
Arch AUR Breach Hits 400+ Packages with Rootkit and Credential Stealer
Over 400 Arch User Repository packages were compromised after a spoofed maintainer injected malicious post-install steps that install a rogue npm package (atomic-lockfile) containing a Linux ELF with an eBPF rootkit and credential-stealing capabilities. The malware targets developer data and tokens across tools like Slack, Teams, Discord, GitHub, Vault, and SSH, and can exfiltrate data via HTTP. Researchers from IFIN and Sonatype describe two attack methods: hijacking orphaned PKGBUILD files to run npm post-install, and abusing a trusted maintainer identity to push malicious commits. Arch is removing the malicious commits and banning accounts; affected users should review indicators of compromise, rotate credentials, and consider reinstalling Arch if compromised.
