diff --git a/runbooks/atomic-rootkit-scan/check-bun.py b/runbooks/atomic-rootkit-scan/check-bun.py
new file mode 100644
index 0000000..cc90a14
--- /dev/null
+++ b/runbooks/atomic-rootkit-scan/check-bun.py
@@ -0,0 +1,24 @@
+from pathlib import Path
+from requests import get
+
+def remote_pkg_list():
+    pkgs = get('https://raw.githubusercontent.com/lenucksi/aur-malware-check/refs/heads/master/malicious_npm_packages.txt')
+    ret = set()
+    for line in pkgs.content.decode():
+        if line.startswith('#'):
+            continue
+        ret.add(line)
+    return ret
+
+def local_pkgs():
+    return set([e for e in Path(f'{Path.home()}/.bun/install/cache/').iterdir()])
+
+if __name__ == '__main__':
+    remote_pkgs = remote_pkg_list()
+    for pkg in local_pkgs():
+        if pkg in remote_pkgs:
+            print(f'COMPROMISED - {pkg}')
+        else:
+            print(f'CLEAN - {pkg}')
+        
+