Attackers Hijack AUR Packages to Deliver Rootkit and InfoStealer Malware

Pulse ID: 6a37ef60c2e6c18bc1097c48
Pulse Link: https://otx.alienvault.com/pulse/6a37ef60c2e6c18bc1097c48
Pulse Author: cryptocti
Created: 2026-06-21 14:04:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Rootkit #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Has your PC been infected by a virus? Here's how to remove it for free with the best free tools

Slow PC or strange behaviour? It might have a virus. Find out how to remove it for free with Sophos, Malwarebytes and Kaspersky KVRT.

https://ticonsigliotech.com/2026/06/19/il-tuo-pc-e-stato-infettato-da-un-virus-ecco-come-rimuoverlo-gratis-con-i-migliori-strumenti-gratuiti/

Don't be afraid of the #rootkit bit of the malicious bonus material that shipped with some #ArchLinux #AUR packages recently; it is not really hard to detect in a generic way.

In the past few months I had been doing some research on #Linux #rootkits and figured out some techniques I hadn't seen implemented before. Since existing tools seemed inadequate for hunting for rootkits in large, diverse environments, I wrote rk-expose which compiles to a smallish (<1MB) static binary. It comes with lots of well-known and some novel rootkit detection techniques – and detects the malware distributed with the "atomic arch" campaign using its "ps-diff" command out of the box.

rk-expose

Expose Linux rootkits

Codeberg.org
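The "ps-diff" idea mentioned in the post above rests on a generic observation: a process-hiding rootkit usually tampers with one enumeration path (typically the readdir() results on /proc that ps and ls rely on) but rarely with every path that leaks the same information. Comparing independent views of the process table therefore exposes the hidden PID. The script below is an added example written for this page; it is not rk-expose's own code and does not reproduce its implementation. It assumes a standard Linux /proc layout (the `/proc/<pid>` directories, `/proc/<pid>/status` with a `PPid:` line, and `/proc/sys/kernel/pid_max`), and the comparison step is kept as a pure function so it can be checked against constructed input.

```python
"""Minimal ps-diff style hidden-process check (added example, not rk-expose code).

Three views of the process table are collected and cross-checked:
  1. readdir() on /proc              -- what ps / ls /proc see
  2. stat() of every /proc/<pid>     -- bypasses readdir() filtering
  3. PPid references in /proc/<pid>/status of visible processes
A PID present in view 2 or 3 but absent from view 1 is a hiding candidate.
"""
import os

PROC = "/proc"  # assumption: standard Linux procfs mount point


def pids_from_readdir(proc=PROC):
    """View 1: PIDs as returned by readdir() on /proc."""
    try:
        return {int(name) for name in os.listdir(proc) if name.isdigit()}
    except OSError:
        return set()  # no procfs (non-Linux); nothing to compare


def pids_from_probe(proc=PROC, max_pid=None):
    """View 2: stat() every /proc/<pid> directly, 1..pid_max.

    A rootkit that only filters readdir() output leaves these lookups intact.
    Bounded by kernel.pid_max so the scan completes in seconds.
    """
    if max_pid is None:
        try:
            with open(f"{proc}/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # conservative fallback if pid_max is unreadable
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}")
        except FileNotFoundError:
            continue
        except OSError:
            pass  # e.g. EACCES still proves the directory exists
        found.add(pid)
    return found


def ppid_references(proc=PROC, visible=None):
    """View 3: parent PIDs named by visible processes.

    A hidden process that has visible children is revealed by their PPid field.
    """
    visible = pids_from_readdir(proc) if visible is None else visible
    parents = set()
    for pid in visible:
        try:
            with open(f"{proc}/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("PPid:"):
                        parents.add(int(line.split()[1]))
                        break
        except (OSError, ValueError, IndexError):
            continue  # process exited mid-scan or malformed line
    parents.discard(0)  # kernel threads report PPid 0; not a real process
    return parents


def diff_views(readdir_pids, probe_pids, parent_pids):
    """Pure comparison step: {pid: [evidence, ...]} for PIDs that some view
    knows about but readdir() does not."""
    suspects = {}
    for pid in probe_pids - readdir_pids:
        suspects.setdefault(pid, []).append("stat(/proc/<pid>) ok but missing from readdir")
    for pid in parent_pids - readdir_pids:
        suspects.setdefault(pid, []).append("referenced as PPid but missing from readdir")
    return suspects


def scan(proc=PROC, max_pid=None):
    """Collect all three views, diff them, then re-confirm each suspect to
    drop processes that merely started or exited during the scan."""
    seen = pids_from_readdir(proc)
    probed = pids_from_probe(proc, max_pid)
    parents = ppid_references(proc, seen)
    suspects = diff_views(seen, probed, parents)
    seen_again = pids_from_readdir(proc)
    confirmed = {}
    for pid, evidence in suspects.items():
        if pid in seen_again:
            continue  # appeared in readdir after all: a race, not hiding
        if not os.path.exists(f"{proc}/{pid}"):
            continue  # already gone: exited during the scan
        confirmed[pid] = evidence
    return confirmed


if __name__ == "__main__":
    hidden = scan()
    if not hidden:
        print("no hidden PIDs found across readdir / stat / PPid views")
    for pid, evidence in sorted(hidden.items()):
        print(f"PID {pid}: " + "; ".join(evidence))
```

Run it as root on a suspect host so that `/proc/<pid>/status` of every process is readable; an empty result only means that none of these three views disagree, so a rootkit that hooks all of them consistently (or an eBPF-based one filtering at a different layer) will need additional views, which is exactly why a dedicated tool combines many more techniques than these three.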

In addition:

Atomic #arch campaign: 1,500 AUR packages hijacked with an #infostealer and an eBPF #rootkit
https://cryptolab.re/posts/2026/atomic-arch-aur-attack/
#linux.

cc @9x0rg

Atomic Arch campaign: 1,500 AUR packages hijacked with an infostealer and an eBPF rootkit

Analysis of the Atomic Arch attack against Arch Linux's AUR: mass adoption of orphaned packages, injection of malicious npm dependencies, a credential stealer written in Rust and an eBPF rootkit. Steps to check whether you are exposed.

Cryptolab

Dear Arch users (and users of Arch-based distros such as Manjaro, CachyOS, EndeavourOS, etc.), some "goodies" have been delivered to you in the AUR:

https://ioctl.fail/preliminary-analysis-of-aur-malware/

TL;DR: malware that steals credentials and has a built-in rootkit was added to ~400+ AUR packages (the ones known so far).
If you updated from the AUR recently (within the last few days) without reading the package sources, you should be worried.

Here is a list of the packages known so far:
https://lists.archlinux.org/archives/list/[email protected]/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

@rf
#Linux #Arch #AUR #security #malware #rootkit #news

Preliminary analysis of AUR malware

This report was very quickly thrown together by Codex, but it should be enough to at least convey any important information. Malware Analysis Report: deps Scope This report covers static reverse engineering of the Linux ELF sample named deps and static review of the recovered npm package under "atomic-lockfile". The

ioctl.fail

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.

BleepingComputer

Malware Exploits Arch Linux Packages to Spread Rootkit, Infostealer

Over 400 Arch Linux packages were compromised in a shocking discovery, distributing a sneaky Linux rootkit and infostealer to unsuspecting users through the Arch User Repository (AUR). A cleverly spoofed maintainer account was used to modify the packages and download malicious code.

https://osintsights.com/malware-exploits-arch-linux-packages-to-spread-rootkit-infostealer?utm_source=mastodon&utm_medium=social

#LinuxMalware #ArchLinux #Rootkit #Infostealer #Aur

Malware Exploits Arch Linux Packages to Spread Rootkit, Infostealer

Learn how malware exploits Arch Linux packages to spread rootkits and infostealers, and take action now to protect your system from these threats effectively today.

OSINTSights

Installed #Manuskript just two days ago, and a culprit was already hidden inside. The #bash script exposed it. An initial check did not reveal that the actual #Backdoor had already been downloaded and was active. I wanted to make sure with #ClamAV, but the installation is far too complicated for me. I fail miserably at it.

It's a real shame to go without security because using it is made as hard as possible.

#Arch #Linux #ArchLinux #AUR #Rootkit

https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577

400+ AUR Packages Compromised with Infostealer and Rootkit

Last Updated: 2026-06-12T04:22:42Z (UTC) What’s Happening It appears an AUR package maintainer’s account (arojas) was compromised. The maintainer’s account had write access to over 400 package repos. The compromise was reported and other AUR maintainers have been working to remove the infected packages. The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload. Here’s an example of the change: This blog has a deep d...

IFIN

QLNX: New Remote Access Trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system, but a supply chain attack tool that is difficult to detect and remove.

https://www.heise.de/en/news/QLNX-New-Remote-Access-Trojan-targets-Linux-developers-11286275.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#DevOps #IT #Linux #Malware #Rootkit #Security #Trojaner #news

QLNX: New Remote Access Trojan targets Linux developers

Quasar Linux (QLNX) is not an operating system, but a supply chain attack tool that is difficult to detect and remove.

heise online