Spoofed AUR maintainer spreads rootkit to 400 packages

Spoofed AUR – More than 400 Arch User Repository packages have been linked to a Linux rootkit and infostealer campaign that targets developer credentials and access tokens. Researchers say a spoofed maintainer pushed infected packages by masquerading as a trusted publisher.
A routine update in Arch Linux can become a quiet handoff to malware—especially when it comes from the Arch User Repository, a place built for fast-moving software and community-maintained package scripts.
The alarm now centers on more than 400 AUR packages distributing a Linux rootkit and an infostealer that targets credentials and access tokens. The threat was flagged by the open-source intelligence community Independent Federated Intelligence Network (IFIN), which says a new maintainer was spoofing a trusted publisher on the AUR platform to push infected packages.
Arch Linux is widely used by power users and developers, and the AUR plays a central role in how that community gets the latest software. It’s where users find package build scripts—PKGBUILDs—that include instructions for downloading, compiling, and installing software not available in Arch’s official repositories.
The AUR is also essential for many kinds of everyday needs: proprietary applications, beta or nightly versions of open-source software, niche utilities, and older package versions that may still have functionality after later releases removed it. But it’s not vetted in the same way an official repository is. That leaves room for threat actors to abuse the model—pushing malware through packages that change ownership without triggering obvious alarms.
IFIN’s write-up points to a specific mechanism. The compromised packages, it says, are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.
Independent security researcher Whanos describes what was found inside atomic-lockfile. One sample included a Linux ELF payload named deps, described as a “credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities.”
Whanos adds that the malware is designed for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, HashiCorp Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets.
When the eBPF component is loaded, which requires root, the malware runs code inside the kernel with elevated privileges and can hide its local processes.
Sonatype also published its own account of an AUR-focused campaign delivering the malicious atomic-lockfile npm package, but it says the actor used a different method. Sonatype researchers say the attacker hijacked at least 20 orphaned packages on AUR and pushed atomic-lockfile by modifying the PKGBUILD file.
In Sonatype’s version of the chain, the attacker added a post-install script that invokes npm and installs atomic-lockfile during package installation. The analysis then showed that the npm package installed a Linux executable tied to eBPF rootkit functionality that could hide processes, files, and network interfaces.
Sonatype also reports that the Linux binary indicates infostealer behavior against multiple types of sensitive information, including GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, Slack data, Discord data, Microsoft Teams data, and Telegram data.
It found additional signs that match a typical exfiltration pipeline: the binary can archive data, handle multi-part files, and perform HTTP uploads.
While investigators piece together the scope, AUR maintainers are working to identify and remove all malicious commits and to ban the accounts pushing them.
Arch Linux package maintainer Jonathan Grotelüschen urged users to report any malicious package they find. In the same message, he reinforced a broader reality Arch users already know: it’s recommended to only trust projects with frequent updates and an active community around them.
For now, the practical steps are urgent. Arch users are advised to review the list of affected packages and look for the indicators of compromise provided in the report from Whanos. Michael Taggart also pointed to a script that checks for the atomic-lockfile malware on the system.
If compromised packages are found, users should rotate all credentials and consider reinstalling Arch from scratch, because a rootkit may survive normal cleaning efforts.
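The install-hook mechanism the IFIN and Sonatype write-ups describe, and the local check mentioned above, lend themselves to a simple defensive scan. The script below is an added example, not code from IFIN, Whanos, Sonatype, Michael Taggart or the Arch project: it flags PKGBUILD or .install files whose hooks call a package manager at install time or mention atomic-lockfile, and lists installed copies of that npm package. The regexes and the sample hook it scans are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from IFIN, Whanos, Sonatype or Arch Linux): heuristic scan of AUR
# PKGBUILD / .install files for install hooks that pull code from a registry, plus a
# filesystem check for the atomic-lockfile npm package named in the reports.

# Print each suspicious line of FILE; return 0 if anything was flagged, 1 if clean.
scan_aur_file() {
    file="$1"; flagged=1
    # (a) a package manager run from a hook. Legitimate PKGBUILDs fetch through
    #     source=() with checksums, not unpinned registry installs at install time.
    #     '^[^#]*' skips lines that are entirely comments.
    if grep -nE '^[^#]*(npm|npx|yarn|pnpm|pip3?)[[:space:]]+(install|i|add|ci|exec)([[:space:]]|$)' "$file"; then
        echo "  -> package manager invoked from a build/install hook"
        flagged=0
    fi
    # (b) the package name reported in this campaign, anywhere in the file.
    if grep -niE 'atomic[-_]lockfile' "$file"; then
        echo "  -> references atomic-lockfile"
        flagged=0
    fi
    # (c) remote content piped straight into a shell.
    if grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file"; then
        echo "  -> downloaded content piped into a shell"
        flagged=0
    fi
    return $flagged
}

# List installed copies of the named npm package under ROOT (default: whole system).
find_atomic_lockfile() {
    find "${1:-/}" -xdev -type d -name atomic-lockfile -path '*node_modules*' 2>/dev/null
}

# Constructed sample: an install hook of the kind the reports describe, written to a
# temp dir so the script runs offline. Real use: scan_aur_file on a fetched PKGBUILD.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/example.install" <<'EOF'
post_install() {
  npm install -g atomic-lockfile >/dev/null 2>&1 || true
}
EOF
mkdir -p "$SAMPLE_DIR/node_modules/atomic-lockfile"

scan_aur_file "$SAMPLE_DIR/example.install"
find_atomic_lockfile "$SAMPLE_DIR"
```

Run `find_atomic_lockfile` as root against `/` to cover system-wide npm prefixes as well as per-user trees; a hit means the host should be treated as compromised rather than cleaned in place.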
Wait so is this like when they spoof the update notification? Because I thought AUR was “community only” not “official,” so how would a rootkit even get in there?
Sounds like npm is getting blamed again lol. Like “atomic-lockfile”?? I don’t even know what that is but if it targets access tokens then yeah that’s scary. Makes me want to delete AUR forever.
If it was a spoofed maintainer, can’t Arch just auto-block anything after a package’s ownership changes? I mean 400 packages sounds huge but also kind of not surprising with how fast people push PKGBUILDs. I saw something similar where a “routine update” was just shady scripts in the background.
So basically your Linux box just quietly downloads a malicious npm thing and then steals your credentials? Love that for us. Also the article keeps saying root-only eBPF but I’m like… what does that even mean in regular person terms? If it’s targeting tokens, wouldn’t every dev already know to rotate them or something? Anyway Arch users gonna be on high alert now.