Latest
Malware

Malicious AUR Packages Hit Arch Linux With a Credential Stealer and Kernel Rootkit

Malicious AUR Packages Hit Arch Linux With a Credential Stealer and Kernel Rootkit

More than 400 packages in the Arch User Repository (AUR) are currently being distributed with a combination of Linux rootkits and infostealer malware designed to steal user credentials and access token information.

A recent report by the independent, open-source intelligence group Independent Federated Intelligence Network (IFIN) stated that a new maintainer is impersonating a well-known publisher within the AUR environment to distribute malicious packages to users.

  • Arch Linux is used as a base operating system by many advanced users and developers. The primary reason for this is its ability to utilize the AUR catalog to acquire current builds of software, drivers and kernels.
  • AUR is a community-created repository for the Arch distribution which provides package build scripts (PKGBUILDs). These scripts contain directions for users to download, compile, install and manage software not part of the Arch official repositories.
  • AUR is seen as critical to most distributions based upon Arch due to its availability of proprietary applications, nightly/beta versions of open-source software, specialized tools and legacy versions of software where features were removed from newer builds.

While AUR provides numerous benefits to Arch users, such as acquiring additional software options, there are risks associated with utilizing the service. One major risk is that it is not a vetted environment. Threat actors can leverage AUR's lack of vetting to create malicious packages with preinstalled scripts that will be executed automatically when a package changes owner.

According to IFIN member Michael Taggart, the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.

Independent security researcher Whanos noted that one version of atomic-lockfile contained an ELF payload for Linux called "deps". This payload is described as a "credential stealer with optional root-only eBPF (Extended Berkeley Packet Filter) rootkit capabilities".

"atomic-lockfile is targeted at developer workstation build environments," Whanos continued. "It accesses data stored in browser and Electron applications, Slack, Microsoft Teams, Discord, GitHub, npm, HashiCorp Vault, Docker/Podman, SSH/VPN secrets and shell histories and other local developer secrets."

Due to the inclusion of eBPF technology, the malware can run as a module inside the kernel with elevated privileges, allowing it to hide processes locally.

On June 28th, supply chain management firm Sonatype released their own report detailing how atomic-lockfile was utilized in a campaign targeting the AUR repository. However, unlike IFIN's findings, Sonatype reports that the attackers used a different tactic.

Sonatype researchers claim that the attackers took advantage of at least 20 orphaned packages on the AUR repository. They then modified the PKGBUILD file (a bash script that holds build information necessary for Arch Linux packages) in each of these packages and created a post-install script that invoked npm and retrieved the malicious package.

According to Sonatype, "the modified packages add a post-install script that invokes npm and installs atomic-lockfile during package installation."

Upon further analysis, it was discovered that the npm package installed a Linux binary containing references to an eBPF rootkit that would allow the attacker to hide processes, files and network interfaces. Additionally, the Linux binary indicated that it had infostealer functionality targeting sensitive information types including:

  • GitHub credentials
  • SSH artifacts
  • HashiCorp Vault tokens
  • Browser cookie databases
  • Slack data
  • Discord data
  • Microsoft Teams data
  • Telegram data

Based on Sonatype's findings, they concluded that the binary was capable of archiving data, handling multi-part files and performing HTTP uploads, thus creating a common exfiltration mechanism.

AUR maintainers have begun identifying and removing all malicious commits. In addition to removing the commits, AUR maintainers are taking steps to ban the accounts responsible for pushing these malicious commits.

Jonathan Grotelüschen, an Arch Linux package maintainer, posted a message to the community urging users to report any malicious packages they discover.

Generally speaking, it is best practice to only trust projects with frequent updates and active communities surrounding them.

Users of Arch Linux are encouraged to review the list of affected packages and look for indicators of compromise (IOCs) as listed in Whanos' report.

Additionally, Michael Taggart posted a script to check for malware associated with atomic-lockfile.

If users determine that their systems are impacted by compromised packages, they should rotate all credentials and consider rebuilding Arch from scratch, due to the possible persistence of a rootkit surviving normal cleaning efforts.

More in Malware & Ransomware

The Gentlemen Rapidly Rises to Ransomware Prominence
Malware

The Gentlemen Rapidly Rises to Ransomware Prominence

Jun 16, 2026 6 min read
2026: The Year of AI-Assisted Attacks
Malware

2026: The Year of AI-Assisted Attacks

Jun 6, 2026 6 min read
SSHStalker botnet attacks 7,000 Linux systems with brute force
Malware

SSHStalker botnet attacks 7,000 Linux systems with brute force

Apr 7, 2026 5 min read
13 Methods Attackers Use Generative AI to Compromise Your Systems
Malware

13 Methods Attackers Use Generative AI to Compromise Your Systems

Apr 4, 2026 9 min read