Preliminary Analysis of AUR Malware

thewebguyd1


Malware Analysis Report: deps
Report date: 2026-06-11
VT Link
Triage Link

Note: The following report was very hastily written by Codex.
(I have fact-checked it against the IDA decompilation though 🐉)

Scope and Handling

This report summarizes static reverse engineering of the Linux ELF malware sample named deps and static review of the recovered npm package source associated with the incident. The sample and package were treated as malicious throughout handling.

No dynamic execution of the ELF, npm package, lifecycle scripts, or package code was performed.

The binary is stripped and implemented with Rust-style async state machines. Function names in this report are analyst-assigned names based on decompiled behavior.

Incident Background

This sample was recovered from a supply-chain compromise involving an Arch User Repository (AUR) package build flow. In the reported intrusion path, the attacker modified AUR build steps so that the build process downloaded and installed a malicious npm package. That package masqueraded as atomic-lockfile version 1.4.2 and included the Linux ELF payload at src/hooks/deps.

Editor's Note: It turns out many more AUR packages were attacked today in the same way. It is very likely the same threat actor is responsible, with the same deployed malware.

The malicious npm package used a preinstall lifecycle hook to execute the ELF automatically during npm installation. This means a developer workstation, maintainer machine, or CI/build host could execute the malware as a side effect of building or installing the compromised AUR package.

Executive Summary

deps is a Linux credential stealer with optional root-only eBPF rootkit capabilities. It is designed for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets.

The recovered supply-chain package identifies itself as atomic-lockfile version 1.4.2. It contains a malicious npm lifecycle entry:

"preinstall": "./src/hooks/deps"

That lifecycle script executes the ELF directly during npm installation when lifecycle scripts are enabled. The ELF in the package source is byte-identical to the analyzed sample.

The attacker-controlled C2 endpoint was recovered from the ELF. It is not supplied by the npm package, command-line arguments, or a JavaScript wrapper. The binary decodes this onion service at runtime:

olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion

The command/result callback is POST /api/agent, sent through a local loopback/SOCKS-style transport. The local 127.0.0.1 traffic is an intermediate transport layer, not the attacker endpoint. When eBPF is available, the malware can hide local process and socket artifacts used by that transport.

File content is uploaded to temp.sh with POST /upload. The temp.sh upload destination is a storage/upload service, not the actor C2 by itself. The recovered onion /api/agent channel is the best static explanation for how upload IDs, status, tasking, and other result metadata are returned to the operator.

Sample Metadata

File name: deps
File size: 3,040,376 bytes
File type: Linux ELF64, x86-64, PIE, dynamically linked
ELF type: ET_DYN
Entry point: 0xeae00
SHA-256: 6144D433F8A0316869877B5F834C801251BBB936E5F1577C5680878C7443C98B
MD5: 42B59FDBE1B72895B2951412222EBF40

The same SHA-256 applies to both analyzed files:

deps
atomic-lockfile/package/src/hooks/deps

Supply-Chain Delivery

The recovered package source appears to be a mostly legitimate TypeScript npm package with a malicious ELF inserted into the source tree and wired into npm lifecycle execution.

Package identity:

Package name: atomic-lockfile
Package version: 1.4.2
Main entry: ./dist/cjs/index.cjs
ESM entry: ./dist/esm/index.js
CLI bin: atomic-lockfile -> ./dist/esm/cli/index.js
Malicious lifecycle script: preinstall: ./src/hooks/deps
Payload path: src/hooks/deps

Expected launch flow:

AUR/build process fetches or installs npm package
-> npm reads package.json
-> npm lifecycle reaches preinstall
-> executes ./src/hooks/deps
-> Linux ELF malware starts

Static review of the package source outside the ELF found no JavaScript wrapper, no additional C2 configuration, no command-line arguments passed to the ELF, and no package-layer references to temp.sh, /api/agent, Discord webhooks, or a public C2 domain/IP.

Conclusion: the malicious npm package provides the execution vector. The C2 endpoint is encoded inside the ELF itself.

High-Level Capabilities

- Installs persistence using root or per-user systemd service units.
- Enforces a single active instance using flock().
- Redirects standard input/output/error to /dev/null.
- Ignores SIGPIPE.
- Reads /proc/self/exe to locate and copy/install its current executable.
- Uses Rust async runtime logic to run collectors and transport tasks.
- Enumerates Chromium-family...
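As an added, defender-side illustration (not code from this post, from Codex, or from the atomic-lockfile project): a small Python check for the delivery pattern described above, where an auto-run npm lifecycle hook points at a native binary shipped inside the package. It parses package.json, resolves the files each preinstall/install/postinstall/prepare script names, tests them for the ELF magic and compares their SHA-256 against a known-bad list. The sample manifest and files are constructed stand-ins; the only value taken from the report is the SHA-256 of the deps payload.

```python
"""Flag npm lifecycle hooks that launch a native binary bundled in the package.

Added example for this post, not the report's or the project's own code. The
sample manifest/files below are constructed; only KNOWN_BAD_SHA256 is quoted
from the report.
"""
import hashlib
import json
import os
import tempfile

# Hooks npm runs with no user action beyond `npm install`.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# SHA-256 of the `deps` payload as quoted in the report (lower-cased).
KNOWN_BAD_SHA256 = {
    "6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b",
}

ELF_MAGIC = b"\x7fELF"


def script_targets(script, files):
    """Yield (normalized_path, direct_exec) for each whitespace-separated token
    of a lifecycle script that names a file present in the package tree.
    direct_exec is True when the token is run as a path (./ or ../ prefix)
    rather than handed to an interpreter such as `node`."""
    for tok in script.split():
        rel = os.path.normpath(tok)
        if rel in files:
            yield rel, tok.startswith(("./", "../"))


def scan_manifest(manifest, files):
    """Pure check over an in-memory package: manifest is the parsed
    package.json, files maps relative path -> bytes. One finding per file an
    auto-run hook references."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in AUTO_RUN_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        for rel, direct in script_targets(script, files):
            data = files[rel]
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "hook": hook, "script": script, "target": rel,
                "direct_exec": direct, "elf": data.startswith(ELF_MAGIC),
                "sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256,
            })
    return findings


def classify(finding):
    """Known-bad hash -> critical; any ELF run from an auto-run hook -> high;
    other referenced files (e.g. a JS helper) -> info, review by hand."""
    if finding["known_bad"]:
        return "critical"
    if finding["elf"]:
        return "high"
    return "info"


def scan_package_dir(root):
    """Filesystem wrapper: load package.json and every file under root."""
    with open(os.path.join(root, "package.json"), "rb") as fh:
        manifest = json.load(fh)
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.normpath(os.path.relpath(full, root))] = fh.read()
    return scan_manifest(manifest, files)


# Constructed sample mirroring the reported layout; the payload is a 16-byte
# stand-in ELF header, not the real binary.
SAMPLE_MANIFEST = {
    "name": "atomic-lockfile", "version": "1.4.2", "main": "./dist/cjs/index.cjs",
    "scripts": {"preinstall": "./src/hooks/deps", "build": "tsc -p tsconfig.json"},
}
SAMPLE_FILES = {
    os.path.join("src", "hooks", "deps"): ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"stand-in",
    os.path.join("dist", "cjs", "index.cjs"): b"module.exports = {};\n",
}


def write_sample(root):
    """Materialize the constructed sample so scan_package_dir can be exercised."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump(SAMPLE_MANIFEST, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for f in scan_package_dir(tmp):
            print(classify(f).upper(), f["hook"], "->", f["target"], f["sha256"][:16])
```

Point scan_package_dir at an extracted tarball or a node_modules entry before building. The check only sees files a hook names directly; a JavaScript helper that spawns the binary later shows up as "info" and still needs a manual look, so pair it with installing under npm's --ignore-scripts flag when reviewing untrusted packages.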

