400+ Arch User Repository packages have been compromised in a massive, sophisticated supply chain attack, including a rootkit installation.

https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577

#ThreatIntel #ThreatIntelligence #IFIN

400+ AUR Packages Compromised with Infostealer and Rootkit

Last Updated: 2026-06-12T04:22:42Z (UTC)

What’s Happening

It appears an AUR package maintainer’s account (arojas) was compromised. The maintainer’s account had write access to over 400 package repos. The compromise was reported and other AUR maintainers have been working to remove the infected packages. The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload. Here’s an example of the change: This blog has a deep d...

IFIN
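As an added example that is not part of the original thread or the linked write-up: a heuristic check a defender could run over a package's pacman `.install` script to flag hooks that invoke a JavaScript package manager, the behaviour the summary above describes. It assumes the "preinstall scripts" are pacman install hooks such as `pre_install()`; the sample scripts and the function names are constructed for illustration.

```python
import re

# pacman .install hook functions; they run as root around install/upgrade/remove.
HOOK = re.compile(
    r"^\s*(?:function\s+)?((?:pre|post)_(?:install|upgrade|remove))\s*(?:\(\s*\))?\s*\{",
    re.M,
)
# A JS package manager in command position: line start, after a shell
# separator, or after then/do/else/sudo/exec. Text inside echo is not matched.
CMD = re.compile(
    r"(?:^|[;&|`(]|\b(?:then|do|else|sudo|exec)\s)\s*(npm|npx|pnpm|yarn)\s+(\S.*)"
)

def hook_bodies(script):
    """Yield (hook_name, body) per hook, using naive brace matching."""
    for m in HOOK.finditer(script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            depth += {"{": 1, "}": -1}.get(script[i], 0)
            i += 1
        yield m.group(1), script[m.end():i - 1]

def scan_install_script(script):
    """Return [(hook, tool, arguments)] for package-manager calls in hooks."""
    findings = []
    for hook, body in hook_bodies(script):
        for line in body.splitlines():
            code = line.split("#", 1)[0].strip()  # drop shell comments (heuristic)
            hit = CMD.search(code)
            if hit:
                findings.append((hook, hit.group(1), hit.group(2)))
    return findings

# Constructed samples; not the real malicious change, which the page does not show.
SAMPLE_SUSPICIOUS = """\
pre_install() {
    # constructed line for illustration
    npm install -g atomic-lockfile >/dev/null 2>&1
}
post_upgrade() {
    echo "Run npm install in your project to rebuild bindings"
}
"""
SAMPLE_CLEAN = 'post_install() {\n    systemd-sysusers\n}\n'

if __name__ == "__main__":
    for finding in scan_install_script(SAMPLE_SUSPICIOUS):
        print("suspicious hook command:", finding)
```

A hit is a reason to read the hook by hand before building, not proof of compromise, and a clean result does not cover a payload fetched from the PKGBUILD itself.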

@ifin @mttaggart The attack was orchestrated by bot accounts and automated scripts, including the impersonation of the git identity of the last committer as an obfuscation method. "arojas" is a trusted Arch Linux developer and he's *not* behind these attacks, he just had his git identity impersonated in the process, just like a lot of other people.

Could you please remove the wrong and misleading mention of the "arojas" username as being the author behind these attacks?
Thanks! 🙏

@Antiz
Done. Thank you for the clarification.
@mttaggart
@ifin @mttaggart You're welcome, thanks for your quick actions! 🤗