Startup Ideas Bank
From GitHub Gists to Chaos: An Inadequate Solution for a Massive Problem
AI roast score: 40/100 (F)
The idea
lenucksi/aur-malware-check — Detection tools for the June 2026 atomic-lockfile AUR supply-chain attack. Consolidated from community Gists.
AUR Malware Check - June 2026 Campaign
Detection and analysis tools for the atomic-lockfile supply-chain attack on the Arch User Repository (AUR).
This is a collection of all the scattered resources, especially the ones in the detection scripts Gist. They made this; I just collected it into a repo so I have it all in one place, and possibly people could put up PRs instead of Gist links across multiple posts. Certainly see the source section for details on the sources!
1600+ AUR packages were compromised by attackers who injected npm install atomic-lockfile, bun install js-digest, or lockfile-js into PKGBUILD/install files. Two attack waves:
atomic-lockfile / lockfile-js (npm) — accounts krisztinavarga, franziskaweber, tobiaswesterburg, ellenmyklebust; arojas (impersonated legitimate maintainer — see Impersonation Clarification)
js-digest (bun) — accounts custodiatovar, veramagalhaes
Both waves deliver an infostealer and an eBPF rootkit that target developer credentials, browser data, and CI/CD secrets.
Quick Start
# Check if you have any infected packages
./aur_check-v2.sh
# Check bun cache specifically (for js-digest / atomic-lockfile)
./aur_check-v2.sh --check-bun-cache
# Safe one-liner (from quantenProjects) - just compare installed vs infected list
comm -1 -2 <( pacman -Qq | sort ) <( curl -s https://raw.githubusercontent.com/YOUR/aur-malware-check/main/package_list.txt | sort )
# Full scan with all optional checks
./aur_check-v2.sh --full
# Cross-campaign: scan all installed packages regardless of install date
./aur_check-v2.sh --all-time
# Merge multiple lists (HedgeDoc + historical + custom) and scan
./custom_list_merge_aur_scan.sh -l ./historical_packages.txt
# Merge custom lists and disable date window for cross-campaign scan
./custom_list_merge_aur_scan.sh -l ./historical_packages.txt -- --all-time
# Refresh the package list from the official Arch Linux HedgeDoc, then scan
./aur_check-v2.sh --refresh --full
# Use custom package lists (also settable via env vars):
# PACKAGE_LIST_FILE=./my_list.txt
# MALICIOUS_NPM_LIST=./my_npm.txt
./aur_check-v2.sh --package-list=my_list.txt --malicious-npm-list=my_npm.txt
# Legacy scan (only use if v2 is broken)
./archive/aur_check.sh
Script: aur_check.sh
A consolidated detection script combining the best features from all community forks:
| Feature | Source |
|---|---|
| Batch pacman -Qmq query | commonsourcecs fork |
| Date window filtering (Jun 9-12) | commonsourcecs fork |
| Historical pacman.log scanning | Kacper-Kondracki fork |
| Compressed log support (.gz/.xz/.zst/.bz2) | Kacper-Kondracki fork |
~1600 known comp
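As an added example (not code from lenucksi/aur-malware-check or from any of the forks it credits), the checks the feature table lists, written as POSIX sh functions over constructed sample data: a constructed stand-in for package_list.txt with hypothetical package names, a constructed `pacman -Qmq` listing, constructed pacman.log lines in pacman's real line format, and a constructed PKGBUILD carrying one injected command. The real scripts read package_list.txt, live `pacman -Qmq` output and /var/log/pacman.log instead; everything here runs offline.

```shell
#!/bin/sh
# Added example, not code from lenucksi/aur-malware-check or its forks.
# All data below is constructed; package names are hypothetical.

# Constructed stand-in for package_list.txt (the known-compromised list).
COMPROMISED_LIST='pkg-alpha
pkg-beta
pkg-gamma'

# Constructed stand-in for `pacman -Qmq` (installed foreign/AUR packages).
INSTALLED='pkg-beta
pkg-delta
pkg-zeta'

# Constructed pacman.log lines in pacman's real line format:
# [timestamp] [ALPM] <action> <package> (<version>)
PACMAN_LOG='[2026-06-08T10:00:00+0000] [ALPM] installed pkg-beta (1.0-1)
[2026-06-10T12:00:00+0000] [ALPM] upgraded pkg-beta (1.0-1 -> 1.1-1)
[2026-06-11T09:30:00+0000] [ALPM] installed pkg-alpha (2.0-1)
[2026-06-15T08:00:00+0000] [ALPM] installed pkg-delta (0.1-1)'

# Constructed PKGBUILD bodies, one clean and one with an injected install.
PKGBUILD_CLEAN='pkgname=pkg-delta
build() { make; }'
PKGBUILD_BAD='pkgname=pkg-beta
build() { npm install atomic-lockfile; make; }'

# Check 1: batch intersection of installed packages with the compromised
# list (what the README's comm one-liner does). Args: installed-text list-text.
installed_compromised() {
  ic_tmp=$(mktemp)
  printf '%s\n' "$2" | sort -u > "$ic_tmp"
  printf '%s\n' "$1" | sort -u | grep -Fxf "$ic_tmp" || true
  rm -f "$ic_tmp"
}

# Check 2: pacman.log entries for listed packages inside a date window
# (install/upgrade/reinstall only). Args: log-text start end list-text.
# Dates are YYYY-MM-DD and compared as strings, which the format sorts lexically.
log_hits_in_window() {
  lh_tmp=$(mktemp)
  printf '%s\n' "$4" | sort -u > "$lh_tmp"
  printf '%s\n' "$1" | awk -v s="$2" -v e="$3" -v listfile="$lh_tmp" '
    BEGIN { while ((getline l < listfile) > 0) bad[l] = 1 }
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
      d = substr($1, 2, 10)   # "[2026-06-10T12:00:00+0000]" -> "2026-06-10"
      if (d >= s && d <= e && ($4 in bad)) print
    }'
  rm -f "$lh_tmp"
}

# Check 3: read a rotated, possibly compressed pacman.log by extension so
# older logs can be piped into log_hits_in_window unchanged.
read_log() {
  case "$1" in
    *.gz)  gzip -dc "$1" ;;
    *.xz)  xz -dc "$1" ;;
    *.zst) zstd -dc "$1" ;;
    *.bz2) bzip2 -dc "$1" ;;
    *)     cat "$1" ;;
  esac
}

# Check 4: the one check that needs no name list. Grep PKGBUILD and
# .install text for the injected commands the README names.
scan_build_file() {
  printf '%s\n' "$1" | grep -nE \
    'npm[[:space:]]+install[[:space:]]+atomic-lockfile|bun[[:space:]]+install[[:space:]]+js-digest|lockfile-js' \
    || true
}

echo "== installed packages on the compromised list =="
installed_compromised "$INSTALLED" "$COMPROMISED_LIST"
echo "== log entries in the Jun 9-12 window =="
log_hits_in_window "$PACMAN_LOG" 2026-06-09 2026-06-12 "$COMPROMISED_LIST"
echo "== suspicious lines in the constructed PKGBUILD =="
scan_build_file "$PKGBUILD_BAD"
```

The first three checks only find packages whose names are already on the list, and the date window deliberately drops installs outside Jun 9-12 (which is why the README offers --all-time). The PKGBUILD grep is the only check that generalizes to a package the list does not yet know about, so run it against every foreign package's cached PKGBUILD and .install files, not just the listed ones.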
The roast
You've essentially compiled a bunch of community Gists into one place and called it a product. This does not solve the root problem, which is the need for a robust, proactive malware detection system for AUR. The scale and severity of the atomic-lockfile attack demand more than just a 'quick start' guide and a script repository.
Your idea lacks any real differentiation or technical innovation. The Arch Linux community can already access these scripts, and your 'product' fails to offer a compelling reason for them to switch from their existing setups. A product-led growth strategy requires more than just aggregating existing resources.
Additionally, your target market is too niche. AUR users are a small subset of the overall Linux user base, let alone the broader consumer market. The lack of funding and the solo team further compound the issue, making execution highly implausible.
Red flags
- Consolidation does not equal innovation
- Niche target market: AUR users only
- Lack of funding and solo team
Verdict
This project lacks both innovation and market potential; it’s a collection of scripts masquerading as a product.