AUR Packages Compromised with Infostealer and Rootkit


Threat Intel - IFIN

ebpf, rootkit, linux, supplychain

mttaggart (Taggart)

June 12, 2026, 4:35am

Last Updated: 2026-06-12T04:22:42Z

What’s Happening

It appears a new AUR package maintainer (arojas) adopted and infected 408+ packages. The compromise was reported and other AUR maintainers have been working to remove the infected packages.

AUR REPORT THREAD - Aur-general - lists.archlinux.org

The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload.

Here’s an example of the change:

updpkg - aur.git - AUR Package Repositories

This blog has a deep dive into the attack.

Preliminary analysis of AUR malware (Malware Analysis Report: deps, report date 2026-06-11). The report's author notes: "The following report was very hastily written by Codex. (I have fact-checked it against the IDA decompilation though 🐉)"

Actions

If you don’t use Arch (btw), you’re fine.

Arch users: review the list of affected packages and use this script to check your exposure: aur_check.sh · GitHub

Review the Ioctl blog for the indicators of compromise and, if any are found, preserve the system for forensic investigation as appropriate.

If packages are found, follow normal compromise procedures. Rotate all credentials and consider reinstalling Arch. The possibility of a rootkit removes the possibility of system trust.
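As an added example (not the linked aur_check.sh script and not part of the original post), the two checks above in POSIX shell: intersecting the foreign packages that `pacman -Qm` reports (packages not from a sync repo, which is where AUR builds land) with a list of affected package names, and grepping cached PKGBUILD / .install files for the npm install of atomic-lockfile the post describes. The package names in the sample data are constructed placeholders, not the real affected list, and the AUR helper cache path is an assumption that depends on which helper you use.

```shell
#!/bin/sh
# Added example, not the aur_check.sh linked in the post. Two checks for AUR exposure:
#  (1) find_exposed: intersect `pacman -Qm` output with an affected-package list
#  (2) scan_build_dirs: flag cached PKGBUILD / *.install files naming atomic-lockfile
# All package names in the sample data below are CONSTRUCTED placeholders.

# find_exposed: reads "name version" lines (pacman -Qm format) on stdin and prints
# the names present in the affected-list file $1 (one package name per line).
find_exposed() {
    cut -d' ' -f1 | grep -Fxf "$1" || true   # -F literal, -x whole-line match
}

# scan_build_dirs: lists PKGBUILD and *.install files under $1 that mention the
# malicious npm package by name. The post says the injected preinstall scripts
# use npm to install atomic-lockfile, so the package name is the indicator.
# Where clones live is helper-specific (assumed: ~/.cache/yay or ~/.cache/paru).
scan_build_dirs() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -l 'atomic-lockfile' {} + 2>/dev/null || true
}

# demo: exercises both checks on constructed data in a temp dir, so the logic can
# be tried on a non-Arch machine. Prints matched names and flagged file paths.
demo() {
    tmp=$(mktemp -d)
    # Constructed affected list (placeholder names, not the real report).
    printf '%s\n' example-tool-git example-lib example-theme > "$tmp/affected.txt"
    # Constructed pacman -Qm output: three foreign packages, two of them affected.
    printf '%s\n' 'example-lib 1.2.3-1' 'unrelated-pkg 0.9-2' 'example-tool-git r12.abc-1' \
        | find_exposed "$tmp/affected.txt"
    # Constructed build cache: one clean PKGBUILD, one .install carrying the indicator.
    mkdir -p "$tmp/cache/clean" "$tmp/cache/bad"
    printf 'pkgname=clean\nbuild() { make; }\n' > "$tmp/cache/clean/PKGBUILD"
    printf 'pre_install() {\n  npm install atomic-lockfile\n}\n' > "$tmp/cache/bad/bad.install"
    scan_build_dirs "$tmp/cache" | sed "s#^$tmp/##"
    rm -rf "$tmp"
}

# Live use on an Arch system:  ./aur_exposure.sh --live affected.txt ~/.cache/yay
# Any hit means: preserve the box for forensics, rotate credentials, assume no trust.
if [ "${1:-}" = "--live" ]; then
    pacman -Qm | find_exposed "$2"
    scan_build_dirs "$3"
else
    demo
fi
```

Treat a hit from either check as a confirmed-exposure signal rather than proof of cleanliness in its absence: the affected list is still being compiled, and a rootkit on the host can lie to `pacman` and `find` alike, which is why the post recommends preserving the system and reinstalling.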

Notes

Most of these packages are rare, but the scope is significant. Also, it’s rare to see a supply chain attack of this nature go so far as an eBPF rootkit in addition to infostealer behavior.

Socket.dev has the malicious NPM package. It shows 134 downloads.

https://socket.dev/npm/package/atomic-lockfile
