deps

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.

The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

atomic-lockfile ‘s package.json contains a preinstall lifecycle hook: "preinstall": "./src/hooks/deps"

npm automatically runs that hook before installing the package which directly executes the malicious ELF binary.

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

Build the package, and the binary runs... The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

For persistence, it installs a systemd service with Restart=always. With root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/.

For persistence, it installs a systemd service with Restart=always. With root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/.

Persistence depends on privilege level at execution time: Root: Copies itself to a generated path under /var/lib/ , installs a systemd service unit under /etc/systemd/system/ Non-root: Uses the current user’s home directory and installs a per-user systemd unit under ~/.config/systemd/user/

For persistence, it installs a systemd service with Restart=always. With root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/.

For persistence, it installs a systemd service with Restart=always. With root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/.

Persistence depends on privilege level at execution time: Root: Copies itself to a generated path under /var/lib/ , installs a systemd service unit under /etc/systemd/system/ Non-root: Uses the current user’s home directory and installs a per-user systemd unit under ~/.config/systemd/user/

When it does activate, it hides the malware's own processes, process names, and socket inodes from standard tools, using pinned BPF maps named hidden_pids, hidden_names, and hidden_inodes, and it kills attempts to attach a debugger.

The outer package is a largely functional TypeScript npm package (legitimate atomic-lockfile project) with the ELF binary inserted into its source tree.

A user runs their AUR helper ( yay , paru , or raw makepkg ) to install or update a package.

This means a developer workstation, maintainer machine, or CI/build host could execute the malware as a side effect of building or installing the compromised AUR package.

When deps runs with CAP_BPF (i.e., as root), it loads a kernel-level eBPF program that hides its own processes, process names, and socket inodes from userspace.

it kills attempts to attach a debugger.

It collects: GitHub, npm, and HashiCorp Vault tokens, plus OpenAI/ChatGPT bearer material and account metadata

It collects: Cookies, tokens, and local storage from Chromium-based browsers (Chrome, Edge, Brave, and many more)

It collects: SSH keys, known_hosts, and shell histories Docker and Podman credentials and VPN profiles

It collects... GitHub, npm, and HashiCorp Vault tokens... SSH keys, known_hosts, and shell histories Docker and Podman credentials and VPN profiles

The payload targets SSH keys, GitHub tokens, npm credentials, Docker and Podman auth, HashiCorp Vault tokens, browser session data, Slack, Discord, Microsoft Teams, Telegram, VPN config files, and shell histories.

It also enumerates Chromium-family browser profiles – reading SQLite cookie databases and LevelDB local storage

The payload targets SSH keys

When deps runs with CAP_BPF (i.e., as root), it loads a kernel-level eBPF program that hides its own processes, process names, and socket inodes from userspace.

The payload targets SSH keys, GitHub tokens, npm credentials, Docker and Podman auth, HashiCorp Vault tokens, browser session data, Slack, Discord, Microsoft Teams, Telegram, VPN config files, and shell histories.

it kills attempts to attach a debugger.

Collector results are serialized into shared output objects and sent as POST /api/agent to the onion C2

Command and control runs through a Tor onion service via a local loopback proxy.

Collector results are serialized into shared output objects and sent as POST /api/agent to the onion C2 through a local loopback/SOCKS transport.

Command and control runs through a Tor onion service via a local loopback proxy.

The local loopback traffic is just an intermediate relay layer – the actual destination is that Tor hidden service, making the C2 highly resistant to takedown.

its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build, pulling the malicious npm package alongside a couple of legitimate ones for cover.

Collector results are serialized into shared output objects and sent as POST /api/agent to the onion C2 through a local loopback/SOCKS transport.

Stolen files go out over HTTP to temp.sh.