js-digest

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them... The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

This attack goes after the trust model, not a software flaw. The compromised packages kept their names, their histories, and the trust that came with them. Only the build instructions changed.

Once a package was adopted, its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build... A second wave used bun install js-digest

atomic-lockfile ‘s package.json contains a preinstall lifecycle hook: "preinstall": "./src/hooks/deps"

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop.

Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop.

The outer package is a largely functional TypeScript npm package (legitimate atomic-lockfile project) with the ELF binary inserted into its source tree.

Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop.

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

This means a developer workstation, maintainer machine, or CI/build host could execute the malware as a side effect of building or installing the compromised AUR package.

Once installed, the malicious npm packages deployed a multi-stage infostealer payload engineered to exfiltrate a broad range of sensitive data, including: Browser credentials — saved passwords, session cookies, and autofill data from Chromium and Firefox-based browsers.

SSH private keys — enabling attackers to pivot to remote servers and infrastructure System environment variables — potentially exposing API tokens, cloud credentials, and application secrets Cryptocurrency wallet data — targeting local wallet files and seed phrases.

Once installed, the malicious npm packages deployed a multi-stage infostealer payload engineered to exfiltrate a broad range of sensitive data, including: Browser credentials — saved passwords, session cookies, and autofill data from Chromium and Firefox-based browsers.

SSH private keys — enabling attackers to pivot to remote servers and infrastructure

its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build, pulling the malicious npm package alongside a couple of legitimate ones for cover.