    Over 400 Arch Linux packages compromised to push rootkit, infostealer

By admin, June 13, 2026
    More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.

    A report from the open-source intelligence community Independent Federated Intelligence Network (IFIN) notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages.

The Arch Linux distribution is popular among power users and developers, who use the AUR catalog to obtain the latest versions of software, drivers, and kernels.

    AUR is a community-maintained repository for the Arch distribution that contains package build scripts (PKGBUILDs) with instructions for downloading, compiling, and installing software not available in Arch’s official repositories.

    AUR is considered essential for any Arch-based distribution because it contains proprietary applications, beta/nightly versions of open-source software, niche utilities, and older versions of packages that retain functionality which may have been removed in later releases.

    However, it is not a vetted space, and threat actors can use it to push malware through packages that change ownership without anyone noticing.

    According to IFIN member Michael Taggart, the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.

Independent security researcher Whanos notes that one sample of atomic-lockfile included a Linux ELF payload named deps, which was a “credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities.”

    “It is designed for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets,” Whanos says in the report.

When its eBPF component is loaded, which requires root, the malware runs code inside the kernel and can hide local processes.

    Supply-chain management company Sonatype also published a report on a campaign targeting the AUR repository and delivering the malicious atomic-lockfile npm package, but using a different method.

    Sonatype researchers say that the threat actor hijacked at least 20 orphaned packages on AUR and pushed atomic-lockfile by modifying the PKGBUILD file – a Bash script with the build information needed by Arch Linux packages.

    According to the report, the attacker added a post-install script to invoke npm and retrieve the malicious package.

    “The modified packages add a post-install script that invokes npm and installs atomic-lockfile during package installation,” Sonatype says.

    However, analysis showed that the npm package installed a Linux executable with references to an eBPF rootkit that could hide processes, files, and network interfaces.

    Additionally, the Linux binary indicates that it has infostealer functionality, targeting the following types of sensitive information:

    • GitHub credentials
    • SSH artifacts
    • HashiCorp Vault tokens
    • Browser cookie databases
    • Slack data
    • Discord data
    • Microsoft Teams data
    • Telegram data

    Sonatype determined that the binary can archive data, handle multi-part files, and perform HTTP uploads, so the functionality for a typical exfiltration mechanism is present.

    AUR maintainers are working to identify and remove all malicious commits, and to ban the accounts pushing them.

    In a message to the community, Arch Linux package maintainer Jonathan Grotelüschen urged users to report any malicious package they find.

    As a general rule, it’s recommended to only trust projects with frequent updates and an active community around them.

    Arch users are advised to review the list of affected packages and look for the indicators of compromise provided in the report from Whanos.

    Michael Taggart also pointed to a script that checks for the atomic-lockfile malware on the system.

    If compromised packages are found, users should rotate all credentials and consider reinstalling Arch from scratch, since a rootkit may survive normal cleaning efforts.
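The delivery mechanism described above (an install script that calls npm at package-install time) leaves a trace in pacman's local database, where each package's install script is stored as a file named install. The script below is an added example, not the Taggart check script or any code from the IFIN or Sonatype reports: it flags install scripts that invoke npm or reference atomic-lockfile and looks for that package under node_modules. The database path, search roots, regex, and the constructed demo package names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or the IFIN/Sonatype reports.
# Scans a pacman local database for install scripts that call npm (the
# delivery pattern described above) and looks for atomic-lockfile under
# node_modules. Paths, regexes and demo package names are assumptions.

# Print "<pkgdir>: <line-no>:<line>" for each install script under $1
# that references npm/npx or the atomic-lockfile package name.
scan_install_scripts() {
    db="$1"
    [ -d "$db" ] || return 1
    for script in "$db"/*/install; do
        [ -f "$script" ] || continue
        pkg=$(basename "$(dirname "$script")")
        grep -nE 'npm[[:space:]]+(i|install|exec)|npx[[:space:]]|atomic-lockfile' \
            "$script" 2>/dev/null | sed "s|^|$pkg: |"
    done
    return 0
}

# Print every node_modules/<name> directory found under the given roots.
find_npm_package() {
    name="$1"; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -path "*/node_modules/$name" 2>/dev/null
    done
}

# Build a constructed fixture mimicking /var/lib/pacman/local so the
# scanner can be exercised offline; the package names are made up.
make_demo_db() {
    demo=$(mktemp -d)
    mkdir -p "$demo/clean-tool-1.0-1" "$demo/orphaned-pkg-2.3-1" \
             "$demo/lib/node_modules/atomic-lockfile"
    printf 'post_install() {\n  update-desktop-database -q\n}\n' \
        > "$demo/clean-tool-1.0-1/install"
    printf 'post_install() {\n  npm install -g atomic-lockfile\n}\n' \
        > "$demo/orphaned-pkg-2.3-1/install"
    echo "$demo"
}

if [ "${1:-}" = "--system" ]; then
    scan_install_scripts /var/lib/pacman/local
    find_npm_package atomic-lockfile /usr/lib /usr/local/lib /opt "$HOME"
elif [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_db)
    scan_install_scripts "$demo"          # flags orphaned-pkg-2.3-1 only
    find_npm_package atomic-lockfile "$demo/lib"
    rm -rf "$demo"
fi
```

Run with --demo to see the constructed fixture flagged, or --system to scan the live database; a hit is a lead to inspect, and a clean result does not rule out a loaded rootkit, which is why the article's advice to rotate credentials and reinstall still applies.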
