The (Arch) community is moving quickly to release scripts/tools.
Right now, this is the most up to date, consolidated utility to check for infection:
https://github.com/lenucksi/aur-malware-check
Also, the aur-request mailing lists has many delete/orhan requests coming through to undo the malicous commits:
https://lists.archlinux.org/archives/list/aur-requests@lists...
Noob question, but how do people know this is thrustworthy, since it's not from Arch / an official source?
There's a lot of voodoo in that script, i can't easily tell it's safe by reading the code.
I'd expect some reaction/solution from official Arch developers...
You could try rkhunter or unhide from the official repositories, but I haven't tested this myself and I don't know how well they work with BPF rootkits (and/or this one specifically).
All of the packages I have triaged involved the atomic-lockfile npm package, so this is something you could try:
The problem with an officially endorsed solution is that the rootkit authors could push an update that hides/removes the indicators of compromise the endorsed script checks for (e.g. it would be trivial to have the malware delete atomic-lockfile from the npm cache).Love the starchart at the bottom of the repo readme.
Really conveys that sense of urgency + the stakes tied to a major malware attack like that.