More than 400 packages in the Arch User Repository (AUR) have been compromised to deliver a credential stealer and eBPF rootkit aimed squarely at developer workstations and build environments. The campaign, disclosed June 12, abuses AUR’s community-trust model through two parallel vectors and pivots across ecosystems: poisoned PKGBUILDs invoke npm to fetch the actual payload.
What happened
Researchers from the Independent Federated Intelligence Network (IFIN) report that a new AUR maintainer spoofing a trusted publisher pushed infected packages whose preinstall scripts download and execute a malicious npm package named atomic-lockfile. Separately, Sonatype identified at least 20 orphaned AUR packages that were adopted and had their PKGBUILD files modified with a post-install script that installs the same atomic-lockfile package via npm.
That cross-registry hop is the notable design choice here. AUR PKGBUILDs are arbitrary Bash run with user trust, and routing the payload through npm gives the attacker a single, swappable distribution point while the 400+ AUR packages act as the fan-out layer.
Technical details
Independent researcher Whanos analyzed a sample containing a Linux ELF payload named deps: a credential stealer with optional root-only eBPF rootkit capabilities. When it can load eBPF programs, the malware runs with kernel-level visibility and can hide processes, files, and network interfaces — Sonatype’s analysis of the binary corroborates the rootkit references.
The stealer targets exactly what lives on an infrastructure engineer’s machine: GitHub credentials and npm tokens, SSH artifacts, HashiCorp Vault tokens, Docker/Podman configs, VPN material, shell histories, browser cookie databases, and Electron app data from Slack, Microsoft Teams, Discord, and Telegram. The binary includes archiving, multi-part file handling, and HTTP upload functionality — a complete exfiltration pipeline.
No CVE applies; this is malicious package distribution, not a software vulnerability.
Impact
AUR is unvetted by design, and most Arch-based systems rely on it for software outside the official repos; that includes users of derivatives such as Manjaro and EndeavourOS who pull from AUR. Anyone who installed or updated one of the affected packages — or whose CI images build from AUR — should assume credential compromise. Because the rootkit component runs in the kernel via eBPF, a compromised host can actively hide the evidence: process listings, on-disk artifacts, and network connections may all lie to you.
AUR maintainers are identifying and removing malicious commits and banning the accounts involved. Arch package maintainer Jonathan Grotelüschen has asked users to report any malicious packages they find. This is not AUR’s first malware incident — Chaos RAT packages were pulled in July 2025 — but it is by far the largest.
What to do right now
First, check for infection. Michael Taggart (IFIN) points to a community detection script that checks for atomic-lockfile on the system. Review the affected-package list and IoCs in Whanos’s preliminary analysis. Audit pacman logs for recently installed or updated AUR packages, and grep PKGBUILDs in your build cache for npm invocations that have no business being there. bpftool prog list output is worth capturing from a trusted boot environment, since a live compromised kernel may filter it.
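The triage steps above, worked through as an added example (this is not code from the article, IFIN, Sonatype or Whanos, nor the community detection script it mentions): a Bash script that pulls recent installs and upgrades out of a pacman log, greps a build cache's PKGBUILD and .install files for npm or npx invocations, and looks for directories named atomic-lockfile. The pacman log line format and the build-cache layout (one directory per package holding PKGBUILD and an optional .install file) are assumptions; the log lines and package files it runs against are constructed fixtures, and bpftool is only invoked if it is installed.

```bash
#!/usr/bin/env bash
# Added triage helpers for an Arch host; not from the article or the researchers it cites.
# Assumptions: pacman.log lines look like "[2026-06-12T08:05:33+0000] [ALPM] installed pkg (ver)"
# or "[...] [ALPM] upgraded pkg (old -> new)"; a build cache is <cache>/<pkg>/PKGBUILD plus an
# optional <pkg>.install. Everything the demo at the bottom runs against is a constructed fixture.
set -u

# Print "action package" for every install or upgrade in a pacman log on or after the
# given YYYY-MM-DD date, so the names can be cross-checked against the affected-package list.
recent_pkg_changes() {
  local log="$1" since="$2"
  awk -v since="$since" '
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
      ts = substr($1, 2, 10)            # "[2026-06-12T08:05:33+0000]" -> "2026-06-12"
      if (ts >= since) print $3, $4     # action and package name
    }' "$log"
}

# Report npm/npx invocations in PKGBUILD and .install files under a build cache.
# Output is file:line:text; exit status 0 means at least one hit was found.
scan_pkgbuilds_for_npm() {
  local dir="$1"
  grep -rnE --include=PKGBUILD --include='*.install' \
    '(^|[^[:alnum:]_])(npm|npx)[[:space:]]' "$dir"
}

# Find directories named after the npm package the write-up identifies, under any root
# (covers global installs and per-user node_modules alike).
find_atomic_lockfile() {
  local root="$1"
  find "$root" -type d -name atomic-lockfile 2>/dev/null
}

# Create constructed fixtures in a temp dir and print its path.
make_fixtures() {
  local d
  d="$(mktemp -d)"
  cat >"$d/pacman.log" <<'EOF'
[2026-06-01T09:00:00+0000] [ALPM] installed vim (9.1-1)
[2026-06-11T14:22:10+0000] [ALPM] upgraded foo-git (1.0-1 -> 1.1-1)
[2026-06-12T08:05:33+0000] [ALPM] installed bar-bin (2.3-1)
EOF
  mkdir -p "$d/cache/good-pkg" "$d/cache/foo-git" \
           "$d/home/user/.npm-global/lib/node_modules/atomic-lockfile"
  printf 'pkgname=good-pkg\nbuild() {\n  make\n}\n' >"$d/cache/good-pkg/PKGBUILD"
  printf 'pkgname=foo-git\ninstall=foo-git.install\n' >"$d/cache/foo-git/PKGBUILD"
  # Constructed post_install hook of the kind described in the write-up: it shells out to npm.
  printf 'post_install() {\n  npm install -g atomic-lockfile >/dev/null 2>&1\n}\n' \
    >"$d/cache/foo-git/foo-git.install"
  printf '%s\n' "$d"
}

main() {
  local fixtures
  fixtures="$(make_fixtures)"
  echo "== packages installed or upgraded since 2026-06-11 =="
  recent_pkg_changes "$fixtures/pacman.log" 2026-06-11
  echo "== npm/npx invocations in build cache =="
  scan_pkgbuilds_for_npm "$fixtures/cache" || echo "(none)"
  echo "== atomic-lockfile directories =="
  find_atomic_lockfile "$fixtures/home"
  # Only meaningful from a trusted boot environment: a live rootkit can filter this output.
  if command -v bpftool >/dev/null 2>&1; then bpftool prog list || true; fi
  rm -rf "$fixtures"
}
main
```

On a real host, point recent_pkg_changes at /var/log/pacman.log and scan_pkgbuilds_for_npm at your AUR helper's clone directory (for example ~/.cache/yay or ~/.cache/paru); the npm pattern deliberately ignores npm listed as a dependency and only flags lines that run it.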
If you find it, treat the host as fully compromised. Rotate everything the stealer targets: GitHub and npm tokens, SSH keys, Vault tokens, Docker registry creds, VPN configs, and any session cookies. Given the rootkit component, reinstall from scratch rather than attempting cleanup — an eBPF-resident implant can survive normal remediation and there is no reliable way to trust the machine again from inside it.
Longer term: pin and read PKGBUILDs before installing (paru/yay both support diff review — actually read them), be suspicious of orphaned packages that suddenly get adopted, and keep AUR out of production build images entirely. Official repos plus a vendored, hash-checked toolchain is the boring answer, and the right one.
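One way to make "pin and read PKGBUILDs" mechanical, as an added example that is not from the article and is not how paru or yay implement their diff review: record a SHA-256 fingerprint of a package's PKGBUILD and .install files once a human has read them, and refuse to run makepkg if the fingerprint no longer matches, printing a diff of what changed. The per-package directory layout, the pin-file format (sha256sum output) and the function names are assumptions; the package files in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example: hash-pin reviewed PKGBUILD/.install files and block builds when they change.
# Not from the article or any AUR helper. Assumes <dir>/PKGBUILD plus optional <dir>/*.install,
# and pin files in sha256sum's "hash  filename" format (use "shasum -a 256" on macOS).
set -u

# Fingerprint the files that run as Bash at build/install time, sorted by file name.
pkg_fingerprint() {
  local dir="$1" f
  (
    cd "$dir" || exit 1
    for f in PKGBUILD *.install; do
      [ -f "$f" ] && sha256sum "$f"
    done | sort -k2
  )
}

# Record the current fingerprint; only call this after actually reading the files.
pin_pkg() {
  local dir="$1" pinfile="$2"
  pkg_fingerprint "$dir" >"$pinfile"
}

# 0 if the files match the pin, 1 if they changed (diff goes to stderr), 2 if never pinned.
verify_pkg() {
  local dir="$1" pinfile="$2" now
  if [ ! -f "$pinfile" ]; then
    echo "verify_pkg: no pin recorded for $dir; read the files, then pin_pkg" >&2
    return 2
  fi
  now="$(pkg_fingerprint "$dir")"
  if [ "$now" = "$(cat "$pinfile")" ]; then
    return 0
  fi
  echo "verify_pkg: PKGBUILD/.install content changed since last review in $dir" >&2
  printf '%s\n' "$now" | diff "$pinfile" - >&2 || true
  return 1
}

# Build only when the pinned review still holds; remaining arguments go to makepkg.
build_if_pinned() {
  local dir="$1" pinfile="$2"
  shift 2
  verify_pkg "$dir" "$pinfile" || return $?
  (cd "$dir" && makepkg "$@")
}

main() {
  local work
  work="$(mktemp -d)"
  mkdir "$work/example-pkg"
  # Constructed package: a plain PKGBUILD with no install hook.
  printf 'pkgname=example-pkg\npkgver=1.0\nbuild() {\n  make\n}\n' >"$work/example-pkg/PKGBUILD"
  echo "== reviewed and pinned =="
  pin_pkg "$work/example-pkg" "$work/example-pkg.pin"
  verify_pkg "$work/example-pkg" "$work/example-pkg.pin" && echo "ok: matches pin"
  echo "== an .install hook that runs npm appears after an update =="
  printf 'post_install() {\n  npm install -g atomic-lockfile\n}\n' >"$work/example-pkg/example-pkg.install"
  verify_pkg "$work/example-pkg" "$work/example-pkg.pin" || echo "blocked: re-read before building"
  rm -rf "$work"
}
main
```

The fingerprint deliberately covers only PKGBUILD and .install files, because those are the Bash that runs on your machine; source tarballs are already covered by the sha256sums array inside the PKGBUILD once you trust that file. A `pkgver` bump also trips the pin, which is the point: every change to the build script gets a pair of eyes before makepkg runs.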