The Arch Linux User Repository (AUR) suffered a major supply-chain compromise affecting more than 400 packages, which were found to contain a Linux ELF malware sample named “deps”. This malware functions as a credential stealer with optional root-only eBPF rootkit capabilities, specifically designed for developer workstations and build environments. It was delivered via a malicious npm package masquerading as atomic-lockfile version 1.4.2, which used a preinstall lifecycle hook to execute the payload automatically during installation.
Static reverse engineering by ioctl.fail revealed that the malware installs persistence through systemd services, enforces single-instance execution, and targets a vast array of sensitive data. This includes Chromium-family browser profiles and cookies, Electron apps like Slack, Microsoft Teams, and Discord, as well as GitHub, npm, OpenAI tokens, SSH keys, Docker/Podman credentials, VPN profiles, Vault tokens, and shell histories. Stolen information is uploaded to temp.sh and exfiltrated to a Tor onion C2 endpoint via a local loopback/SOCKS transport, which can be hidden using eBPF if available.
The attack path involved modifying AUR build steps to pull in the malicious npm package containing the stripped Rust-based ELF binary. No dynamic execution was performed during analysis; instead, function names were assigned based on decompiled behavior. The malware can also include a downloader/stager path and queries various APIs with stolen tokens for enrichment.
This incident underscores the growing threat of infostealers that prioritize pivoting to higher-value targets via compromised developer credentials rather than the initial victim. Developers are strongly advised to exercise extreme caution with AUR packages and third-party dependencies to avoid such infections.