ALERT: 400+ Arch Linux AUR Packages HIJACKED – Your SSH Keys, Tokens & Crypto Are Being STOLEN Right Now! + Video

By /

Listen to this Post

Featured Image

Introduction:

The Arch User Repository (AUR) is a community-driven goldmine for Arch Linux users, but its trust-based model has been weaponized. In the “Atomic Arch” campaign, attackers hijacked over 400 abandoned packages by adopting them and modifying their build scripts to inject a Rust-based credential stealer. This malware is designed to exfiltrate developer secrets, SSH keys, and browser tokens, and if run with root privileges, it deploys an eBPF rootkit for maximum stealth.

Learning Objectives:

  • Identify compromised AUR packages and understand the “Atomic Arch” supply chain attack vector.
  • Implement detection, mitigation, and remediation steps, including systemd persistence hunting and rootkit detection.
  • Harden your Linux environment against future repository-based attacks using PKGBUILD inspection and sandboxing techniques.

You Should Know:

  1. How the “Atomic Arch” Supply Chain Attack Worked
    This attack exploited the trust placed in package names rather than maintainers, setting a dangerous precedent for Linux repositories. It began when attackers, using the username arojas, systematically scoured the AUR for orphaned packages with inactive maintainers. After adopting these projects, they modified the `PKGBUILD` build scripts or `.install` hook files, inserting a command to execute `npm install atomic-lockfile` during the build process. This malicious npm package contained a preinstall hook that downloaded and executed a Linux ELF binary named deps, the primary credential stealer.

Step‑by‑step guide to understanding the infection chain:

1. Adoption: Attacker adopts an abandoned AUR package.

  1. Injection: The `PKGBUILD` is edited to include npm install atomic-lockfile.
  2. Execution: A user builds the package using a helper like `yay -S ` or manually with makepkg -si.
  3. Payload: The `deps` binary executes, stealing data from the user’s machine.

2. Detecting Compromised AUR Packages

If you have installed or updated any AUR packages on or after June 11, 2026, your system may be compromised. The best defense is proactive detection, which you can perform by scanning your system’s build logs and package cache for the tell-tale signs of the malicious npm packages.

Step‑by‑step guide to detection:

  1. Check for malicious install hooks: Search your `makepkg` logs and package caches for the exact malicious commands used in the attack. 
    grep -r "npm install atomic-lockfile" ~/.cache/yay/ /var/tmp/ ~/.cache/pikaur/ 2>/dev/null
grep -r "bun install js-digest" ~/.cache/yay/ /var/tmp/ 2>/dev/null
grep -r "src/hooks/deps" /var/log/ ~/.cache/ 2>/dev/null
  2. List all foreign packages: Generate a list of all explicitly installed AUR packages and cross-reference it with community-maintained blacklists. 
    pacman -Qqm > ~/aur_packages.txt
  3. Verify package integrity: Check the `PKGBUILD` for any recently adopted or updated packages. 
    For an installed AUR package, clone its source to inspect the build file
git clone https://aur.archlinux.org/<package-1ame>.git
cd <package-1ame>
cat PKGBUILD | grep -E "(npm|bun|curl|wget|install)"

  4. Malware Deep Dive: The ‘deps’ Stealer and eBPF Rootkit
    The payload is a sophisticated tool that prioritizes developer environments and cloud infrastructure. It uses multiple stages of evasion, starting with a simple credential harvester and escalating to a kernel-level rootkit if it detects it has root permissions. This dual nature makes it both a broad-spectrum threat and a targeted espionage tool.

What the malware does:

The `deps` binary, written in Rust, targets the following data:
– Browser Credentials: Cookies, saved logins, and local storage from Chrome, Edge, Brave, and Electron apps (Slack, Discord, Teams).
– Developer Secrets: SSH keys, known_hosts, GitHub, npm, and HashiCorp Vault tokens.
– Cloud & Infrastructure: Docker and Podman credentials, VPN profiles.
– Persistence & Exfiltration: It installs a `systemd` service for persistence and exfiltrates data via HTTP to temp.sh, using a Tor onion service for C2 communication.

4. Windows Commands for Cross-Platform Credential Rotation

While the primary attack targets Linux workstations, the stolen credentials (tokens, SSH keys, browser sessions) are often used to pivot to Windows-based cloud infrastructure or developer workstations. Compromised tokens, especially for CI/CD pipelines, can lead to cross-platform supply chain attacks. Therefore, rotating credentials on all platforms is critical.

Step‑by‑step guide to credential hygiene from a Windows admin perspective:
If you suspect a developer’s machine was used to exfiltrate cloud tokens, perform these actions immediately from a clean Windows admin environment.

1. Revoke GitHub and npm tokens via CLI:

 Install GitHub CLI first: winget install --id GitHub.cli
gh auth login
 List and revoke all tokens for a user
gh api /authorizations --jq '.[] | "(.id): (.note)"'
gh api -X DELETE /authorizations/<TOKEN_ID>

2. Rotate all active SSH keys (PowerShell):

 For each server in your inventory, use OpenSSH to remove the compromised key
ssh -o "BatchMode yes" user@server "sed -i '/COMPROMISED_KEY_PUBLIC_STRING/d' ~/.ssh/authorized_keys"

3. Clear browser sessions (Chromium-based) via script:

 Force logout of all web sessions by clearing local browser data via command line (example for Chrome)
Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Network\Cookies" | Remove-Item -Force

5. eBPF Rootkit Detection and Remediation

If the malware executed with root privileges, it deployed an eBPF rootkit. This rootkit is not used to gain root access; rather, it hides the malware’s processes, network connections, and files from standard system tools, making detection exceptionally difficult. The rootkit works by creating pinned BPF maps that filter system call outputs.

Step‑by‑step guide to detecting and removing the rootkit:

  1. Check for BPF maps in the virtual filesystem: 
    sudo ls -la /sys/fs/bpf/ | grep -E "(hidden_pids|hidden_names|hidden_inodes)"

    The presence of these specific maps is a strong indicator of the rootkit.

  2. Hunt for hidden processes: Use a BPF tool to list all processes, bypassing the rootkit’s hooks. 
    sudo bpftool prog list
sudo bpftool map list
  3. Remediation (Definitive): If the rootkit is confirmed, reinstall the operating system from trusted media. There is no reliable way to clean a system once a kernel-level rootkit has been loaded.

6. Hardening Builds with Sandboxing and Manual Reviews

The best mitigation is to eliminate the root cause: blind trust in build scripts. Implement mandatory manual review of `PKGBUILD` files and use sandboxing to constrain the build process. This approach treats every `PKGBUILD` as a potential threat.

Step‑by‑step guide to secure AUR usage:

  1. Always read the `PKGBUILD` first: Before running makepkg, inspect it for any external downloads (curl, wget), package manager calls (npm, pip, gem), or suspicious `install` commands.
  2. Use `makepkg` in a sandbox: Use `systemd-1spawn` or `firejail` to run the build in an isolated container, preventing any malware from accessing your real user data. 
    Example using firejail to build a package
firejail --1et=none --private=~/temp-build makepkg -si
  3. Block network access for builds: Disable network connectivity during the build process for any package that shouldn’t require internet access.

What Undercode Say:

  • The attack exploited a foundational weakness in the open-source trust model, proving that “orphaned” projects are high-value targets for supply chain compromise.
  • The use of an eBPF rootkit signals a significant escalation in Linux malware sophistication, moving beyond simple user-land stealers to kernel-level stealth.
  • Proactive credential rotation and host reimaging are the only safe remediation steps once the payload has executed; patching alone is insufficient.

Prediction:

  • -1 This attack will lead to a surge in similar “orphan adoption” campaigns across other Linux distributions and language-specific registries (PyPI, npm, RubyGems), as attackers realize the high return on investment.
  • +1 In response, we will likely see the adoption of mandatory two-person review and time-based activation delays for adopting orphaned packages in critical repositories, adding friction but enhancing security.
  • -1 For the foreseeable future, Developer workstations will remain a primary vector for enterprise compromise, forcing a shift toward immutable, ephemeral build environments and hardware-based secrets storage.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: