
Arch Linux AUR Hit by Massive Malware Campaign Targeting 400+ Packages

In recent days, the AUR, Arch Linux's community package repository, has been hit by a malware distribution campaign: a large number of user-maintained packages received malicious commits that add an npm download of malware to the package build, so that it runs when the package is built and installed. Here is what we know about this security incident.

Bad news for Arch Linux users: the AUR (Arch User Repository) is affected by a major security incident. More than 400 packages were modified to pull in a rootkit and an infostealer at build time, and those modified packages were served to users. As a reminder, the AUR is a community repository that complements the official Arch Linux repositories, notably by providing tools that are not packaged there; its PKGBUILD scripts are written and maintained by users, not by Arch developers. The official Arch Linux repositories are not affected.

On June 11, 2026, the alert was posted to the Arch Linux "aur-general" mailing list, where a dedicated thread was opened to centralize the tracking of compromised packages. Suspicious changes had been spotted in package PKGBUILDs: npm commands unrelated to the original software had been added. The infection therefore happens while the package is being built for installation, when the PKGBUILD runs those commands and installs a malicious npm package, atomic-lockfile.

The same thread puts the count at around 408 affected packages, all with a command of the form "npm install atomic-lockfile …" added to their PKGBUILD build script. The AUR package alvr is a good example: a suspicious update introduced npm-related steps even though this software does not normally use that tool.

Who was behind these mass modifications? A newly registered maintainer impersonating a well-known publisher in order to get the poisoned packages accepted.

Atomic-lockfile: a data stealer with an eBPF rootkit

The independent researcher Whanos analyzed a sample of atomic-lockfile and found an ELF payload named deps inside it. The malware has two sides: an infostealer, combined with rootkit capabilities based on eBPF. The rootkit half can only be enabled with root privileges, since loading eBPF programs requires them; when it is enabled, it lets the malware hide its activity on the infected machine.

The target profile leaves little doubt about the attackers' intentions. According to Whanos: "It is designed for developer workstations and build environments. It targets browser data and Electron applications, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN hardware, shell histories, and other local developer secrets."

In practice, the malware goes after application data, GitHub credentials, SSH keys, and browser session cookies: a classic infostealer approach, with a few additions tailored to developers.

What precautions should you take?

On the AUR side, maintainers are working to identify and revert all malicious commits and to ban the accounts behind these uploads. A few days after the alert, it is reasonable to assume those steps have been taken, but that does not undo what already ran on machines that built a compromised package in the meantime.

In any case, be careful if you use Arch Linux and the AUR. The list of compromised packages is available in the AUR mailing list thread mentioned above, and a script published on GitHub detects the presence of the atomic-lockfile malware on a system by going through the list of installed packages. If one of the listed packages was built on your machine after the malicious commit, treat the secrets named above (SSH keys, GitHub and npm tokens, browser sessions, Vault and Docker credentials) as exposed and rotate them.
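As an added example for this article (it is not the GitHub script mentioned above, nor code from the AUR maintainers or the researcher), the following POSIX shell script shows what the injected PKGBUILD step looks like and how to sweep a machine for it: it greps locally cached PKGBUILDs for an npm/npx line that pulls atomic-lockfile, looks for the npm package itself under any node_modules directory, and can intersect the installed foreign packages with the mailing-list names. The two sample PKGBUILDs are constructed for the self-test, and the default scan directories are an assumption about where the yay and paru AUR helpers keep their clones.

```shell
#!/bin/sh
# Added example for this article (not the GitHub detection script the text
# refers to, and not code from the AUR or the researcher). Scans cached
# PKGBUILDs for the injected "npm install atomic-lockfile" step and looks
# for the npm package itself under any node_modules directory.
set -eu

# Pattern for the injected build step. Anything between the npm/npx
# subcommand and the package name is accepted, because the exact arguments
# vary between the malicious commits.
PATTERN='(npm|npx)[^#]*atomic-lockfile'

# Constructed PKGBUILD fragments used for a self-test: one clean, one with the
# injected step. Names and contents are invented for this example; they are
# not the real AUR files.
CLEAN_PKGBUILD='pkgname=example-clean
pkgver=1.0
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}'

INJECTED_PKGBUILD='pkgname=example-injected
pkgver=2.0
prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install atomic-lockfile --no-audit >/dev/null 2>&1 || true
}
build() {
  cargo build --release
}'

# scan_pkgbuild FILE: print the offending lines; 0 = suspicious, 1 = clean.
scan_pkgbuild() {
  if grep -nE "$PATTERN" "$1"; then
    return 0
  fi
  return 1
}

# scan_tree DIR...: report every PKGBUILD with the injected step and every
# unpacked copy of the npm package below each DIR. 0 = clean, 2 = findings.
scan_tree() {
  found=0
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    hits=$(find "$dir" -type f -name PKGBUILD -exec grep -lE "$PATTERN" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | sed 's/^/SUSPICIOUS PKGBUILD: /'
      found=1
    fi
    hits=$(find "$dir" -type d -path '*/node_modules/atomic-lockfile' 2>/dev/null || true)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | sed 's/^/SUSPICIOUS npm package: /'
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    return 0
  fi
  return 2
}

# check_installed LISTFILE: print installed foreign (AUR) packages whose names
# appear in LISTFILE, one name per line (e.g. the names from the aur-general
# thread). Needs pacman, so it is only meaningful on an Arch system.
check_installed() {
  pacman -Qmq | grep -Fxf "$1" || true
}

# Stand-alone use: ./aur-scan.sh [DIR...]. With no DIR, the clone caches of
# the yay and paru AUR helpers are scanned (an assumption about their
# defaults; pass the directory your helper uses if it differs).
if [ "$#" -gt 0 ]; then
  scan_tree "$@"
else
  scan_tree "${HOME:-}/.cache/yay" "${HOME:-}/.cache/paru"
fi
```

The script exits 2 when it finds something, so it can be dropped into a cron job or a CI step. A hit only proves the injected step was present on disk, not that it ran; conversely, an empty cache proves nothing if the helper already cleaned up, which is why check_installed, fed with the package names from the mailing-list thread, is the better indicator of what was actually built and installed on the machine.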

The AUR relies on user contributions, which makes it easier for attackers to publish malicious packages or to tamper with existing ones. This is not the first time the AUR has been targeted; I remember a campaign designed to deliver the Chaos RAT malware, but it was smaller than this one.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
