{"id":271498,"date":"2026-06-12T15:24:00","date_gmt":"2026-06-12T19:24:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/12\/over-400-arch-linux-aur-packages-hijacked-to-deploy-infostealer-and-ebpf-rootkit\/"},"modified":"2026-06-12T15:35:08","modified_gmt":"2026-06-12T19:35:08","slug":"over-400-arch-linux-aur-packages-hijacked-to-deploy-infostealer-and-ebpf-rootkit","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/12\/over-400-arch-linux-aur-packages-hijacked-to-deploy-infostealer-and-ebpf-rootkit\/","title":{"rendered":"Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/400-arch-linux-aur-packages-hijacked-to.html\">Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/400-arch-linux-aur-packages-hijacked-to.html\">https:\/\/thehackernews.com\/2026\/06\/400-arch-linux-aur-packages-hijacked-to.html<\/a><\/p>\n<p>Publish Date: 2026-06-12 15:24:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.<\/p>\n<p>The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux&#8217;s community package collection, and it is separate from the official Arch repositories, which were not affected.<\/p>\n<p>If you installed or updated an AUR package on or after June 11, check it against the current affected-package lists before trusting the host. The list of names is large, still growing, and not yet complete.<\/p>\n<p>This attack goes after the trust model, not a software flaw. 
The compromised packages kept their names, their histories, and the trust that came with them. Only the build instructions changed.<\/p>\n<p>The trap sat in the recipe, leaving the package itself looking exactly like the software users meant to install. No exploit, no zero-day, and no sign Arch&#8217;s own systems were breached.<\/p>\n<p>The attackers adopted abandoned packages, edited the build files, and let users run the payload for them. Sonatype, which named the campaign Atomic Arch, found them going after orphaned projects: packages whose maintainers had walked away, leaving them open for anyone to adopt.<\/p>\n<p>They also spoofed git commit metadata so the changes looked like they came from a long-standing maintainer, an account an Arch Linux Trusted User later confirmed was never compromised.<\/p>\n<p>Once a package was adopted, its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build, pulling the malicious npm package alongside a couple of legitimate ones for cover. That package, atomic-lockfile@1.4.2, carries a preinstall hook that runs a bundled Linux ELF named deps. 
Build the package, and the binary runs.<\/p>\n<p>Confirmed examples reported to the Arch mailing list include the alvr and premake-git packages.<\/p>\n<h2>What the malware&#8230;<\/h2>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/400-arch-linux-aur-packages-hijacked-to.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit https:\/\/thehackernews.com\/2026\/06\/400-arch-linux-aur-packages-hijacked-to.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":271499,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjoaB3XILLCN-oMr8vicgye6mcqKGYsgqgxPAGunmwASyrP3c7XgAxJTV8tsVPuRSmJ8ia7SZdS8hyphenhyphenb6moPI2QiwkdKoI2E_zchlBfqx1KnfFpb3yKHQQY6qCWyKmkSK_12texqsHTxtYnv8kMMpzJ-SEFxR7Ougz0axLPVr5zDAWQiZY8pEtUUL8L4hmri\/s1600\/arch-hack.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[99,31,89,36,71,32],"class_list":["post-271498","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-arch-linux","tag-exploit","tag-flaw","tag-infostealer","tag-linux","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/271498"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=271498"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/271498\/revisions"}],"predecessor-version":[{"id":271500,"href":"https:\/\/news-you-need.com\/inde
x.php\/wp-json\/wp\/v2\/posts\/271498\/revisions\/271500"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/271499"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=271498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=271498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=271498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}