Massive AUR Package Hijack Campaign Spreads Cryptominer and eBPF Rootkit

CSBadmin

The Attack Method

Attackers hijacked more than 400 packages in the Arch User Repository (AUR) by targeting orphaned projects whose maintainers had abandoned them. Once they had adopted a package, the attackers altered its build scripts, specifically the PKGBUILD or .install files, to execute a malicious npm package called atomic-lockfile during compilation. This approach exploited the trust inherent in established package names and histories rather than any software vulnerability. The official Arch Linux repositories were not affected.

Malware Capabilities

The malicious payload is a Rust binary designed to steal credentials and sensitive data from developer systems. It targets browser cookies and tokens from Chromium-based browsers, session data from Electron apps like Slack and Discord, API tokens for GitHub and OpenAI, SSH keys, shell histories, and Docker credentials. Stolen data is exfiltrated over HTTP, and command-and-control traffic is routed through a Tor onion service. When executed with root privileges, the malware can optionally deploy an eBPF rootkit that hides its own processes from standard system tools and blocks debugger attachments.

Scope and Response

The scope of the attack expanded rapidly, with community trackers identifying over 400 compromised packages within a day. A second wave using a different npm package, js-digest, was also detected. Arch maintainers are reverting the malicious commits and banning the associated accounts. Users who installed or updated any AUR package on or after June 11 should check the community lists of affected packages, rotate all potentially stolen credentials, and inspect their systems for persistence mechanisms such as unknown systemd services or unexpected files in /var/lib/. If a compromised package ran with root privileges, a full reinstall from trusted media is recommended.
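
The two checks above (comparing installed AUR packages against a community list, and looking for the named npm packages in build scripts) as an added POSIX shell example; this is not code from the article or from the Arch project. It assumes the affected list is a plain text file with one package name per line and that cached build directories live under ~/.cache/yay; adjust the path for your AUR helper.

```shell
#!/bin/sh
# Added example, not from the article. Offline checks after the AUR compromise.
# Assumptions: the affected-package list is a text file you fetched from the
# community trackers (one name per line); build trees are cached by your AUR
# helper under ~/.cache/yay (change for paru or a manual clone directory).

# npm package names the article reports being pulled in by tampered
# PKGBUILD / .install files (first and second wave).
INDICATORS='atomic-lockfile|js-digest'

# scan_build_dir DIR
# Prints every PKGBUILD or *.install under DIR that mentions an indicator.
# Exit status 0 when at least one file matched, 1 when the tree is clean.
scan_build_dir() {
    grep -rlE "$INDICATORS" --include=PKGBUILD --include='*.install' "$1" 2>/dev/null
}

# foreign_on_list AFFECTED_FILE
# Reads "name version" lines (the format of `pacman -Qm`, i.e. packages not
# from an official repo) on stdin and prints the names that also appear in
# AFFECTED_FILE. Blank lines in the list are ignored.
foreign_on_list() {
    awk -v listfile="$1" '
        BEGIN { while ((getline line < listfile) > 0) if (line != "") bad[line] = 1 }
        ($1 in bad) { print $1 }
    '
}

# Real-system usage: ./check.sh affected.txt
# Skipped automatically where pacman is absent or no list was given.
if command -v pacman >/dev/null 2>&1 && [ -n "$1" ]; then
    echo "== installed foreign packages on the affected list =="
    pacman -Qm | foreign_on_list "$1"
    echo "== cached build scripts referencing the indicator packages =="
    scan_build_dir "${HOME}/.cache/yay" || echo "(none found)"
fi
```

A hit from either check means the credentials listed in the article should be rotated and the host inspected for persistence; a clean result from the build-script scan only covers what is still cached locally.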

Source: https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html

CSBadmin

The latest in cybersecurity news and updates.
