Last updated: July 5, 2026 at 9:01 AM UTC

Over 400 Arch Linux AUR packages hijacked to drop stealer and rootkit

Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.

Check
List AUR packages installed or updated since June 9 and diff their PKGBUILD and install scripts, flagging any that invoke npm, pip, or cargo for no clear reason.
Affected
Arch Linux and Arch-based systems where AUR packages were installed or updated on or after June 9 via helpers like yay or paru; installs that ran as root are also exposed to the eBPF rootkit.
Fix
Remove affected packages and rotate all credentials, SSH keys, tokens, and wallets from the host. If a package ran as root, rebuild the machine; the rootkit makes in-place cleanup untrustworthy.
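
The flagging half of the Check step above, as an added example (not code from the original report): a POSIX shell scan of PKGBUILD and .install files modified since a given date, reporting lines that invoke npm, npx, pip or cargo or that name atomic-lockfile. The directory and date are supplied by the caller, the regular expressions are this example's own heuristics, and every match is a lead for manual review rather than a verdict.

```shell
#!/bin/sh
# Added example: flag AUR build recipes that call a language package manager.
# Usage (assumed layout; yay and paru keep their clones in a cache directory):
#   sh scan-recipes.sh <clone-dir> <YYYY>-06-09
# Requires GNU find (for -newermt), which is what Arch ships.

# npm/npx/pip/pip3/cargo used as a command word, or the package named in the report.
FETCH_RE='(^|[^[:alnum:]_./-])(npm|npx|pip3?|cargo)[[:space:]]+[[:alnum:]-]|atomic-lockfile'

# Lines to ignore in "file:line:text" output: comments and *depends=() arrays,
# where a tool name is a declared dependency and not an invocation.
SKIP_RE='^[^:]+:[0-9]+:[[:space:]]*(#|[a-z_0-9]*depends[a-z_0-9]*=)'

# scan_recipes DIR SINCE
#   Prints "file:line:text" for each suspicious line in PKGBUILD / *.install
#   files under DIR whose mtime is newer than SINCE.
#   Returns 0 if anything was flagged, non-zero otherwise.
scan_recipes() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -newermt "$2" \
        -exec grep -nHE -- "$FETCH_RE" {} + 2>/dev/null |
        grep -vE -- "$SKIP_RE"
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    if scan_recipes "$1" "$2"; then
        echo "Review the lines above against the package's upstream build steps." >&2
    else
        echo "No package-manager invocations found in recipes newer than $2." >&2
    fi
fi
```

A clean result only covers the files still on disk; a recipe that was rebuilt from a fresh clone and then deleted leaves nothing for this scan to read.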