Over 400 Arch Linux packages compromised to push rootkit, infostealer
By Bill Toulas
June 12, 2026, 01:03 PM
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.
A report from the open-source intelligence community Independent Federated Intelligence Network (IFIN) notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages.
The Arch Linux distribution is popular among power users and developers, who rely on the AUR catalog to obtain the latest versions of software, drivers, and the kernel.
AUR is a community-maintained repository for the Arch distribution that contains package build scripts (PKGBUILDs) with instructions for downloading, compiling, and installing software not available in Arch’s official repositories.
AUR is considered essential for any Arch-based distribution because it contains proprietary applications, beta/nightly versions of open-source software, niche utilities, and older versions of packages that retain functionality which may have been removed in later releases.
However, it is not a vetted space, and threat actors can use it to push malware through packages that change ownership without anyone noticing.
According to IFIN member Michael Taggart, the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.
Independent security researcher Whanos notes that one sample of the atomic-lockfile included a Linux ELF payload named deps, which was a "credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities."
"It is designed for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets," Whanos says in the report.
Because the payload uses eBPF, it can run code inside the kernel with elevated privileges and hide local processes.
Supply-chain management company Sonatype also published a report on a campaign targeting the AUR repository and delivering the malicious atomic-lockfile npm package, but using a different method.
Sonatype researchers say that the threat actor hijacked at least 20 orphaned packages on AUR and pushed atomic-lockfile by modifying the PKGBUILD file, the Bash script that holds the build instructions for an Arch Linux package.
According to the report, the attacker added a post-install script to invoke npm and retrieve the malicious package.
"The modified packages add a post-install script that invokes npm and installs atomic-lockfile during package installation," Sonatype says.
However, analysis showed that the npm package installed a Linux executable with references to an eBPF rootkit that could hide processes, files, and network interfaces.
Additionally, the Linux binary indicates that it has infostealer functionality, targeting the following types of sensitive information:
GitHub credentials
SSH artifacts
HashiCorp Vault tokens
Browser cookie databases
Slack data
Discord data
Microsoft Teams data
Telegram data
Sonatype determined that the binary can archive data, handle multi-part files, and perform HTTP uploads, so the functionality for a typical exfiltration mechanism is present.
AUR maintainers are working to identify and remove all malicious commits, and to ban the accounts pushing them.
In a message to the community, Arch Linux package maintainer Jonathan Grotelüschen urged users to report any malicious package they find.
As a general rule, it’s recommended to only trust projects with frequent updates and an active community around them.
Arch users are advised to review the list of affected packages and look for the indicators of compromise provided in the report from Whanos.
Michael Taggart also pointed to a script that checks for the atomic-lockfile malware on the system.
If compromised packages are found, users should rotate all credentials and consider reinstalling Arch from scratch, since a rootkit may survive normal cleaning efforts.
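A minimal local check in the spirit of the one Taggart points to, added here as an example; it is not the script the article references, nor code from IFIN, Sonatype or the AUR maintainers. It looks only for the one indicator the article names, the atomic-lockfile package name, in AUR helper build caches and npm module directories; the default paths are assumptions and should be adjusted to the helper and npm layout actually in use.

```shell
#!/bin/sh
# Added example: look for traces of the atomic-lockfile npm package that the
# hijacked AUR build scripts pull in during package installation.
# Assumption: the default roots below are where an AUR helper (yay, paru) keeps
# cloned PKGBUILDs and where npm keeps its cache and global modules.
set -u

# Scan one directory tree. Prints each hit; returns 0 if anything was found,
# 1 if the tree is clean or does not exist.
scan_for_atomic_lockfile() {
    root="$1"
    [ -d "$root" ] || return 1
    # 1. an installed copy of the npm module anywhere under the tree
    mods=$(find "$root" -type d -name atomic-lockfile 2>/dev/null)
    # 2. build scripts (PKGBUILD or .install hooks) that name the package,
    #    which is how the modified AUR packages invoke npm to fetch it
    refs=$(find "$root" -type f \( -name PKGBUILD -o -name '*.install' \) \
           -exec grep -l 'atomic-lockfile' {} + 2>/dev/null)
    [ -n "$mods" ] && printf 'npm module present:\n%s\n' "$mods"
    [ -n "$refs" ] && printf 'build script references atomic-lockfile:\n%s\n' "$refs"
    [ -n "$mods" ] || [ -n "$refs" ]
}

# Driver: scan the directories given on the command line, or the assumed
# default locations when none are given.
if [ "$#" -eq 0 ]; then
    set -- "$HOME/.cache/yay" "$HOME/.cache/paru" "$HOME/.npm" /usr/lib/node_modules
fi
found=0
for dir in "$@"; do
    if scan_for_atomic_lockfile "$dir"; then found=1; fi
done
[ "$found" -eq 0 ] && echo "no atomic-lockfile traces found in scanned paths"
```

A hit means the package was at least fetched on this host, which is the point at which the rotate-credentials-and-reinstall advice above applies; a clean result only covers the paths scanned.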