Detection Codes

Every code below comes from the scanner's authoritative catalog: a single, unique index that the project's audit enforces. Run `aur-scan codes` locally to list them, or `aur-scan explain <CODE>` for the full detail of one code. Add your own in Custom Rules.

118 codes across 13 categories. Generated from the catalog; do not edit by hand.

CRITICAL severity

| Code | Name | Category | Detector | CWE |
|---|---|---|---|---|
| ATOMIC-001 | Atomic Arch malicious npm/bun package | Malicious Code | rules | CWE-506 |
| ATOMIC-002 | Node/Bun package manager in install hook | Malicious Code | rules | CWE-494 |
| ATOMIC-003 | eBPF rootkit / payload artifact | Persistence | rules | CWE-506 |
| BROWSER-001 | Browser profile access | Credential Theft | rules | CWE-522 |
| BROWSER-002 | Browser database access | Credential Theft | rules | CWE-522 |
| CRED-001 | SSH key access | Credential Theft | rules | CWE-522 |
| CRED-002 | GPG key access | Credential Theft | rules | CWE-522 |
| CRED-003 | Password file access | Credential Theft | rules | CWE-522 |
| CRED-005 | Keyring / wallet access | Credential Theft | rules | CWE-522 |
| CRYPTO-001 | Mining pool connection | Cryptomining | rules | CWE-506 |
| CRYPTO-002 | Cryptominer binary | Cryptomining | rules | CWE-506 |
| CRYPTO-003 | Monero/Bitcoin wallet address | Cryptomining | rules | CWE-506 |
| DEEP-001 | Decode-and-execute flow | Obfuscation | deep | CWE-506 |
| DLE-001 | Curl pipe to shell | Command Injection | rules | CWE-94 |
| DLE-002 | Wget pipe to shell | Command Injection | rules | CWE-94 |
| DLE-003 | Curl output executed | Command Injection | rules | CWE-94 |
| ENV-001 | LD_PRELOAD manipulation | Malicious Code | rules | CWE-426 |
| ENV-003 | Bashrc/profile modification | Persistence | rules | CWE-506 |
| EXEC-002 | Shell -c command substitution fetch | Malicious Code | rules | CWE-494 |
| EXEC-REMOTE | Fetches and runs external code | Malicious Code | remote_exec | CWE-494 |
| EXFIL-001 | Curl POST data exfiltration | Data Exfiltration | rules | CWE-200 |
| EXFIL-002 | Netcat data transfer | Data Exfiltration | rules | CWE-200 |
| EXFIL-003 | Discord/Telegram webhook | Data Exfiltration | rules | CWE-506 |
| EXFIL-004 | DNS exfiltration | Data Exfiltration | rules | CWE-200 |
| EXFIL-008 | Slack/Teams webhook exfiltration | Data Exfiltration | rules | CWE-200 |
| INSTALL-001 | Python execution in install script | Malicious Code | rules | CWE-94 |
| INSTALL-003 | Network access in install script | Network Security | rules | CWE-494 |
| INSTALL-004 | Language package manager invoked in install hook | Malicious Code | rules | CWE-494 |
| IOC-001 | Known indicator-of-compromise match | Malicious Code | ioc | CWE-506 |
| PASTE-001 | Pastebin download | Malicious Code | rules | CWE-506 |
| PERSIST-001 | Systemd service creation in install | Persistence | rules | CWE-506 |
| PERSIST-002 | Systemd timer creation | Persistence | rules | CWE-506 |
| PERSIST-004 | rc.local modification | Persistence | rules | CWE-506 |
| PERSIST-006 | Systemd masquerading | Persistence | rules | CWE-506 |
| PRIV-001 | Sudo usage in a build function | Privilege Escalation | privilege | CWE-250 |
| PRIV-002 | SUID/SGID bit set in a function | Privilege Escalation | privilege | CWE-732 |
| PRIV-003 | Sudoers modification | Privilege Escalation | privilege | CWE-250 |
| PRIV-007 | Privileged account manipulation | Privilege Escalation | rules | CWE-269 |
| PRIV-008 | Password manipulation | Privilege Escalation | rules | CWE-269 |
| SHELL-001 | Bash reverse shell | Malicious Code | rules | CWE-506 |
| SHELL-002 | Netcat reverse shell | Malicious Code | rules | CWE-506 |
| SHELL-003 | Python reverse shell | Malicious Code | rules | CWE-506 |
| SHELL-004 | Socat shell | Malicious Code | rules | CWE-506 |
| SHELL-005 | Perl reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-006 | PHP reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-007 | Ruby/Lua/AWK reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-008 | Node.js reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-009 | OpenSSL-encrypted reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-010 | Named-pipe (mkfifo) reverse shell | Malicious Code | rules | CWE-94 |
| SHELL-011 | Busybox/telnet/ncat-ssl shell | Malicious Code | rules | CWE-94 |
| TAMPER-001 | Auth database write | Privilege Escalation | rules | CWE-269 |
| TAMPER-002 | doas/sudoers nopasswd grant | Privilege Escalation | rules | CWE-269 |
| TAMPER-005 | PAM tampering | Privilege Escalation | rules | CWE-287 |
| TAMPER-011 | pacman signature downgrade | Malicious Code | rules | CWE-347 |
| TI-URLHAUS-001 | URLhaus lists a source URL | Malicious Code | threat_intel | CWE-494 |
| TI-VT-001 | VirusTotal flags a source artifact | Malicious Code | threat_intel | CWE-506 |

HIGH severity

| Code | Name | Category | Detector | CWE |
|---|---|---|---|---|
| CHK-001 | No checksums for sources | Cryptography | checksum | CWE-354 |
| CHK-005 | All non-VCS sources use SKIP | Cryptography | checksum | CWE-354 |
| CHK-006 | Checksum count mismatch | Configuration | checksum | - |
| CRED-004 | Cloud / CI credential file access | Credential Theft | rules | CWE-522 |
| CRED-008 | Environment/secret dump | Credential Theft | rules | CWE-522 |
| DEEP-002 | Large embedded encoded blob | Obfuscation | deep | CWE-506 |
| DEP-001 | Provides a core package name (dependency confusion) | Suspicious Metadata | metadata | CWE-427 |
| DEP-003 | Package index/registry override | Dependencies | rules | CWE-494 |
| ENV-002 | PATH manipulation | Malicious Code | rules | CWE-426 |
| EXEC-006 | sqlite3 shell-command execution | Malicious Code | rules | CWE-94 |
| EXEC-007 | make reads a Makefile from stdin | Command Injection | rules | CWE-94 |
| EXFIL-006 | HTTP upload exfiltration | Data Exfiltration | rules | CWE-200 |
| EXFIL-007 | wget POST exfiltration | Data Exfiltration | rules | CWE-200 |
| EXFIL-009 | Anonymous file-drop / tunnel host | Data Exfiltration | rules | CWE-200 |
| FUNC-001 | Network access in a build function | Network Security | pattern | - |
| HIDDEN-001 | Hidden file creation in home | Malicious Code | rules | - |
| HIDDEN-002 | Tmp directory execution | Malicious Code | rules | - |
| HIDDEN-003 | Binary in non-standard location | Malicious Code | rules | - |
| INSTALL-002 | Binary execution in install script | Malicious Code | rules | CWE-94 |
| META-003 | Replaces/conflicts a core or security package | Suspicious Metadata | metadata | CWE-1357 |
| OBF-001 | Base64 decoding | Obfuscation | rules | CWE-506 |
| OBF-002 | Eval usage | Command Injection | rules | CWE-95 |
| OBF-003 | Hex-encoded payload | Obfuscation | rules | CWE-506 |
| OBF-005 | Gzip decode execution | Obfuscation | rules | CWE-94 |
| OBF-006 | Quote-splitting / character obfuscation | Obfuscation | rules | CWE-506 |
| OBF-007 | printf character assembly | Obfuscation | rules | CWE-506 |
| OBF-008 | Alternate-encoding decode | Obfuscation | rules | CWE-506 |
| OBF-011 | Interpreter here-string execution | Obfuscation | rules | CWE-94 |
| PERSIST-003 | Cron job creation | Persistence | rules | - |
| PERSIST-005 | XDG autostart creation | Persistence | rules | - |
| PRIV-005 | Kernel module operations | Privilege Escalation | privilege | - |
| PRIV-006 | Sudo in an install hook | Privilege Escalation | privilege | CWE-250 |
| PROV-001 | Package gained risky behavior | Suspicious Metadata | provenance | CWE-506 |
| SRC-002 | Suspicious source domain | Network Security | source | - |
| SRC-003 | Raw IP address in source URL | Network Security | source | - |
| SRC-004 | URL shortener in source | Network Security | source | - |
| SRC-009 | Obfuscated IP in URL | Network Security | rules | CWE-94 |
| TAMPER-013 | Security control disabled | Malicious Code | rules | CWE-693 |
| TAMPER-017 | CA trust anchor injection | Malicious Code | rules | CWE-295 |
| TRUST-001 | pacman keyring poisoning | Malicious Code | rules | CWE-494 |
| URL-001 | Raw IP in URL | Network Security | rules | - |
| URL-002 | URL shortener | Network Security | rules | - |
| URL-003 | Dynamic DNS domain | Network Security | rules | - |

MEDIUM severity

| Code | Name | Category | Detector | CWE |
|---|---|---|---|---|
| CHK-002 | MD5 checksums used | Cryptography | checksum | CWE-328 |
| CHK-003 | SHA1 checksums used | Cryptography | checksum | CWE-328 |
| CHK-004 | Some sources use SKIP checksum | Cryptography | checksum | CWE-354 |
| CHK-008 | Malformed or wrong-length checksum | Cryptography | checksum | CWE-354 |
| EXEC-005 | Detached background execution | Malicious Code | rules | CWE-506 |
| META-005 | install= points outside the package | Suspicious Metadata | metadata | CWE-426 |
| META-006 | backup= of a security-sensitive file | Suspicious Metadata | metadata | CWE-426 |
| OBF-004 | String concatenation obfuscation | Obfuscation | rules | - |
| PRIV-004 | Capabilities being set | Privilege Escalation | privilege | CWE-250 |
| SRC-001 | Insecure source/transport protocol | Network Security | source | CWE-319 |
| SRC-005 | No sources with a build function | Configuration | source | - |
| TRUST-002 | GPG key import at build time | Malicious Code | rules | CWE-494 |

LOW severity

| Code | Name | Category | Detector | CWE |
|---|---|---|---|---|
| META-001 | Provides impersonation | Suspicious Metadata | rules | - |
| META-002 | validpgpkeys declared but no signature verified | Suspicious Metadata | metadata | CWE-347 |
| META-004 | epoch set (forces upgrade over the repo version) | Suspicious Metadata | metadata | - |
| SRC-006 | VCS source from non-standard host | Network Security | source | - |
| SRC-007 | VCS source not pinned to a commit | Network Security | source | CWE-494 |
| SRC-008 | Source host differs from upstream url host | Network Security | source | - |
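
The checksum (CHK-*) and source-URL (SRC-*) rows in the HIGH, MEDIUM and LOW tables name what each check looks for but not how a decision is reached on a real PKGBUILD. The script below is an added example, not aur-scan's own detector code: it re-implements a handful of those checks (CHK-001, CHK-002, CHK-003, CHK-004, CHK-005, CHK-006, CHK-008, SRC-001, SRC-003, SRC-007) over a constructed PKGBUILD using makepkg's documented semantics, namely `source=()` entries with an optional `name::` prefix, per-algorithm checksum arrays, `SKIP` entries, and VCS `#commit=` fragments. The digest lengths, the choice of `http`/`ftp` as insecure schemes, the treatment of only `#commit=` as a pin, and the minimal `name=( ... )` array parser are assumptions of this example; the real scanner's matching rules may differ.

```python
"""Illustrative re-implementation of a few CHK-* and SRC-* checks over a
constructed PKGBUILD.  Added example code, not aur-scan's own detector; the
thresholds and parsing rules below are assumptions, not the project's."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hex-digest length of each makepkg checksum array (makepkg semantics).
DIGEST_LEN = {"md5sums": 32, "sha1sums": 40, "sha224sums": 56, "sha256sums": 64,
              "sha384sums": 96, "sha512sums": 128, "b2sums": 128}
# Assumption: the weak-hash codes refer to these two arrays.
WEAK_ARRAYS = {"md5sums": ("CHK-002", "MD5 checksums used"),
               "sha1sums": ("CHK-003", "SHA1 checksums used")}
VCS_SCHEMES = {"git", "hg", "svn", "bzr", "fossil"}

ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)
COMMENT_RE = re.compile(r"(?<!\S)#[^\n]*")   # '#' starts a comment only at a word start


def parse_arrays(pkgbuild: str) -> dict[str, list[str]]:
    """Return {array_name: [items]} for every name=( ... ) array; quotes and comments stripped.
    Minimal parser for well-formed arrays, not a bash parser."""
    arrays = {}
    for name, body in ARRAY_RE.findall(pkgbuild):
        arrays[name] = [item.strip("'\"") for item in COMMENT_RE.sub("", body).split()]
    return arrays


def source_url(entry: str) -> str:
    """Drop the optional 'filename::' prefix of a source entry (makepkg syntax)."""
    name, sep, rest = entry.partition("::")
    return rest if sep and "/" not in name else entry   # '/' guards IPv6 literals


def is_vcs(url: str) -> bool:
    return urlsplit(url).scheme.split("+")[0] in VCS_SCHEMES


def scan(pkgbuild: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for the checksum and source-URL checks."""
    arrays = parse_arrays(pkgbuild)
    sources = [source_url(s) for s in arrays.get("source", [])]
    sums = {k: v for k, v in arrays.items() if k in DIGEST_LEN}
    findings = []

    if sources and not sums:
        findings.append(("CHK-001", "No checksums for sources"))
    for name, values in sums.items():
        if name in WEAK_ARRAYS:
            findings.append(WEAK_ARRAYS[name])
        if len(values) != len(sources):
            findings.append(("CHK-006", f"{name}: {len(values)} entries for {len(sources)} sources"))
        # SKIP is legitimate for VCS sources, so only non-VCS entries are judged.
        non_vcs = [(url, val) for url, val in zip(sources, values) if not is_vcs(url)]
        skipped = [url for url, val in non_vcs if val == "SKIP"]
        if non_vcs and len(skipped) == len(non_vcs):
            findings.append(("CHK-005", "All non-VCS sources use SKIP"))
        elif skipped:
            findings.append(("CHK-004", "Some sources use SKIP checksum: " + ", ".join(skipped)))
        hex_re = re.compile(r"[0-9a-fA-F]{%d}" % DIGEST_LEN[name])
        for val in values:
            if val != "SKIP" and not hex_re.fullmatch(val):
                findings.append(("CHK-008", f"Malformed or wrong-length {name} entry: {val}"))

    for url in sources:
        parts = urlsplit(url)
        if parts.scheme in ("http", "ftp") or parts.scheme.endswith("+http"):
            findings.append(("SRC-001", f"Insecure source/transport protocol: {url}"))
        try:
            ipaddress.ip_address(parts.hostname or "")
            findings.append(("SRC-003", f"Raw IP address in source URL: {url}"))
        except ValueError:
            pass   # hostname is a name (or absent), not an IP literal
        # Assumption: only a '#commit=' fragment counts as a pin; branches and tags can move.
        if is_vcs(url) and not parts.fragment.startswith("commit="):
            findings.append(("SRC-007", f"VCS source not pinned to a commit: {url}"))
    return findings


def codes(pkgbuild: str) -> set[str]:
    return {code for code, _ in scan(pkgbuild)}


# Constructed sample that deliberately trips several checks; not a real package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.org/example-tool-1.2.3.tar.gz"
        "http://203.0.113.5/helper.patch"
        "example-tool::git+https://example.org/example-tool.git#branch=main"
        # shipped next to the PKGBUILD
        "local-fix.patch")
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP'
         'SKIP'
         'abc')

build() {
  cd "$pkgname-$pkgver"
  make
}
"""

if __name__ == "__main__":
    for code, detail in scan(SAMPLE_PKGBUILD):
        print(f"{code}: {detail}")
```

Run as a script it prints one finding per line for the sample: the weak `md5sums` array, the partial `SKIP`, the three-character "digest", the plaintext `http://` fetch from a raw IP, and the `#branch=` checkout that no commit pins. The scanner's real detectors are the `checksum` and `source` entries in the Detector column; `aur-scan explain CHK-005` and friends are the authoritative description of what each one actually tests.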

INFO severity

| Code | Name | Category | Detector | CWE |
|---|---|---|---|---|
| EXAMPLE-001 | Example: references example.com | Configuration | user | - |