Over 400 Arch Linux Packages Compromised, Distributing Rootkit and Infostealer
A significant supply-chain attack has impacted the **Arch User Repository (AUR)**, with over 400 packages found distributing a potent Linux rootkit and infostealer malware. Threat actors are leveraging spoofed maintainer identities to push malicious packages, targeting a wide array of sensitive credentials and access tokens from developer workstations and build environments.

More than 400 packages within the **Arch User Repository (AUR)** are actively distributing a sophisticated Linux rootkit and infostealer malware. This extensive compromise targets critical credentials and access tokens, posing a severe threat to **Arch Linux** power users and developers.
### The Attack Vector: Spoofed Maintainers and Malicious Packages
Reports from the open-source intelligence community **Independent Federated Intelligence Network (IFIN)** indicate that a new maintainer is impersonating a trusted publisher on the **AUR** platform. This tactic allows them to inject infected packages into the community-maintained repository.
**AUR** is a crucial resource for **Arch Linux** users, providing access to a vast catalog of software, drivers, and kernel versions not available in official repositories. However, its community-driven nature means it's not a vetted space, making it susceptible to supply-chain attacks where package ownership changes can go unnoticed.
### The Malware: `atomic-lockfile`, a Rootkit and Infostealer Hybrid
According to **IFIN** member **Michael Taggart**, the compromised packages are modified with preinstall scripts that download and execute a malicious **npm** package named `atomic-lockfile`.
Independent security researcher **Whanos** provided a preliminary analysis, identifying a Linux **ELF** payload named `deps` within `atomic-lockfile`. This payload is described as a "credential stealer with optional root-only **eBPF** [extended Berkeley Packet Filter] rootkit capabilities." The malware is specifically designed to target developer workstations and build environments.
**Whanos** notes that the infostealer functionality targets an extensive list of sensitive data, including:
* Browser and **Electron** application data
* **Slack**, **Microsoft Teams**, and **Discord** data
* **GitHub** credentials
* **npm** tokens
* **HashiCorp Vault** tokens
* **Docker/Podman** artifacts
* **SSH** keys
* **VPN** material
* Shell histories
* Other local developer secrets
The **eBPF** component, which can only be loaded once the malware runs as root, lets it execute its own programs inside the kernel and hide local processes from userland tooling, making detection and removal significantly more challenging.
### Sonatype's Findings: Hijacked Orphaned Packages
Supply-chain management company **Sonatype** also published a report detailing a similar campaign targeting the **AUR** repository, though using a slightly different method to deliver the `atomic-lockfile` **npm** package. **Sonatype** researchers observed threat actors hijacking at least 20 orphaned packages on **AUR**.
The attackers modified the **PKGBUILD** file (a **Bash** script containing build information for **Arch Linux** packages) to add a post-install script. This script invokes **npm** to retrieve and install the malicious `atomic-lockfile` package during the normal package installation process.
**Sonatype**'s analysis confirmed the presence of a Linux executable with references to an **eBPF** rootkit capable of hiding processes, files, and network interfaces. The binary also exhibited infostealer capabilities, with functionality for data archiving, multi-part file handling, and **HTTP** uploads, indicating a robust exfiltration mechanism.
### Community Response and User Guidance
**AUR** maintainers are actively working to identify and remove all malicious commits and ban the associated accounts. **Arch Linux** package maintainer **Jonathan Grotelüschen** has urged the community to report any suspicious packages they encounter.
For **Arch Linux** users, it is generally recommended to only trust projects with frequent updates and an active, engaged community. Users are advised to:
* Review the list of affected packages, which can be found in the report from **Whanos**.
* Look for indicators of compromise (IOCs) provided in the reports.
* Utilize a script, shared by **Michael Taggart**, that checks for the `atomic-lockfile` malware on their systems.
If compromised packages are discovered, users should immediately rotate all credentials and seriously consider a full reinstallation of **Arch Linux** from scratch. The persistent nature of a rootkit, especially one leveraging **eBPF**, means it may survive standard cleaning efforts, necessitating a complete system wipe to ensure full remediation.
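A defender-side audit in the spirit of the check mentioned above, added here as an illustration (it is not Michael Taggart's script nor code from any of the cited reports): it scans the PKGBUILD and `.install` files an AUR helper has cached for the delivery pattern the reports describe, an install hook that shells out to `npm`, and looks for an installed copy of the `atomic-lockfile` npm package. The cache paths, the `$HOME/node_modules` location and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not the article's or any researcher's code: audit the
# PKGBUILD and .install files an AUR helper has cached for the delivery
# pattern the reports describe (an install hook that shells out to npm),
# and look for an installed copy of the atomic-lockfile npm package.

# Install hooks (pre_install/post_install/... in .install files) run on the
# target machine as root at install time, so any package-manager or download
# command there is anomalous regardless of the package name.
HOOK_FETCH_RE='(^|[^[:alnum:]_./-])(npm|npx|curl|wget)([[:space:]]|$)'

# scan_build_dir DIR: print "file:line:text" for suspicious lines and
# return 0 if any were found, 1 otherwise.
scan_build_dir() {
    hits=$(
        # any fetch/npm call inside an .install hook
        find "$1" -type f -name '*.install' \
            -exec grep -nHE "$HOOK_FETCH_RE" {} \; 2>/dev/null
        # legitimate Node packages do call npm inside build()/package(),
        # so PKGBUILDs are only checked for the known malicious package name
        find "$1" -type f -name PKGBUILD \
            -exec grep -nHF 'atomic-lockfile' {} \; 2>/dev/null
    )
    [ -n "$hits" ] && printf '%s\n' "$hits" && return 0
    return 1
}

# check_node_modules NODE_MODULES_DIR...: report an installed
# atomic-lockfile in any of the given node_modules directories.
check_node_modules() {
    found=1
    for nm in "$@"; do
        [ -n "$nm" ] && [ -f "$nm/atomic-lockfile/package.json" ] &&
            printf 'installed: %s/atomic-lockfile\n' "$nm" && found=0
    done
    return $found
}

# Usage: sh aur-audit.sh ~/.cache/yay ~/.cache/paru (assumed locations where
# an AUR helper keeps downloaded build files). Exit status 0 means findings.
if [ $# -gt 0 ]; then
    rc=1
    for d in "$@"; do scan_build_dir "$d" && rc=0; done
    check_node_modules "$(npm root -g 2>/dev/null)" "$HOME/node_modules" && rc=0
    exit $rc
fi
```

A hit in an `.install` hook is a reason to inspect the package's AUR history for an ownership change, not proof of compromise on its own; a hit under `node_modules` should trigger the credential rotation described above.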