new_npm_or_bun_dep
Open

Detect new addition of npm or bun dependency#20
hirak99 wants to merge 2 commits into
Sohimaster:mainfrom
hirak99:new_npm_or_bun_dep

Conversation

@hirak99

@hirak99 hirak99 commented Jun 14, 2026

Copy link
Copy Markdown

This check flags the introduction of package-manager dependencies associated with external language ecosystems (currently npm/bun). Such additions may warrant additional review because they can enable the retrieval of code outside the sources explicitly declared in the PKGBUILD.

This provides a general mechanism for detecting one class of changes involved in the June 2026 malware campaign.

We can likely extend this to cover other newly introduced build dependencies, such as yarn, cargo, python-pip, and ruby. I can add support for those in a follow-up PR if this approach is approved.

hirak99 added 2 commits June 14, 2026 16:02
Triggers only if `npm` or `bun` dependency is newly added, but not on
existing dependencies.

This has been the attack vector for 2026 June AUR malware attacks.

The list of the packages may be expanded, to include other such
unmoderated installation channels to camouflage code execution such as
`pip`.
@adelmonte

Copy link
Copy Markdown

Working on the same June 2026 campaign from a different angle in #22.

Two gaps I hit with the dep-array diff approach here:

  • T-DIFF-NEW-DEP-NPM-BUN is +50 Temporal (×0.15 weight), so it can't lift a compromised package out of OK — e.g. alvr in The checking AUR comments section is not working. #14 already fires B-SUBMITTER-CHANGED but stays at trust 73. The miss there is the tier, not just the absence of a signal.
  • It's diff-gated and keys off the makedepends array, so it won't fire on a package that's malicious from creation, or when the attacker calls npm install <pkg> directly in build()/.install without touching the dep array.

#22 adds command-level detection of build-time network installs (npm/bun/yarn/pnpm/pip/gem/cargo/go) plus an override gate that escalates adopted package + build-time named install straight to MALICIOUS — which is what actually catches the alvr-style takeover. The dep-array check here is a good complementary signal (it catches installs buried in fetched build scripts), so I think both compose well rather than one replacing the other.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants