TechOptima Ignite
TechOptima Solutions (636) 777-7702

ArchLinux User Repository Compromised with Rootkits and Infostealers

June 16, 2026

The Arch Linux Repository (AUR) was found to have been compromised with more than 400 instances of Linux rootkit and infostealer malware. The infostealer targets credentials and access tokens. Last Thursday, the site “ioctl.fail” posted their analysis of the infiltration campaign. This sample was recovered from a supply-chain compromise involving an Arch User Repository (AUR) package build flow.

The Arch Linux User Repository (AUR) suffered a major supply-chain compromise affecting more than 400 packages, which were found to contain a Linux ELF malware sample named “deps”. This malware functions as a credential stealer with optional root-only eBPF rootkit capabilities, specifically designed for developer workstations and build environments. It was delivered via a malicious npm package masquerading as atomic-lockfile version 1.4.2, which used a preinstall lifecycle hook to execute the payload automatically during installation.

Static reverse engineering by ioctl.fail revealed that the malware installs persistence through systemd services, enforces single-instance execution, and targets a vast array of sensitive data. This includes Chromium-family browser profiles and cookies, Electron apps like Slack, Microsoft Teams, and Discord, as well as GitHub, npm, OpenAI tokens, SSH keys, Docker/Podman credentials, VPN profiles, Vault tokens, and shell histories. Stolen information is uploaded to temp.sh and exfiltrated to a Tor onion C2 endpoint via a local loopback/SOCKS transport, which can be hidden using eBPF if available.

The attack path involved modifying AUR build steps to pull in the malicious npm package containing the stripped Rust-based ELF binary. No dynamic execution was performed during analysis; instead, function names were assigned based on decompiled behavior. The malware can also include a downloader/stager path and queries various APIs with stolen tokens for enrichment.

This incident underscores the growing threat of infostealers that prioritize pivoting to higher-value targets via compromised developer credentials rather than the initial victim. Developers are strongly advised to exercise extreme caution with AUR packages and third-party dependencies to avoid such infections.

Tags: SECURITY | ARCHLINUX | MALWARE | SUPPLY CHAIN

Source: sn-1083-notes.pdf

← Back to Blog