Overview
- Attackers requested ownership of orphaned Arch User Repository (AUR) packages and modified their PKGBUILD scripts to run `npm install atomic-lockfile` during package installation.
- Analysis shows the `atomic-lockfile` npm package bundles a native Linux ELF that loads eBPF code (`scales.bpf.c`) to hide files and processes and to exfiltrate a wide range of developer secrets.
- Researchers differ on the scale of the campaign: Sonatype reported at least 20 hijacked orphaned packages, while IFIN and other reporting claim it may affect hundreds of AUR packages.
- AUR maintainers are removing the malicious commits and banning the offending accounts, and researchers have published indicators and detection scripts for scanning systems.
- Users should audit installed PKGBUILDs, rotate all exposed credentials and tokens, use published detection tools, and consider full system reinstalls when infection is suspected because the eBPF rootkit can persist after normal cleanup.
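As an added example of the PKGBUILD audit recommended above (this is not one of the published detection scripts), the helper below walks the clone caches of common AUR helpers and flags any PKGBUILD or `.install` hook that references the `atomic-lockfile` npm package; the cache paths are assumed defaults and the sample inputs are constructed.

```python
"""Audit cached AUR PKGBUILDs for the atomic-lockfile install hook."""
import os
from pathlib import Path

# Indicator taken from the reporting above: the hijacked PKGBUILDs ran
# `npm install atomic-lockfile`. Everything else here is an assumption.
SUSPECT_NPM_PACKAGE = "atomic-lockfile"
# Where AUR helpers usually keep cloned package sources (assumed defaults).
DEFAULT_CACHE_DIRS = ("~/.cache/yay", "~/.cache/paru")
_NPM_INSTALL_VERBS = {"install", "i", "add"}


def find_suspect_lines(pkgbuild_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for each line naming the suspect package.

    reason is 'npm-install' when the line is a direct `npm install|i|add`
    invocation, otherwise 'mention' (e.g. a URL, a variable, or a flag
    placed between `npm` and the verb). Comment lines are not executed
    by makepkg, so they are skipped.
    """
    findings = []
    for lineno, raw in enumerate(pkgbuild_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or SUSPECT_NPM_PACKAGE not in line:
            continue
        # Drop a trailing backslash so continuation lines tokenize cleanly.
        tokens = line.rstrip("\\").split()
        is_install = any(
            tok == "npm" and i + 1 < len(tokens) and tokens[i + 1] in _NPM_INSTALL_VERBS
            for i, tok in enumerate(tokens)
        )
        findings.append((lineno, "npm-install" if is_install else "mention", line))
    return findings


def scan_cache_dirs(dirs=DEFAULT_CACHE_DIRS) -> dict[str, list[tuple[int, str, str]]]:
    """Audit every PKGBUILD and .install hook under the given cache roots."""
    results = {}
    for d in dirs:
        root = Path(os.path.expanduser(d))
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if path.name == "PKGBUILD" or path.suffix == ".install":
                hits = find_suspect_lines(path.read_text(errors="replace"))
                if hits:
                    results[str(path)] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_cache_dirs().items():
        for lineno, reason, line in hits:
            print(f"{path}:{lineno}: [{reason}] {line}")
```

A hit only means the package name appears in a build script; rotate credentials and follow the reinstall guidance above if the package was ever built on the host.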