Last Updated: 2026-06-12T04:22:42Z
What’s Happening
It appears a new AUR package maintainer (arojas) adopted and infected 408+ packages. The compromise was reported and other AUR maintainers have been working to remove the infected packages.
The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload.
Here’s an example of the change:
This blog has a deep dive into the attack.
Actions
If you don’t use Arch (btw), you’re fine.
- Arch users: review the list of affected packages and use this script to check your exposure: aur_check.sh · GitHub
- Review the Ioctl blog for the indicators of compromise; if any are found, preserve the system for forensic investigation as appropriate.
- If affected packages are found, follow normal compromise procedures: rotate all credentials and consider reinstalling Arch. Because a rootkit may be present, the system can no longer be trusted.
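As an added example (not the aur_check.sh script linked above, which this note does not reproduce), here are two offline checks for the exposure review: intersecting `pacman -Qm` output with the affected-package list, and grepping local AUR build files for the npm install of atomic-lockfile that the note describes. The package names in the sample data are constructed placeholders, not the real affected list.

```shell
#!/bin/sh
# Added example, not the linked aur_check.sh. Two offline checks:
#  1. intersect locally installed foreign (AUR) packages with the affected list
#  2. grep local AUR build files for the install-time indicator described in the
#     note: an npm install of the atomic-lockfile package.
# Real use: pacman -Qm > installed.txt ; put the published affected names in
# affected.txt ; point find_npm_indicator at your AUR helper's clone cache.

# affected_installed <pacman -Qm output> <affected names, one per line>
# Prints the installed package names that appear in the affected list.
affected_installed() {
  awk '{print $1}' "$1" | grep -Fxf "$2" || true
}

# find_npm_indicator <directory of AUR clones / build dirs>
# Prints PKGBUILD and .install files that call npm to install atomic-lockfile.
find_npm_indicator() {
  find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
    -exec grep -lE 'npm[[:space:]]+(i|install)[[:space:]]+.*atomic-lockfile' {} + \
    2>/dev/null || true
}

# Constructed sample data (placeholder package names, not the real affected
# list) so the example runs without pacman or network access.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'foo-git 1.0-1\nbar 2.3-1\nbaz-bin 0.1-1\n' > "$demo_dir/installed.txt"
printf 'bar\nqux\n' > "$demo_dir/affected.txt"
mkdir -p "$demo_dir/clone/bar" "$demo_dir/clone/foo-git"
printf 'pkgname=bar\nprepare() {\n  npm install atomic-lockfile\n}\n' \
  > "$demo_dir/clone/bar/PKGBUILD"
printf 'pkgname=foo-git\nbuild() {\n  make\n}\n' > "$demo_dir/clone/foo-git/PKGBUILD"

echo "Installed packages on the affected list:"
affected_installed "$demo_dir/installed.txt" "$demo_dir/affected.txt"
echo "Build files containing the npm indicator:"
find_npm_indicator "$demo_dir/clone"
```

A hit from either check is a reason to stop and preserve the machine rather than to clean it in place.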
Notes
Most of these packages are rarely used, but the scope is significant. It is also rare to see a supply chain attack of this nature go as far as an eBPF rootkit in addition to infostealer behavior.
Socket.dev has a page for the malicious NPM package, which shows 134 downloads.
https://socket.dev/npm/package/atomic-lockfile
The NPM package is maintained by user herbsobering. Searching that username on GitHub reveals a single container image that appears to be a reverse shell/proxy tool. Package herbsobering430 · GitHub