In addition:

Atomic #arch campaign: 1,500 AUR packages hijacked with an #infostealer and an eBPF #rootkit
https://cryptolab.re/posts/2026/atomic-arch-aur-attack/
#linux.

cc @9x0rg

Atomic Arch campaign: 1,500 AUR packages hijacked with an infostealer and an eBPF rootkit

Analysis of the Atomic Arch attack against Arch Linux's AUR: mass adoption of orphaned packages, injection of malicious npm dependencies, a credential stealer written in Rust and an eBPF rootkit. Steps to check whether you are exposed.

Cryptolab

Dear Arch users (and users of Arch-based distros such as Manjaro, CachyOS, EndeavourOS, etc.), a little present has been delivered to your AUR:

https://ioctl.fail/preliminary-analysis-of-aur-malware/

TL;DR: malware has been added to ~400+ AUR packages (the ones known so far) that steals credentials and comes with a built-in rootkit.
If you updated from the AUR recently (in the last few days) without reading the package sources, you should be worried.

Here is the list of packages known so far:
https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

@rf
#Linux #Arch #AUR #security #malware #rootkit #news

Preliminary analysis of AUR malware

this report was very quickly thrown together by Codex, but it should be enough to at least convey any important information. Malware Analysis Report: deps Scope This report covers static reverse engineering of the Linux ELF sample named deps and static review of the recovered npm package under "atomic-lockfile". The

ioctl.fail

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.

BleepingComputer

Malware Exploits Arch Linux Packages to Spread Rootkit, Infostealer

Over 400 Arch Linux packages were compromised in a shocking discovery, distributing a sneaky Linux rootkit and infostealer to unsuspecting users through the Arch User Repository (AUR). A cleverly spoofed maintainer account was used to modify the packages and download malicious code.

https://osintsights.com/malware-exploits-arch-linux-packages-to-spread-rootkit-infostealer?utm_source=mastodon&utm_medium=social

#LinuxMalware #ArchLinux #Rootkit #Infostealer #Aur

Malware Exploits Arch Linux Packages to Spread Rootkit, Infostealer

Learn how malware exploits Arch Linux packages to spread rootkits and infostealers, and take action now to protect your system from these threats effectively today.

OSINTSights

Only two days ago I installed #Manuskript, and a culprit was already hidden inside it. The #bash script exposed it. A first check did not reveal that the actual #Backdoor had already been downloaded and was active. I then wanted to make sure with #ClamAV, but the installation is far too complicated for me. I fail miserably at it.

It is a shame to have to do without security because using it is made as difficult as possible.

#Arch #Linux #ArchLinux #AUR #Rootkit

https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577

400+ AUR Packages Compromised with Infostealer and Rootkit

Last Updated: 2026-06-12T04:22:42Z (UTC) What’s Happening It appears an AUR package maintainer’s account (arojas) was compromised. The maintainer’s account had write access to over 400 package repos. The compromise was reported and other AUR maintainers have been working to remove the infected packages. The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload. Here’s an example of the change: This blog has a deep d...

IFIN

OrBit Linux Rootkit Steals SSH and Sudo Credentials

Pulse ID: 6a0b237476e799a5e7a48b8e
Pulse Link: https://otx.alienvault.com/pulse/6a0b237476e799a5e7a48b8e
Pulse Author: cryptocti
Created: 2026-05-18 14:34:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Linux #OTX #OpenThreatExchange #Rootkit #SSH #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

QLNX: New Remote Access Trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system, but a supply chain attack tool that is difficult to detect and remove.

https://www.heise.de/en/news/QLNX-New-Remote-Access-Trojan-targets-Linux-developers-11286275.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#DevOps #IT #Linux #Malware #Rootkit #Security #Trojaner #news

QLNX: New Remote Access Trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system, but a supply chain attack tool that is difficult to detect and remove.

heise online

QLNX: New remote access trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system but a supply-chain attack tool that is hard to detect and remove.

https://www.heise.de/news/QLNX-Neuer-Remote-Access-Trojaner-zielt-auf-Linux-Entwickler-11285654.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#DevOps #IT #Linux #Malware #Rootkit #Security #Trojaner #news

QLNX: New remote access trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system but a supply-chain attack tool that is hard to detect and remove.

heise online

@buffyleigh @jepyang Those were the days, when Sony tried slipping their #rootkit into their CDs and everybody was like FUCK NO! And they had to back off because nobody was buying that shit.