From b3bdf03f2500140774157aab2598b50e37a012cf Mon Sep 17 00:00:00 2001
From: shockrah <dev@shockrah.xyz>
Date: Tue, 16 Jun 2026 23:08:55 -0700
Subject: [PATCH] Another janky check bun script

---
 runbooks/atomic-rootkit-scan/check-bun.py | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 runbooks/atomic-rootkit-scan/check-bun.py

diff --git a/runbooks/atomic-rootkit-scan/check-bun.py b/runbooks/atomic-rootkit-scan/check-bun.py
new file mode 100644
index 0000000..cc90a14
--- /dev/null
+++ b/runbooks/atomic-rootkit-scan/check-bun.py
@@ -0,0 +1,24 @@
+from pathlib import Path
+from requests import get
+
+def remote_pkg_list():
+    pkgs = get('https://raw.githubusercontent.com/lenucksi/aur-malware-check/refs/heads/master/malicious_npm_packages.txt')
+    ret = set()
+    for line in pkgs.content.decode():
+        if line.startswith('#'):
+            continue
+        ret.add(line)
+    return ret
+
+def local_pkgs():
+    return set([e for e in Path(f'{Path.home()}/.bun/install/cache/').iterdir()])
+
+if __name__ == '__main__':
+    remote_pkgs = remote_pkg_list()
+    for pkg in local_pkgs():
+        if pkg in remote_pkgs:
+            print(f'COMPROMISED - {pkg}')
+        else:
+            print(f'CLEAN - {pkg}')
+        
+