Arch Linux AUR hit by malware targeting developer secrets


One of the largest open-source package repositories just spent a weekend cleaning up after a malware campaign that did not break into anything. It did not need to.

Attackers seized control of more than 1,500 packages in the Arch User Repository, or AUR, the community-run software collection that sits alongside Arch Linux’s official repositories, and quietly rewrote their build instructions to install a credential stealer on any machine that compiled them. By Monday, the project had taken the unusual step of freezing new account registration while it cleaned up.

The number kept moving. It started at around 400 packages, climbed past 1,500 over the weekend, and one tracking list named 1,579, which Arch itself described as “many, but not all” of those hit. Crucially, Arch’s core distribution and its official repos were never affected.

An attack on trust, not a flaw

What makes this notable is how little hacking was involved. The AUR is user-submitted and explicitly unsupported: Arch tells people to read a package’s build file before installing it, every time. There is no vetting, by design.


The attackers exploited exactly that. They adopted “orphaned” packages, ones whose maintainers had walked away, inheriting the names, histories, and trust those packages had built up. Security firm Sonatype, which dubbed the campaign “Atomic Arch”, found them spoofing git commit data so the changes looked like they came from a long-standing maintainer.

That account, an Arch Trusted User later confirmed, was never actually compromised.

Only the build recipe changed. Edited scripts pulled in a malicious npm package, atomic-lockfile, whose install hook ran a hidden binary the moment the package was built. The software looked exactly like what users meant to install. It is the same logic behind the Miasma worm that hit 73 Microsoft GitHub repositories: compromise the trust, not the code.

A trap built for developers

The payload, a Rust binary reverse-engineered by the researcher Whanos, is built to rob developers specifically, which is the point. The people who build AUR packages are exactly the people whose machines hold the keys to everything else.

It harvests browser cookies and session tokens, logins from Slack, Discord and Microsoft Teams, GitHub and npm tokens, HashiCorp Vault and OpenAI credentials, SSH keys, Docker logins, and VPN profiles, then ships them out and phones home over Tor.

Those are the exact credentials used to seed the next supply-chain attack, the same pattern as last year’s poisoned VS Code extension that cost GitHub thousands of repos.

Early coverage played up an eBPF “rootkit”, and that part is worth tempering. As The Hacker News notes, it is optional, only loads if the malware already has root, and is not used to gain access. When it does run it hides the malware and blocks debuggers, which matters for one reason: if a poisoned package ran with root on your machine, removing it is not enough. You reinstall.

The cost of an open door

None of this is new for Arch. A near-identical adoption trick hit an abandoned PDF-viewer package back in 2018, and in 2025 the project weathered both a fortnight-long denial-of-service attack and a set of compromised browser packages carrying a remote-access trojan.

It is also part of a broader 2026 shift. Attackers are increasingly hijacking orphaned, trusted projects rather than typosquatting new ones, a tactic that now threatens the AI coding agents being pointed at unfamiliar repositories too. With roughly 13,000 orphaned packages still sitting in the AUR, the attack surface is enormous.

Arch’s maintainers are resetting the malicious commits and banning the accounts, and the advice to users is unchanged: read the build script before you build, and treat any recently adopted or suddenly active package with suspicion.
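One way to automate a first pass of that read-through, as an added example that is not code from Arch, Sonatype or the researchers cited here: a small reviewer that flags PKGBUILD lines which pull npm dependencies with install hooks enabled or reference the atomic-lockfile package named above. The function name, the heuristics and the sample PKGBUILD are assumptions constructed for illustration.

```python
import re

# Package name reported in the article; everything else is a generic heuristic.
KNOWN_BAD = {"atomic-lockfile"}
# JS package managers whose install step runs dependency lifecycle hooks.
PM_CALL = re.compile(r"\b(npm|pnpm|yarn)\b\s+(.*)")
SUBCMD = re.compile(r"(^|\s)(install|i|ci|add)(\s|$)")
# Shell functions in a PKGBUILD or .install file, e.g. "build() {".
FUNC_START = re.compile(r"^\s*(\w+)\s*\(\)\s*\{")

def review_pkgbuild(text):
    """Return (line_no, function, reason) findings for a build recipe.

    Comments are scanned too: a false positive on a comment is cheaper
    than letting a '#' inside a string hide the rest of a line.
    """
    findings, func = [], "<top-level>"
    for no, line in enumerate(text.splitlines(), 1):
        m = FUNC_START.match(line)
        if m:
            func = m.group(1)
        if line.strip() == "}":
            func = "<top-level>"
            continue
        for bad in sorted(KNOWN_BAD):
            if bad in line:
                findings.append((no, func, f"references {bad}"))
        call = PM_CALL.search(line)
        if call:
            pm, args = call.group(1), call.group(2)
            sub = SUBCMD.search(args)
            if sub and "--ignore-scripts" not in args:
                findings.append(
                    (no, func, f"{pm} {sub.group(2)} without --ignore-scripts"))
    return findings

# Constructed sample, not a real AUR package.
SAMPLE = """pkgname=example-tool
pkgver=1.2.3
source=("$pkgname-$pkgver.tar.gz")
prepare() {
  cd "$pkgname-$pkgver"
  npm install --ignore-scripts
}
build() {
  cd "$pkgname-$pkgver"
  npm install atomic-lockfile
  make
}
"""

if __name__ == "__main__":
    for no, func, reason in review_pkgbuild(SAMPLE):
        print(f"line {no} in {func}(): {reason}")
```

An empty result only means these particular patterns are absent; the recipe and any .install file still need to be read in full.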

The harder problem is structural. A repository that trusts a package’s name and history over whoever is maintaining it today has no patch for that, only a decision about how much longer the open door stays open.


