Over 400 Arch Linux packages compromised to push rootkit, infostealer
Publish Date: 2026-06-12 13:03:00
Source Domain: www.bleepingcomputer.com
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.
A report from the open-source intelligence community Independent Federated Intelligence Network (IFIN) notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages.
The Arch Linux distribution is popular among power users and developers, who rely on the AUR catalog to obtain the latest versions of installed software, drivers, and the kernel.

AUR is a community-maintained repository for the Arch distribution that contains package build scripts (PKGBUILDs) with instructions for downloading, compiling, and installing software not available in Arch’s official repositories.
AUR is considered essential for any Arch-based distribution because it contains proprietary applications, beta/nightly versions of open-source software, niche utilities, and older versions of packages that retain functionality which may have been removed in later releases.
However, it is not a vetted space, and threat actors can use it to push malware through packages that change ownership without anyone noticing.
According to IFIN member Michael Taggart, the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.
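The attack described above abuses the install hooks (`pre_install`, `post_install`, and so on) that an AUR package's `.install` file can define. As an added illustration that is not code from the article or from IFIN, the script below audits a PKGBUILD and its `.install` file for hooks that fetch from the network or call a package manager such as npm, which legitimate AUR install hooks almost never need; the package name, URL and npm package in the sample are constructed placeholders, and the patterns are heuristics rather than a signature for this campaign.

```python
"""Heuristic audit of an AUR package's PKGBUILD and .install hooks (added example)."""
import re

# Hook functions makepkg/pacman run from a package's .install file
HOOKS = ("pre_install", "post_install", "pre_upgrade",
         "post_upgrade", "pre_remove", "post_remove")
# Commands that have no business inside an install hook
NETWORK = re.compile(r"\b(curl|wget|npm|npx|pip|git\s+clone|base64\s+-d)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")


def hook_bodies(install_text):
    """Yield (hook_name, body) for each install hook function defined."""
    pattern = re.compile(r"(\w+)\s*\(\)\s*\{(.*?)\n\}", re.S)
    for m in pattern.finditer(install_text):
        if m.group(1) in HOOKS:
            yield m.group(1), m.group(2)


def audit(pkgbuild_text, install_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    # Note whether the PKGBUILD wires in an install script at all
    m = re.search(r"^install=(\S+)", pkgbuild_text, re.M)
    if m:
        findings.append(f"PKGBUILD declares install script {m.group(1)}")
    for name, body in hook_bodies(install_text):
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if NETWORK.search(line):
                findings.append(f"{name}: network/package-manager call: {line}")
            if PIPE_TO_SHELL.search(line):
                findings.append(f"{name}: pipe to shell: {line}")
    return findings


# Constructed sample input mimicking the pattern the article describes
SAMPLE_PKGBUILD = """pkgname=example-tool
pkgver=1.0
install=example-tool.install
source=("https://example.invalid/example-tool-1.0.tar.gz")
"""
SAMPLE_INSTALL = """post_install() {
  npm install -g some-lockfile-helper >/dev/null 2>&1 || true
}
pre_upgrade() {
  echo 'upgrading'
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PKGBUILD, SAMPLE_INSTALL):
        print(finding)
```

Run it against the files in a cloned AUR package directory before building; a hook that runs npm or pipes a download into a shell is reason to stop and read the package history, not just the PKGBUILD.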
Independent security researcher Whanos notes that one sample of the atomic-lockfile included a Linux ELF payload named deps, which was a “credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities.”
“It is designed for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets,” Whanos says in the report.
With eBPF technology present, the malware can run inside the kernel…