Massive Supply Chain Attack Hits Arch Linux Repository

More than 400 packages in the Arch User Repository (AUR) have been compromised to distribute a Linux rootkit and infostealer malware, targeting developer credentials and access tokens. The attack, uncovered by the open-source intelligence community Independent Federated Intelligence Network (IFIN), represents a significant supply chain threat for organizations running Arch-based Linux environments.

What Is AUR and Why Does It Matter?

The Arch User Repository (AUR) is a community-maintained catalog of package build scripts used to install software not available in Arch Linux’s official repositories. It is considered essential infrastructure for Arch-based distributions, hosting proprietary applications, beta software, niche utilities, and legacy package versions.

However, AUR is not a vetted environment. Threat actors can exploit ownership changes in packages to inject malicious code — often without detection.

How the Attack Works

According to IFIN member Michael Taggart, the compromised packages contain modified preinstall scripts that download and execute a malicious npm package named atomic-lockfile. A new maintainer is actively spoofing a trusted publisher on the platform to push these infected packages.

Supply-chain security firm Sonatype independently confirmed the campaign, reporting that the threat actor also hijacked at least 20 orphaned AUR packages by modifying their PKGBUILD Bash scripts to invoke npm and retrieve atomic-lockfile during installation.
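Because the compromise lives in the build scripts themselves, one defensive check is to audit a PKGBUILD (and any `.install` hook file it references) before running `makepkg`, looking for package-manager or network calls inside build and install functions and for skipped checksums. The following scanner is an added example, not code from the article, IFIN or Sonatype; the two PKGBUILD texts it inspects are constructed for illustration, and the command watchlist is an assumption a team would tune to its own environment.

```python
"""Heuristic audit of AUR build scripts (added example, not from the article).

Flags (a) commands such as npm/curl/wget/eval inside PKGBUILD or .install
hook functions, where nothing should be fetched at build or install time,
and (b) checksum arrays that use 'SKIP', which disables source integrity
verification. Both sample scripts below are constructed, not real packages.
"""
import re

# Constructed watchlist of commands that have no business in a hook function
# unless the package explicitly documents them.
SUSPICIOUS = re.compile(r"\b(npm|npx|yarn|pnpm|pip|curl|wget|eval|nc|base64)\b")

# PKGBUILD functions plus the hooks a pacman .install file can define.
HOOK_FUNCS = {"prepare", "build", "package",
              "pre_install", "post_install", "pre_upgrade", "post_upgrade"}

FUNC_START = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{\s*$")
FUNC_END = re.compile(r"^\}\s*$")          # makepkg convention: '}' at column 0
CHECKSUM_SKIP = re.compile(r"\b(?:sha\d+|md5|b2)sums=\([^)]*\bSKIP\b")


def scan_hooks(text):
    """Return [(function, line_no, line)] for suspicious commands in hooks."""
    findings = []
    current = None
    for no, line in enumerate(text.splitlines(), 1):
        if current is None:
            m = FUNC_START.match(line)
            if m:
                current = m.group(1)
            continue
        if FUNC_END.match(line):
            current = None
            continue
        code = line.split("#", 1)[0]            # ignore trailing comments
        if current in HOOK_FUNCS and SUSPICIOUS.search(code):
            findings.append((current, no, line.strip()))
    return findings


def skips_checksums(text):
    """True when any *sums array contains SKIP (no integrity check)."""
    return CHECKSUM_SKIP.search(text) is not None


def audit(text):
    return {"hook_findings": scan_hooks(text),
            "checksums_skipped": skips_checksums(text)}


# Constructed PKGBUILD with a hidden dependency fetch in package().
SAMPLE_PKGBUILD = """\
# Maintainer: example <example@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
install=example-tool.install
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  # fetch that a legitimate build would not need
  npm install constructed-lockfile-package >/dev/null 2>&1
  make DESTDIR="$pkgdir" install
}
"""

# Constructed clean PKGBUILD: no hook findings, real (placeholder) checksum.
CLEAN_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('%s')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  make -C "$srcdir/$pkgname-$pkgver" DESTDIR="$pkgdir" install
}
""" % ("0" * 64)

if __name__ == "__main__":
    for label, txt in (("sample", SAMPLE_PKGBUILD), ("clean", CLEAN_PKGBUILD)):
        print(label, audit(txt))
```

Run it against the PKGBUILD directory a helper such as `yay` or `paru` leaves in its cache before building; a hit in `package()` or a `post_install` hook is exactly the pattern described above and warrants reading the diff against the previous revision rather than installing.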

A Dual-Threat Payload: Rootkit and Infostealer

Independent security researcher Whanos analyzed a sample of atomic-lockfile and identified a Linux ELF binary named deps — described as a “credential stealer with optional root-only eBPF rootkit capabilities.”

Using eBPF (extended Berkeley Packet Filter) technology, the malware can operate inside the kernel with elevated privileges, hiding local processes, files, and network interfaces from detection tools.

The malware is specifically engineered to target developer workstations and build environments. It actively harvests the following sensitive data:

Sonatype confirmed the binary also supports data archiving, multi-part file handling, and HTTP uploads — providing a complete exfiltration mechanism ready for operational use.

Response and Remediation

AUR maintainers are actively working to identify and remove all malicious commits and ban associated accounts. Arch Linux package maintainer Jonathan Grotelüschen has urged the community to report any suspicious packages immediately.

Affected users are strongly advised to take the following steps:

Key Takeaway for Security Leaders

This attack underscores the growing risk of open-source supply chain compromises in developer environments. Organizations relying on community-maintained repositories must enforce strict package vetting policies and monitor for unauthorized changes in build scripts.

As a baseline security practice, teams should only trust AUR packages with frequent updates and an active, verifiable community — and should treat any package change of ownership as a potential red flag.
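Treating an ownership change as a red flag only works if someone is recording who owned the package last time it was reviewed. The script below is an added example, not from the article: it compares a team's recorded baseline against package metadata in the shape of an aurweb RPC v5 `info` response (the field names `Name`, `Maintainer`, `Version` and `LastModified` are an assumption about that API; the response embedded here is constructed, not fetched) and reports maintainer changes, newly orphaned packages and modifications since the last review.

```python
"""Baseline comparison for AUR package ownership (added example).

A live run would fetch https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=NAME
for each package (assumed endpoint and field names); here the response is a
constructed JSON string so the check runs offline.
"""
import json

# Constructed baseline: what the team last reviewed and approved.
BASELINE = {
    "example-tool": {"Maintainer": "alice", "Version": "1.2.3-1",
                     "LastModified": 1700000000},
    "legacy-lib":   {"Maintainer": "carol", "Version": "0.4-3",
                     "LastModified": 1690000000},
    "other-util":   {"Maintainer": "bob",   "Version": "0.9-1",
                     "LastModified": 1700000100},
}

# Constructed response: one package changed hands and was modified, one was
# orphaned (Maintainer null), one is unchanged.
RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "example-tool", "Maintainer": "mallory",
         "Version": "1.2.3-2", "LastModified": 1700500000},
        {"Name": "legacy-lib", "Maintainer": None,
         "Version": "0.4-3", "LastModified": 1690000000},
        {"Name": "other-util", "Maintainer": "bob",
         "Version": "0.9-1", "LastModified": 1700000100},
    ],
})


def diff_against_baseline(baseline, rpc_json):
    """Return {package: [reasons]} for every package that needs a human look."""
    results = {r["Name"]: r for r in json.loads(rpc_json).get("results", [])}
    alerts = {}
    for name, known in baseline.items():
        cur = results.get(name)
        if cur is None:
            alerts[name] = ["package no longer present in AUR"]
            continue
        reasons = []
        maint = cur.get("Maintainer")
        if maint is None:
            reasons.append("package is orphaned (anyone can adopt it)")
        elif maint != known["Maintainer"]:
            reasons.append(f"maintainer changed {known['Maintainer']} -> {maint}")
        if cur.get("LastModified") != known["LastModified"]:
            reasons.append(f"modified since review (version {known['Version']} "
                           f"-> {cur.get('Version')}); re-read the PKGBUILD diff")
        if reasons:
            alerts[name] = reasons
    return alerts


if __name__ == "__main__":
    for pkg, why in diff_against_baseline(BASELINE, RPC_RESPONSE).items():
        print(pkg)
        for r in why:
            print("  -", r)
```

The baseline is deliberately a plain dictionary so it can be committed next to the team's package list; after each review the reviewer updates `Maintainer` and `LastModified` for the packages they read, and the next run is quiet until something changes.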
