it checks for patterns derived from real AUR malware incidents:
CHAOS RAT (2025) — browser impersonation packages, RAT distribution
Google Chrome RAT (2025) — .install script, Python download+execute
Acroread (2018) — orphan takeover, curl from paste service, systemd persistence
it checks for patterns derived from real AUR malware incidents: