Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score: 30
1 unique source, 1 article

Summary

More than 400 AUR packages are now distributing the atomic-lockfile Linux rootkit and infostealer, putting credentials and access tokens at risk across Arch Linux developer environments. The malware is arriving through compromised package install paths, including preinstall and post-install scripts, and can support eBPF rootkit stealth features. The payload targets developer secrets such as GitHub, SSH, Vault, and chat-app data.

Related Happenings

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score: 3 · First: 12.06.2026 22:24 · Last: 12.06.2026 22:24 · Sources: 1

About this happening: The **deps** Rust stealer is being delivered through hijacked **Arch User Repository (AUR)** build scripts, putting **developer secrets**, **SSH keys**, and **session tokens** at...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score: 11 · First: 12.06.2026 20:03 · Last: 12.06.2026 20:03 · Sources: 1

How related: Supply-chain management company Sonatype also published a report on a campaign targeting the AUR repository and delivering the malicious atomic-lockfile npm package, but using a different method.

About this happening: An active **AUR package-hijacking campaign** is distributing **atomic-lockfile** through **more than 400** Arch User Repository packages, turning the **AUR** build path into a sup...

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score: 22 · First: 08.06.2026 23:41 · Last: 08.06.2026 23:41 · Sources: 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score: 15 · First: 04.06.2026 18:25 · Last: 04.06.2026 18:25 · Sources: 1

About this happening: **IronWorm** is a **Rust** infostealer in an **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score: 26 · First: 02.06.2026 00:38 · Last: 02.06.2026 00:38 · Sources: 1

About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Timeline

  1. 12.06.2026 20:03 · 2 articles

    AUR packages distribute atomic-lockfile rootkit and infostealer

    Initial Disclosure

    More than 400 packages in the Arch User Repository are distributing a Linux rootkit and infostealer through spoofed maintainer activity and malicious install scripts. The compromised packages download and execute atomic-lockfile, and one sample includes a Linux ELF payload named deps with optional root-only eBPF rootkit capabilities that can hide local processes while stealing developer credentials, access tokens, browser and Electron data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, and shell histories.
