atomic-lockfile

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.

The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

This attack goes after the trust model, not a software flaw. The compromised packages kept their names, their histories, and the trust that came with them. Only the build instructions changed.

Once a package was adopted, its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build... A second wave used bun install js-digest

Sonatype researchers say that the threat actor hijacked at least 20 orphaned packages on AUR and pushed atomic-lockfile by modifying the PKGBUILD file - a Bash script with the build information needed by Arch Linux packages.

atomic-lockfile ‘s package.json contains a preinstall lifecycle hook: "preinstall": "./src/hooks/deps"

Analysis identified references to an eBPF program ( scales.bpf.c ) and to libbpf APIs including: bpf_object__load bpf_program__attach bpf_map__pin

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

They modified the packages' PKGBUILD to introduce a post-install script that executes npm install atomic-lockfile minimist chalk during package installation, causing affected systems to retrieve and install the npm package atomic-lockfile.

the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.

Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop.

Static analysis identified functionality associated with process, file, and network hiding. The eBPF-related functionality references hooks for getdents64(), the system call used to enumerate directory entries, and maintains structures named hidden_pids, hidden_names, and hidden_inodes.

The outer package is a largely functional TypeScript npm package (legitimate atomic-lockfile project) with the ELF binary inserted into its source tree.

Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop.

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

This means a developer workstation, maintainer machine, or CI/build host could execute the malware as a side effect of building or installing the compromised AUR package.

the npm package installed a Linux executable with references to an eBPF rootkit that could hide processes, files, and network interfaces.

They modified the packages' PKGBUILD to introduce a post-install script that executes npm install atomic-lockfile minimist chalk during package installation, causing affected systems to retrieve and install the npm package atomic-lockfile.

the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile.

The executable also contains functionality associated with Linux socket diagnostics interfaces, including NETLINK_SOCK_DIAG, and logic related to debugger detection through PTRACE_ATTACH and PTRACE_SEIZE, suggesting efforts to reduce visibility and hinder analysis.

The binary contains references to GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, Slack, Discord, Microsoft Teams, and Telegram data stores.

SSH private keys — enabling attackers to pivot to remote servers and infrastructure System environment variables — potentially exposing API tokens, cloud credentials, and application secrets Cryptocurrency wallet data — targeting local wallet files and seed phrases.

The binary contains references to GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, Slack, Discord, Microsoft Teams, and Telegram data stores. Taken together, these references strongly indicate credential and token harvesting functionality.

A report ... notes that more than 400 packages ... are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.

The executable also contains functionality associated with Linux socket diagnostics interfaces, including NETLINK_SOCK_DIAG, and logic related to debugger detection through PTRACE_ATTACH and PTRACE_SEIZE, suggesting efforts to reduce visibility and hinder analysis.

its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build, pulling the malicious npm package alongside a couple of legitimate ones for cover.

The executable also includes archive support, multipart form-data handling, and HTTP upload functionality, including references to POST /upload, indicating potential data collection and exfiltration capabilities.