So from a quick read, it seems it installed "atomic-lockfile", "js-digest" or "lockfile-js" from npm. A list of affected packages is here [1].

Didn't find any quick info on how to check a system, so I ran the following command to find foreign packages and some date-related info:

> pacman -Qmi

Check the output against the list of affected packages.

Then, you can also grep for those files in various locations:

> grep -rl "atomic-lockfile" / --include="package.json" --include="package-lock.json"

> grep -rl "atomic-lockfile" ~/.npm 2>/dev/null

> grep -i "atomic-lockfile" /var/log/pacman.log 2>/dev/null

Don't know if the packages delete themselves after they run. I just wanted to provide some basic commands, as all the other info I found didn't provide any help.

[1] https://md.archlinux.org/s/SxbqukK6IA

Here is how I did it:

Get a list of installed packages originating from AUR using 'yay':

  yay -Qam > packages_aur.last

Get list from https://md.archlinux.org/s/SxbqukK6IA# :

  curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt

then:

  grep -wFf compromised.txt packages_aur.last

should spit out the packages that are in both files, hence were compromised at some point, I guess.

I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform.

The attacker used at least three Node dependencies in the attack; just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm.
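
Added example, not part of the thread and not Arch or AUR tooling: two POSIX shell functions that cover the last comment's point (all three dependency names, including bun lockfiles) and do the `yay -Qam` cross-check by exact package name. The lockfile names `bun.lock`/`bun.lockb` and the one-name-per-line format of the affected list are assumptions.

```shell
#!/bin/sh
# Added example. The three dependency names are the ones named in the
# comments above; file names and list format are assumptions.

# scan_manifests DIR...
# Print each npm/bun manifest or lockfile under DIR that mentions any of the
# three names. bun.lockb is binary; grep -l still reports a byte match.
scan_manifests() {
    find "$@" -xdev -type f \
        \( -name package.json -o -name package-lock.json \
           -o -name bun.lock -o -name bun.lockb \) \
        -exec grep -lF -e atomic-lockfile -e js-digest -e lockfile-js {} + \
        2>/dev/null || :
}

# match_foreign PKGLIST NAMELIST
# PKGLIST:  "name version" lines, as printed by `pacman -Qm` or `yay -Qam`.
# NAMELIST: one affected package name per line (assumed already reduced to
#           bare names; blank lines and surrounding whitespace are ignored).
# Prints installed lines whose package name equals a listed name exactly, so
# "foo" on the list does not flag "foo-bin" the way a word grep (-w) can.
match_foreign() {
    awk 'FILENAME == ARGV[1] {
             gsub(/^[ \t]+|[ \t\r]+$/, "")
             if ($0 != "") bad[$0] = 1
             next
         }
         ($1 in bad)' "$2" "$1"
}
```

Typical use is `scan_manifests "$HOME"` and `match_foreign packages_aur.last names.txt`, where `names.txt` is a hypothetical file holding the affected package names extracted from the list. An empty result only means no reference was found on disk now; as noted in the thread, it is unknown whether the packages remove themselves after running.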