Over 400 Arch Linux AUR Packages Hijacked to Deliver Credential Stealer and eBPF Rootkit
More than 400 Arch User Repository packages were hijacked this week. The attackers adopted abandoned projects and modified build scripts to install a credential stealer that, with root privileges, loads an eBPF rootkit to hide its presence.
Attackers hijacked more than 400 packages in the Arch User Repository (AUR) this week, rewriting build scripts to deploy a Rust-based credential stealer and an optional eBPF rootkit. The campaign, tracked as Atomic Arch by Sonatype, targeted developer workstations and build systems by modifying the PKGBUILD files of orphaned packages.
As of June 12, the confirmed list of affected packages exceeded 408 entries, with community trackers still updating the count. The Arch Linux official repositories were not compromised. Any user who installed or updated an AUR package on or after June 11 should validate their system against published package lists.
How the hijacking worked
The attackers targeted packages whose maintainers had stepped away. They adopted them through the AUR's normal process and edited the build instructions to execute an npm package called atomic-lockfile@1.4.2 during the build step. That package carried a preinstall hook that ran a bundled Linux ELF binary named deps, so building the package was enough to run the payload. The attackers also spoofed git commit metadata to make the changes appear to come from a long-standing maintainer, though the Arch Linux Trusted User confirmed that account was never compromised.
Confirmed hijacked packages reported to the Arch mailing list include alvr and premake-git. A second wave used a different npm package, js-digest, pushed from separate accounts linked to the same publisher. Its payload was a different ELF binary, also flagged as malicious.
What the malware does
Independent researcher Whanos reverse-engineered the deps payload and described a Rust-based credential stealer that targets developer environments and collects:
- Cookies, tokens, and local storage from Chromium-based browsers (Chrome, Edge, Brave)
- Session data from Electron apps including Slack, Discord, and Microsoft Teams
- GitHub, npm, and HashiCorp Vault tokens, plus OpenAI and ChatGPT bearer material
- SSH keys, known_hosts, shell histories, Docker and Podman credentials, VPN profiles
Stolen data is exfiltrated over HTTP to temp.sh, with command and control routed through a Tor onion service via a local loopback proxy. For persistence, the malware installs a systemd service with Restart=always. With root, it copies itself under /var/lib/ and writes a unit in /etc/systemd/system/. As a normal user, it uses the home directory and a per-user unit.

The eBPF rootkit loads only when the binary already has root and the correct capability. It hides its own processes, process names, and socket inodes using pinned BPF maps, and it kills debugger attachments.

For cleanup, removing the AUR package is not sufficient once the payload has executed on a root-privileged system.
What users should do now
Arch maintainers are resetting malicious commits, banning attacker accounts, and asking users to report suspicious packages via the mailing-list thread. The published affected-package list should be treated as incomplete. Users should check any AUR package installed or updated on or after June 11 against community-compiled lists. The atomic-lockfile npm package, which showed only 134 weekly downloads on Socket before removal, highlights that the real exposure path is through AUR builds, not direct npm installs. Socket also reported second-wave packages using js-digest, so users should check for both indicators.
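A triage script for the check described above, added here as an example and not part of the article or of any Arch tooling: it parses pacman's local database (/var/lib/pacman/local/*/desc) and flags packages that are on the hijacked list or were locally built and installed on or after a cutoff. The two names in KNOWN_HIJACKED are the ones confirmed above; the sample entries, versions and timestamps are constructed, and treating VALIDATION none as "locally built" is an assumption.

```python
"""Triage pacman's local db after the AUR hijacking (added example, not Arch tooling)."""
import sys
from pathlib import Path

LOCAL_DB = "/var/lib/pacman/local"
# Only the two names confirmed on the mailing list; use the community list in practice.
KNOWN_HIJACKED = {"alvr", "premake-git"}
# Constructed entries in pacman's 'desc' format (%KEY% line, value lines, blank line).
SAMPLE_DESCS = [
    "%NAME%\nalvr\n\n%VERSION%\n20.0.0-1\n\n%INSTALLDATE%\n1749999000\n\n%VALIDATION%\nnone\n",
    "%NAME%\nfoo-git\n\n%VERSION%\n1.0-1\n\n%INSTALLDATE%\n1750000000\n\n%VALIDATION%\nnone\n",
    "%NAME%\nbash\n\n%VERSION%\n5.2-1\n\n%INSTALLDATE%\n1750000000\n\n%VALIDATION%\npgp\n",
]

def parse_desc(text):
    """Parse one desc file into {KEY: [values]}."""
    fields, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return fields

def triage(desc_texts, cutoff_epoch, hijacked):
    """Return [(name, version, reason)] for packages to review.
    'listed': on the hijacked list. 'local-recent': installed/upgraded on or after the
    cutoff with VALIDATION none, which is how makepkg-built packages appear in the local
    db, unlike signed repo packages (assumption: no unsigned custom repos in use)."""
    hits = []
    for text in desc_texts:
        f = parse_desc(text)
        name, version = f.get("NAME", ["?"])[0], f.get("VERSION", ["?"])[0]
        installed = int(f.get("INSTALLDATE", ["0"])[0])
        if name in hijacked:
            hits.append((name, version, "listed"))
        elif f.get("VALIDATION", ["none"])[0] == "none" and installed >= cutoff_epoch:
            hits.append((name, version, "local-recent"))
    return hits

def load_local_db(path=LOCAL_DB):
    if not Path(path).is_dir():  # not on Arch: fall back to the constructed sample
        return SAMPLE_DESCS
    return [p.read_text(encoding="utf-8") for p in Path(path).glob("*/desc")]

if __name__ == "__main__":
    # The article dates the cutoff June 11 without a year: pass it as epoch seconds,
    # e.g. "$(date -d YYYY-06-11 +%s)"; the default only matches the sample data.
    cutoff = int(sys.argv[1]) if len(sys.argv) > 1 else 1750000000
    for name, version, reason in triage(load_local_db(), cutoff, KNOWN_HIJACKED):
        print(f"{reason:12} {name} {version}")
```

A 'local-recent' hit is a package to compare against the community list and, if it was rebuilt from a hijacked PKGBUILD, a host to treat as compromised rather than merely cleaned by uninstalling.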
Fact check
- Over 400 AUR packages were hijacked in the campaign, with one master list compiled by grepping the AUR mirror putting the count around 408. (reported)
- The malware is a Rust binary that steals credentials from browsers, Electron apps, and developer tools. (reported)
- The attackers used the npm package atomic-lockfile@1.4.2 to deliver the payload. (verified)
- A second wave of attacks used the npm package js-digest with a different ELF binary. (reported)