Over 400 Arch Linux AUR Packages Hijacked: Rust Infostealer and eBPF Rootkit Supply‑Chain Attack Analysis
In June 2026 attackers compromised more than 400 Arch Linux AUR packages by adopting orphaned packages and inserting a Rust‑based credential‑stealing trojan with an optional eBPF rootkit; the payload exfiltrates browser cookies, SSH keys, GitHub tokens and other secrets. This article walks through the attack chain, the payload's capabilities and persistence mechanisms, and gives blue‑team detection and remediation guidance.
1. Event Overview
On June 11, 2026 the threat actor began a large‑scale takeover of Arch Linux AUR packages. Initial detection by Sonatype identified more than 20 compromised packages; community analysis of the AUR git mirrors raised the count to roughly 408, and it was still growing at the time of writing. The first wave's PKGBUILDs pulled a rogue npm package, atomic-lockfile, into the build; a second wave used bun install js-digest to deliver an independent malicious ELF file. Packages such as alvr and premake-git were among those affected. The attacker abused the AUR model that lets any user "adopt" a long‑abandoned (orphaned) package, inheriting its name, its history and the community trust that comes with them.
2. Malicious Software Technical Analysis
2.1 Rust credential‑stealing trojan payload
Independent researcher Whanos reverse‑engineered the trojan and confirmed it targets developer workstations and build systems. It steals the following credentials:
Browser data: cookies, tokens and local storage from Chromium‑based browsers (Chrome, Edge, Brave) and Electron app sessions (Slack, Discord, Microsoft Teams).
Development tools: GitHub, npm and HashiCorp Vault tokens, as well as OpenAI/ChatGPT bearer tokens and account metadata.
System credentials: SSH keys, known_hosts, shell history, Docker and Podman credentials, and VPN configuration files.
Exfiltration is performed via HTTP to temp.sh; command‑and‑control traffic uses Tor onion services routed through a local loopback proxy.
2.2 Persistence mechanisms
The trojan implements two persistence layers:
Root‑level path: copies itself to /var/lib/ and writes a systemd unit under /etc/systemd/system/ with Restart=always.
User‑level path: uses the user’s home directory and a user‑systemd unit under ~/.config/systemd/user/.
2.3 Optional eBPF rootkit module
The eBPF component activates only when the binary already runs with root privileges. Its capabilities include:
BPF maps (hidden_pids, hidden_names, hidden_inodes) that hide its PIDs, process names and network socket inodes from user‑space tooling.
Anti‑debugging measures that block debugger attachment.
Because the rootkit operates at the kernel BPF layer, simply uninstalling the AUR package does not guarantee a clean system.
A second‑stage file linked to monero‑wallet‑gui was also observed, suggesting a possible cryptocurrency‑mining payload that has not yet been fully analyzed.
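The following script is an added example written for this page, not code from the article or from Whanos's report. It turns the artifacts described in 2.1 through 2.3 into three checks a responder can run: audit_units flags systemd units whose ExecStart points into /var/lib/, /home/ or /root/ and that carry Restart=always (the persistence shape in 2.2); check_bpf_maps greps a bpftool map list listing for the hidden_pids, hidden_names and hidden_inodes maps from 2.3; check_tor_loopback reads ss -tunap output and reports which process holds a connection into the loopback Tor ports used for C2 (2.1). The unit files, bpftool listing and ss output it runs on are constructed samples; the file names, process names and PIDs in them are made up.

```shell
#!/bin/sh
# Added example for this page (not code from the article or from Whanos's
# report). Three checks for the artifacts described in 2.1-2.3: systemd
# persistence units, the rootkit's BPF maps, and connections into the loopback
# Tor proxy. Every input below (unit files, bpftool listing, ss output) is a
# constructed sample; names and PIDs in them are made up.

# audit_units DIR... : print "<unit>: <reason>" for each unit whose ExecStart
# points into /var/lib/, /home/ or /root/ and that carries Restart=always.
audit_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            # first ExecStart= line, minus systemd's -/@/:/+/! prefix characters
            exec_start=$(sed -n 's/^ExecStart=[-@:+!]*//p' "$unit" | head -n 1)
            restart=$(sed -n 's/^Restart=//p' "$unit" | head -n 1)
            case "$exec_start" in
                */var/lib/*|*/home/*|*/root/*)
                    if [ "$restart" = "always" ]; then
                        printf '%s: ExecStart=%s with Restart=always\n' "$unit" "$exec_start"
                    fi
                    ;;
            esac
        done
    done
    return 0
}

# check_bpf_maps : read `bpftool map list` output on stdin and print the lines
# naming the rootkit's maps (pinned or not; /sys/fs/bpf/ lists only pinned ones).
check_bpf_maps() {
    grep -E 'name (hidden_pids|hidden_names|hidden_inodes)( |$)' || true
}

# check_tor_loopback : read `ss -tunap` output on stdin; print peer and owning
# process for every connection into the loopback Tor ports 9050-9052.
check_tor_loopback() {
    awk '$6 ~ /^127\.0\.0\.1:905[0-2]$/ { print $6, $7 }'
}

# demo : run all three checks over constructed samples.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/system" "$tmp/user"
    # constructed root-level unit in the shape described in 2.2
    printf '[Unit]\nDescription=System Update Helper\n[Service]\nExecStart=/var/lib/.update/helper --daemon\nRestart=always\n[Install]\nWantedBy=multi-user.target\n' \
        > "$tmp/system/update-helper.service"
    # constructed benign unit: binary under /usr, Restart=on-failure
    printf '[Unit]\nDescription=Name Service Cache Daemon\n[Service]\nExecStart=/usr/bin/nscd\nRestart=on-failure\n' \
        > "$tmp/system/nscd.service"
    # constructed user-level unit pointing into the home directory
    printf '[Service]\nExecStart=-/home/dev/.local/share/.sync/agent\nRestart=always\n' \
        > "$tmp/user/sync-agent.service"
    echo "== suspicious systemd units =="
    audit_units "$tmp/system" "$tmp/user"
    echo "== rootkit BPF maps =="
    # constructed lines in the layout of `bpftool map list` plain output
    printf '12: hash  name hidden_pids  flags 0x0\n13: hash  name hidden_inodes  flags 0x0\n14: array  name pkt_counters  flags 0x0\n' \
        | check_bpf_maps
    echo "== connections into the loopback Tor proxy =="
    # constructed `ss -tunap` lines: tor listening, one client of it, one unrelated socket
    printf 'Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process\ntcp   LISTEN 0      4096   127.0.0.1:9050      0.0.0.0:*         users:(("tor",pid=812,fd=6))\ntcp   ESTAB  0      0      127.0.0.1:41234     127.0.0.1:9050    users:(("helper",pid=4321,fd=7))\ntcp   ESTAB  0      0      192.168.1.20:55012  203.0.113.7:443   users:(("firefox",pid=2201,fd=99))\n' \
        | check_tor_loopback
    rm -rf "$tmp"
}

# Live host, as root: audit_units /etc/systemd/system "$HOME/.config/systemd/user"
#                     bpftool map list | check_bpf_maps ; ss -tunap | check_tor_loopback
demo
```

On a live host run it as root: audit_units /etc/systemd/system "$HOME/.config/systemd/user", then bpftool map list | check_bpf_maps and ss -tunap | check_tor_loopback. Two caveats: /sys/fs/bpf/ shows only pinned objects, which is why the map check reads bpftool's listing of every loaded map rather than that directory; and a BPF rootkit can in principle also tamper with what bpftool and ss report from the same kernel, so a clean result is evidence rather than proof, which is why section 3.3 still recommends reinstalling from trusted media.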
3. Blue‑Team Detection and Response Guide
3.1 Emergency investigation steps (MITRE ATT&CK T1195 Supply Chain Compromise, T1552 Unsecured Credentials, T1543.002 Systemd Service, T1014 Rootkit)
Step 1 – Identify affected hosts
If a system built or installed any AUR package on or after June 11, 2026, run the following checks:
# Check the AUR helper's build cache for the malicious npm/bun packages (yay shown; paru keeps its clones under ~/.cache/paru/clone/)
grep -r "atomic-lockfile" ~/.cache/yay/*/ 2>/dev/null
grep -r "js-digest" ~/.cache/yay/*/ 2>/dev/null
# Search build logs for the malicious install calls (point this at wherever your helper writes build output)
grep "npm install atomic-lockfile" /var/log/yay.log 2>/dev/null
grep "bun install js-digest" /var/log/yay.log 2>/dev/null
# List foreign packages (installed but not in any configured repository, i.e. AUR or hand‑built)
pacman -Qm > foreign_packages.txt
# Cross‑reference foreign_packages.txt with the community‑maintained list of hijacked packages
Step 2 – Detect credential compromise indicators
On any host identified as compromised, treat every credential the stealer targets (see 2.1) as exposed and rotate all of the following immediately:
Browser sessions (Chrome, Edge, Brave, etc.)
SSH keys (~/.ssh/)
GitHub and npm tokens
Slack, Discord, Teams sessions
HashiCorp Vault tokens
Docker and Podman credentials
VPN configuration files
OpenAI/ChatGPT API keys
Step 3 – Detect persistence and rootkit artifacts
# Check for unknown systemd services (system‑level); the trojan's unit carries Restart=always
systemctl list-unit-files --type=service | grep -v "^systemd\|^dbus"
ls -la /etc/systemd/system/ | grep -v "^d"
# Check for unknown user‑level services
ls -la ~/.config/systemd/user/
systemctl --user list-unit-files --type=service
# Look for files under /var/lib/ newer than the last pacman log entry
find /var/lib/ -type f -newer /var/log/pacman.log 2>/dev/null
# Detect eBPF rootkit map names: /sys/fs/bpf/ shows only pinned objects, so also
# list every loaded map with bpftool (requires root)
ls /sys/fs/bpf/ | grep -E "hidden_pids|hidden_names|hidden_inodes"
bpftool map list 2>/dev/null | grep -E "hidden_pids|hidden_names|hidden_inodes"
# Detect Tor C2 traffic: connections into the local loopback proxy ports (9050‑9052)
ss -tunap | grep -E "127\.0\.0\.1:905[0-2]"
# Detect exfiltration to temp.sh: with -n the tools print numeric addresses,
# so match the resolved IPs rather than the hostname
for ip in $(getent ahosts temp.sh | awk '{print $1}' | sort -u); do ss -tunap | grep -F "$ip"; done
3.2 Malicious sample indicators
SHA‑256 of the primary payload:
6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b
The full indicator set, including Tor onion addresses, is available in Whanos's analysis report (ioctl.fail).
3.3 Recovery recommendations
Disconnect the host from the network and reinstall from trusted media – the only reliable way to eradicate a rootkit loaded into the kernel through BPF, since the same kernel hooks can hide its artifacts from the tools used to look for them.
Regenerate all SSH key pairs (ssh-keygen -t ed25519 -C "Regenerated on 2026-06-15") and remove the old public keys from every authorized_keys file and hosting service where they were registered; a new key is worthless while the stolen one still grants access.
Revoke and recreate all external API tokens (GitHub PATs, npm tokens, Vault tokens, etc.), and review those services' audit logs for use of the old tokens since June 11.
3.4 Prevention measures
Read every PKGBUILD before building an AUR package; never build packages you do not understand.
Be wary of orphaned packages that are suddenly adopted after long periods of inactivity.
Monitor build logs for unexpected npm or bun invocations; an AUR build should not pull in dependencies the PKGBUILD does not declare, and a network fetch hidden in a prepare() function or .install hook deserves the same suspicion.
Use your AUR helper's review step instead of building blind: yay and paru both offer to show the PKGBUILD and its diff before building, and yay -G <pkg> or paru -G <pkg> fetches the build files without building them so they can be read first.
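As an added example (written for this page; not code from the article, from Sonatype or from any AUR helper), the script below implements the gates above as shell functions: audit_build_text scans a PKGBUILD, .install file or build log for package‑manager invocations and download‑and‑execute patterns an AUR build should not contain, covering both the build‑log search in 3.1 Step 1 and the pre‑build review in 3.4, and check_foreign_packages matches pacman -Qm output against a known‑malicious package list. The rule set is this example's own choice; the sample PKGBUILDs, package versions and list files are constructed, with only the package names alvr and premake-git and the strings atomic-lockfile and js-digest taken from the article.

```shell
#!/bin/sh
# Added example for this page (not code from the article, from Sonatype or
# from any AUR helper). A pre-build review gate for 3.4 that also performs the
# build-log search and package cross-reference from 3.1 Step 1. All sample
# files below are constructed; the rule set is this example's own choice.

# audit_build_text FILE : print "FILE:LINE:TEXT  [rule]" for every hit.
# Returns 1 when anything matched (hold the build for human review), else 0.
# Packages that genuinely build with npm will hit the npm rule; the reviewer
# then compares the hit against the package's declared dependencies.
audit_build_text() {
    file=$1
    found=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        label=${rule%%::*}
        regex=${rule#*::}
        hits=$(grep -nE "$regex" "$file" || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | while IFS= read -r hit; do
                printf '%s:%s  [%s]\n' "$file" "$hit" "$label"
            done
        fi
    done <<'RULES'
undeclared npm install::npm[[:space:]]+(install|i|add)[[:space:]]
undeclared bun install::bun[[:space:]]+(install|add)[[:space:]]
download piped to shell::(curl|wget)[^|]*\|[[:space:]]*(ba)?sh
inline base64 decode::base64[[:space:]]+(-d|--decode)
unit file written by build::(/etc/systemd/system/|\.config/systemd/user/)
RULES
    return $found
}

# check_foreign_packages QM_FILE BAD_LIST : QM_FILE is `pacman -Qm` output
# ("name version" per line), BAD_LIST has one package name per line. Prints
# the installed packages that are on the list; returns 1 if any, 0 if none.
check_foreign_packages() {
    matches=$(awk 'NR==FNR { bad[$1] = 1; next } ($1 in bad) { print $1, $2 }' "$2" "$1")
    if [ -z "$matches" ]; then
        return 0
    fi
    printf '%s\n' "$matches"
    return 1
}

# make_samples DIR : write the constructed inputs used by demo.
make_samples() {
    dir=$1
    # constructed PKGBUILD with a rogue npm step hidden in prepare(); the
    # package name and URL are placeholders, not the real hijacked package
    cat > "$dir/PKGBUILD" <<'EOF'
pkgname=example-tool-git
pkgver=1.2.3
pkgrel=1
source=("git+https://example.invalid/example-tool.git")
prepare() {
  cd "$srcdir/example-tool"
  npm install atomic-lockfile >/dev/null 2>&1 || true
}
build() {
  make -C "$srcdir/example-tool"
}
EOF
    # constructed clean PKGBUILD
    cat > "$dir/PKGBUILD.clean" <<'EOF'
pkgname=hello
build() { make; }
package() { make DESTDIR="$pkgdir" install; }
EOF
    # constructed `pacman -Qm` output; alvr and premake-git are named as
    # affected in the article, the versions here are made up
    printf 'alvr 20.11.1-1\nyay 12.3.5-1\npremake-git 5.0.0-1\n' > "$dir/foreign.txt"
    printf 'alvr\npremake-git\n' > "$dir/bad.txt"
}

demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "== PKGBUILD review =="
    audit_build_text "$tmp/PKGBUILD" || echo "-> hold for review"
    audit_build_text "$tmp/PKGBUILD.clean" && echo "-> PKGBUILD.clean: no findings"
    echo "== foreign packages on the known-malicious list =="
    check_foreign_packages "$tmp/foreign.txt" "$tmp/bad.txt" || echo "-> rotate credentials and follow 3.3"
    rm -rf "$tmp"
}

# Real use: audit_build_text ./PKGBUILD; for f in ./*.install; do audit_build_text "$f"; done
#           pacman -Qm > foreign.txt; check_foreign_packages foreign.txt hijacked-list.txt
demo
```

A non‑zero return from audit_build_text means hold for human review, not automatic rejection: a package that genuinely ships a Node application will hit the npm rule, and the reviewer's job is to confirm the invocation matches the declared dependencies rather than pulling in something like atomic-lockfile. The same function works on a saved build log, which is what the Step 1 grep commands do by hand.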
4. Conclusion
The "Atomic Arch" supply‑chain attack (Sonatype tracking ID Sonatype‑2026‑003775, CVSS 8.7) exposes a fundamental weakness: the AUR trust model relies on package name and history while ignoring the current maintainer’s identity. By adopting orphaned packages, the attacker inherited extensive historical trust without resistance.
For defenders, the key takeaway is that supply‑chain security must extend beyond official upstream repositories to community‑maintained package ecosystems. Pre‑build code review of the PKGBUILD and .install hooks, combined with post‑build behavioral monitoring, are the essential security gates.
References
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit – The Hacker News (2026‑06‑15)
Preliminary Analysis of AUR Malware – Whanos
Atomic Arch Campaign – Sonatype
AUR General Mailing List Thread – Arch Linux