AUR package-hijacking campaign delivering atomic-lockfile
Campaign
Summary
An active AUR package-hijacking campaign is distributing atomic-lockfile through more than 400 Arch User Repository packages, turning the AUR build path into a supply-chain route for credential theft and optional eBPF rootkit deployment. Attackers used orphaned packages, spoofed maintainer metadata, and altered PKGBUILD or .install scripts to run npm install atomic-lockfile during builds; confirmed examples include alvr and premake-git. The payload is a Rust stealer that targets developer secrets such as browser sessions, SSH keys, GitHub and npm tokens, HashiCorp Vault tokens, and desktop app session data, and it can also hide itself when it gains root. Users who installed or updated AUR packages on or after June 11 were told to check against known-bad package lists, rotate exposed credentials, and treat affected hosts as compromised if the package ran.
Related Happenings
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score: 3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources: 1
How related:
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.
About this happening:
The **deps** Rust stealer is being delivered through hijacked **Arch User Repository (AUR)** build scripts, putting **developer secrets**, **SSH keys**, and **session tokens** at...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score: 30
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources: 1
How related:
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.
About this happening:
More than **400 AUR packages** are now distributing the **atomic-lockfile** **Linux rootkit and infostealer**, putting **credentials** and **access tokens** at risk across **Arch...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score: 34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources: 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score: 22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources: 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score: 15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources: 1
About this happening:
**IronWorm** is a **Rust** infostealer in an **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Timeline
12.06.2026 20:03 3 articles · 2h ago
AUR package-hijacking campaign pushes atomic-lockfile rootkit and infostealer
Initial Disclosure: Independent Federated Intelligence Network (IFIN) and Sonatype describe an active supply-chain compromise in the Arch User Repository (AUR) in which a spoofed maintainer and hijacked orphaned packages use preinstall and post-install scripts to invoke npm and install atomic-lockfile, a Linux rootkit and infostealer that targets developer credentials, access tokens, and local secrets. One sample includes a Linux ELF payload named deps with optional root-only eBPF rootkit capabilities. Arch Linux maintainers are removing malicious commits while urging users to review affected packages, check indicators of compromise, rotate credentials, and reinstall Arch from scratch if compromise is found.
- Over 400 Arch Linux packages compromised to push rootkit, infostealer — www.bleepingcomputer.com — 12.06.2026 20:03
- 400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer — thehackernews.com — 12.06.2026 22:24
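
The summary and the timeline entry both describe altered PKGBUILD and .install scripts that invoke npm to install atomic-lockfile. The script below is an added triage example, not code from the cited reports or from Arch Linux: it scans a directory of AUR package checkouts and reports any build file that names atomic-lockfile, plus any .install scriptlet that calls a JavaScript package manager. The function names, the REVIEW heuristic and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: triage AUR build directories for the pattern in this campaign.
# KNOWN-BAD = line names atomic-lockfile (the package named on this page).
# REVIEW    = a .install scriptlet (run as root by pacman) calls a JS package
#             manager; a heuristic chosen for this example, not a published rule.

scan_file() {
    # $1 = file to scan, $2 = 1 if the file is a pacman .install scriptlet
    awk -v hook="$2" '
        /atomic-lockfile/ {
            printf "KNOWN-BAD\t%s:%d\t%s\n", FILENAME, FNR, $0
            next
        }
        # Skip comment lines, then look for the tool name as a whole word.
        hook == 1 && $0 !~ /^[ \t]*#/ &&
        (" " $0) ~ /[^A-Za-z0-9_-](npm|npx|pnpm|yarn|bun)[ \t]/ {
            printf "REVIEW\t%s:%d\t%s\n", FILENAME, FNR, $0
        }
    ' "$1"
}

scan_aur_tree() {
    # $1 = directory holding one sub-directory per AUR package checkout
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) -print |
    while IFS= read -r f; do
        case $f in
            *.install) hook=1 ;;
            *)         hook=0 ;;
        esac
        scan_file "$f" "$hook"
    done
}

# Constructed sample tree (hypothetical packages, not real AUR contents).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
mkdir -p "$sample/pkg-a" "$sample/pkg-b" "$sample/pkg-c"
printf '%s\n' 'pkgname=pkg-a' 'build() {' '  npm install atomic-lockfile' '}' \
    > "$sample/pkg-a/PKGBUILD"
printf '%s\n' 'post_install() {' '  npm install --silent some-helper' '}' \
    > "$sample/pkg-b/pkg-b.install"
printf '%s\n' 'pkgname=pkg-c' 'build() {' '  make' '}' \
    > "$sample/pkg-c/PKGBUILD"

scan_aur_tree "$sample"
```

To use it on a real host, call `scan_aur_tree` on the directory your AUR helper clones packages into. A clean result only means these two patterns were not found in the files still on disk, so it does not replace the known-bad package lists mentioned above.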