400+ Arch Linux AUR Packages Compromised to Push eBPF Rootkit and Infostealer
More than 400 packages in the Arch User Repository (AUR) have been compromised to distribute a Linux rootkit and infostealer malware designed to harvest developer credentials, access tokens, and session data, according to a report from the open-source intelligence community Independent Federated Intelligence Network (IFIN). The attacker is reportedly a newly registered maintainer spoofing a trusted publisher on the AUR platform, a community-driven catalog of PKGBUILD scripts that Arch Linux and Arch-based distributions rely on for bleeding-edge software, drivers, and kernel builds. Because AUR packages are not formally vetted, ownership changes and malicious post-install scripts can slip through unnoticed by end users.
The infection chain hinges on a malicious npm package called atomic-lockfile, which is fetched during the preinstall or post-install phase of the compromised packages. Independent researcher Whanos analyzed a sample of the payload and identified a Linux ELF binary named deps that functions as a credential stealer with optional root-only eBPF (extended Berkeley Packet Filter) rootkit capabilities. The malware specifically targets browser and Electron application stores, Slack tokens, Microsoft Teams credentials, Discord sessions, GitHub and npm tokens, HashiCorp Vault secrets, Docker and Podman configuration, SSH keys, VPN configuration material, and shell history files. The eBPF component allows the implant to operate inside the kernel with elevated privileges, enabling it to hide local processes, files, and network interfaces from the host system.
Supply-chain security firm Sonatype published a parallel report confirming a related campaign in which the threat actor hijacked at least 20 orphaned AUR packages and modified their PKGBUILD files to invoke npm and install atomic-lockfile at install time. Analysis of the resulting Linux binary showed clear references to an eBPF rootkit module, reinforcing the assessment that the operation is focused on long-term persistence on developer workstations and build environments. The dual reports from IFIN and Sonatype underscore a growing trend of npm-based malware being used as a delivery mechanism for native Linux payloads, and they highlight how maintainer impersonation combined with orphaned-package takeovers can produce widespread exposure within a single distribution community.
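The PKGBUILD change both reports describe, a build-time function that calls npm to pull in atomic-lockfile, is a pattern an operator can screen for before running makepkg. The script below is an added example, not code from IFIN, Sonatype or the AUR project: it extracts the shell functions of a PKGBUILD or .install file and flags lines that fetch or execute code outside the declared source=() array, plus checksum arrays set to SKIP. The embedded sample PKGBUILD is constructed for the demonstration; only its `npm install atomic-lockfile` line mirrors the reported technique, and the package name, version and URL are made up.

```python
"""Screen PKGBUILD / .install files for code fetched or executed at build time.

Added example, not code from the reports or the AUR project. It only reads
the text of the file; nothing is built or executed.
"""
import re
import sys

# Constructed sample. The `npm install atomic-lockfile` line mirrors the
# technique described in the reports; name, version and URL are made up.
SAMPLE_PKGBUILD = """\
# Maintainer: someone <someone@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
source=("https://example.invalid/example-tool-1.2.3.tar.gz")
sha256sums=('SKIP')

prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install atomic-lockfile
}

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# (regex, reason) pairs for commands that pull or run code outside source=().
RISKY = [
    (r"\bnpm\s+(?:install|i|ci|exec)\b", "npm fetches and runs packages at build time"),
    (r"\bnpx\b", "npx downloads and executes a package"),
    (r"\bpip3?\s+install\b", "pip fetches packages at build time"),
    (r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b", "pipes a download into a shell"),
    (r"\bgit\s+clone\b", "clones a repository outside source=()"),
    (r"\bbase64\s+(?:-d|--decode)\b", "decodes an embedded blob"),
]

FUNC_START = re.compile(r"^(\w+)\s*\(\)\s*\{\s*$")
SUMS_SKIP = re.compile(r"^\s*(?:md5|sha\d+|b2)sums=.*\bSKIP\b")


def extract_functions(text):
    """Map each top-level shell function (prepare, build, package,
    post_install, ...) to its (line number, line) pairs. Functions are
    assumed to open with `name() {` and close with a bare `}` at column 0,
    which is the style makepkg's own templates use."""
    funcs, current = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        start = FUNC_START.match(line)
        if start:
            current = start.group(1)
            funcs[current] = []
        elif current is not None:
            if line.rstrip() == "}":
                current = None
            else:
                funcs[current].append((n, line))
    return funcs


def audit_pkgbuild(text):
    """Return findings sorted by line: risky commands inside functions, and
    checksum arrays that disable verification with SKIP."""
    findings = []
    for name, lines in extract_functions(text).items():
        for n, line in lines:
            code = line.split("#", 1)[0]  # drop trailing comments (naive: also cuts a quoted '#')
            for pattern, reason in RISKY:
                if re.search(pattern, code):
                    findings.append({"function": name, "line": n,
                                     "text": line.strip(), "reason": reason})
    for n, line in enumerate(text.splitlines(), 1):
        # A SKIP on a continuation line of a multi-line array is not caught here.
        if SUMS_SKIP.match(line):
            findings.append({"function": "(top level)", "line": n,
                             "text": line.strip(),
                             "reason": "checksum verification disabled with SKIP"})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = [open(p).read() for p in paths] if paths else [SAMPLE_PKGBUILD]
    for label, text in zip(paths or ["<sample>"], texts):
        for f in audit_pkgbuild(text):
            print(f"{label}:{f['line']} [{f['function']}] {f['reason']}: {f['text']}")
```

Run it as `python audit_pkgbuild.py PKGBUILD *.install` inside the cloned AUR directory before building; with no arguments it audits the embedded sample and reports the npm call in prepare() and the SKIP checksum. The patterns are deliberately coarse: a hit is a prompt to read the function by hand, not a verdict, and legitimate packages (VCS builds, Node projects) will trigger some of them.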
Developers and system administrators running Arch-based distributions should immediately audit recently installed or updated AUR packages, review maintainer changes for any packages they trust, and rotate any credentials, tokens, and SSH keys present on systems that may have run an infected build. It is also worth verifying that no suspicious kernel modules or eBPF programs are loaded. Operators can use our free privacy checkup to review their overall exposure, run a password checker to evaluate the strength of stored credentials, and run a port scan to detect any unexpected listeners that a kernel-level rootkit may have masked. Until Arch upstream introduces stronger publisher verification for AUR, treating any PKGBUILD change as a potential supply-chain event remains the most reliable defensive posture.
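For the check on loaded eBPF programs, the following Python script is an added example and not from IFIN, Sonatype or any tool named above: it parses the JSON that `bpftool prog show --json` emits, skips program types that benign system components routinely load, and flags hook-capable programs (kprobe, tracepoint, tracing, LSM, XDP, tc) that have no visible owning process, are unnamed, or are owned by a process outside an allowlist the operator maintains. The embedded bpftool output, its ids, tags and names, and the allowlist are all constructed for the demonstration; `deps` appears as an owner only because that is the binary name IFIN's analysis reports.

```python
"""Triage loaded eBPF programs from `bpftool prog show --json` output.

Added example, not part of the reports. Run with --live (as root, with the
bpftool utility installed) to inspect the running kernel; otherwise the
constructed sample below is used.
"""
import json
import subprocess
import sys

# Program types that can observe or alter kernel and network behaviour, i.e.
# where a hiding implant would attach. Types such as cgroup_skb are loaded by
# systemd on ordinary hosts and are skipped here.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm",
              "xdp", "sched_cls", "sched_act"}

# Processes expected to own hook programs on this host. Constructed for the
# example; derive it from what is actually installed on the machine.
KNOWN_LOADERS = {"bpftrace", "systemd"}

# Constructed sample of bpftool's JSON output. Ids, tags and names are made up;
# "deps" is used as an owner because that is the binary name in IFIN's analysis.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 3, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530",
     "loaded_at": 1700000000, "uid": 0, "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 41, "type": "kprobe", "name": "kprobe_sched", "tag": "1fa5a4a7c9e2d8b0",
     "loaded_at": 1700003600, "uid": 0, "pids": [{"pid": 2231, "comm": "bpftrace"}]},
    {"id": 57, "type": "tracepoint", "name": "tp_1", "tag": "0c0d0e0f10111213",
     "loaded_at": 1700007200, "uid": 0, "pids": [{"pid": 2402, "comm": "deps"}]},
    {"id": 58, "type": "tracepoint", "name": "", "tag": "aabbccddeeff0011",
     "loaded_at": 1700007201, "uid": 0},
])


def sample_programs():
    """Parsed form of the constructed sample above."""
    return json.loads(SAMPLE_BPFTOOL_JSON)


def triage_programs(progs, known_loaders=KNOWN_LOADERS):
    """Return one finding per hook-capable program that has no visible owner,
    is unnamed, or is owned by a process not in known_loaders."""
    findings = []
    for prog in progs:
        ptype = prog.get("type", "")
        if ptype not in HOOK_TYPES:
            continue
        owners = sorted({p.get("comm", "?") for p in prog.get("pids", [])})
        reasons = []
        if not owners:
            reasons.append("no visible owning process (pinned to bpffs, or owner not shown)")
        elif not set(owners) <= set(known_loaders):
            reasons.append("loaded by unexpected process: " + ", ".join(owners))
        if not prog.get("name"):
            reasons.append("unnamed program")
        if reasons:
            findings.append({"id": prog.get("id"), "type": ptype,
                             "name": prog.get("name", ""), "owners": owners,
                             "reasons": reasons})
    return findings


def live_programs():
    """Query the running kernel; needs root and the bpftool utility."""
    out = subprocess.run(["bpftool", "prog", "show", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    progs = live_programs() if "--live" in sys.argv else sample_programs()
    for f in triage_programs(progs):
        print(f"prog id={f['id']} type={f['type']} name={f['name']!r} "
              f"owners={f['owners'] or '-'}: {'; '.join(f['reasons'])}")
```

On the sample this reports program 57 (owned by an unexpected process) and program 58 (ownerless and unnamed) and stays silent about systemd's cgroup program and the bpftrace probe. Two caveats: the `pids` field is only emitted by reasonably recent bpftool builds, so on older ones every program will show as ownerless; and bpftool asks the same kernel the implant runs in, so a clean result is worth confirming from a trusted boot medium on a host that has run a suspect build.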