A new malicious package maintainer account infected more than 1,500 packages in the Arch User Repository (AUR), the community repository for Arch Linux users, after initially compromising over 400 packages, researchers said on June 12 [1, 2, 3, 4].
The attack began on June 11, when researchers discovered that a new maintainer account had injected malicious preinstall scripts into AUR packages. These scripts installed the npm package atomic-lockfile, which contains an infostealer and an eBPF rootkit to stealthily monitor and control infected systems [1, 2, 3].
Initial reports estimated around 408 packages were affected, mostly user-maintained orphaned or niche packages rather than official Arch Linux ones [1, 2, 3]. However, ongoing investigations on June 12 raised the number of compromised packages to more than 1,500 [4].
Arch Linux maintainers have been actively removing the malicious packages and banning the accounts linked to the attack [2, 4]. The npm package atomic-lockfile is maintained by a user named herbsobering and is linked to container images for reverse-shell and proxy tooling, which extend what an infection can do beyond the initial payload [1].
Users are urged to check their installed AUR packages with the community scripts written to detect this malware. Because the payload includes a rootkit, experts recommend rotating credentials and considering a complete system reinstall to ensure the machine is clean [1].
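As an added example (not one of the community scripts mentioned in the report, and not code from Arch Linux or the AUR), the following POSIX shell audit looks for the one concrete indicator the article gives, the npm package name atomic-lockfile, in two places a defender can check offline: pacman's per-package install scriptlets and a global npm prefix. It assumes pacman's local database layout (`<dbroot>/local/<pkg>/install`) and npm's global module path (`<prefix>/lib/node_modules`); the fixture it runs against is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Arch Linux or the AUR): audit the pacman
# local package database for install scriptlets that pull in the npm package
# named in the report, and check an npm prefix for that package.
# Assumptions: scriptlets live at <dbroot>/local/<pkg>/install (pacman's layout)
# and global npm modules live under <prefix>/lib/node_modules.

IOC_PKG="atomic-lockfile"   # package name reported in the article

# scan_pacman_db DBROOT: print scriptlets mentioning the IOC; exit 0 if any, else 1
scan_pacman_db() {
    hits=1
    for f in "$1"/local/*/install; do
        [ -f "$f" ] || continue
        if grep -qF "$IOC_PKG" "$f"; then
            printf 'suspicious install scriptlet: %s\n' "$f"
            hits=0
        fi
    done
    return $hits
}

# scan_npm_prefix PREFIX: exit 0 if the IOC package is installed globally there
scan_npm_prefix() {
    if [ -d "$1/lib/node_modules/$IOC_PKG" ]; then
        printf 'npm package present: %s/lib/node_modules/%s\n' "$1" "$IOC_PKG"
        return 0
    fi
    return 1
}

# build_demo_db DIR: constructed fixture (one clean, one suspicious scriptlet)
build_demo_db() {
    mkdir -p "$1/local/clean-tool-1.0-1" "$1/local/odd-tool-2.3-1"
    printf 'post_install() {\n  update-desktop-database -q\n}\n' \
        > "$1/local/clean-tool-1.0-1/install"
    printf 'post_install() {\n  npm install -g %s\n}\n' "$IOC_PKG" \
        > "$1/local/odd-tool-2.3-1/install"
}

# Demo run against the constructed fixture; on a real host use
#   scan_pacman_db /var/lib/pacman; scan_npm_prefix /usr
demo=$(mktemp -d)
build_demo_db "$demo"
scan_pacman_db "$demo" || echo "no suspicious scriptlets in $demo"
scan_npm_prefix "$demo/usr" || echo "no global $IOC_PKG under $demo/usr"
rm -rf "$demo"
```

A string match on one package name only catches scriptlets that name it literally; a clean result here does not rule out an infection, which is why the reinstall advice above still stands.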
The malware campaign marks a significant attack on the Arch Linux community repository, which is widely used by Linux enthusiasts and professionals. The next steps involve continued cleanup of infected packages and improving safeguards for package maintainers and users.