AUR packages compromised with Infostealer and Rootkit

295 points · 219 comments on HN


A fake maintainer compromised 408+ Arch AUR packages with infostealer and eBPF rootkit malware.

An attacker impersonating a trusted AUR maintainer adopted 408+ orphaned packages and injected malicious preinstall scripts. Initial infections used npm to install a malicious `atomic-lockfile` package; later variants used Bun to install `js-digest`. The malware included an infostealer and eBPF rootkit capable of hiding processes and files. AUR maintainers removed all malicious commits by June 11, 2026. Affected Arch users should review the package list, check for compromise indicators including the SHA256 hash `7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316`, and monitor for suspicious eBPF maps named `hidden_pids`, `hidden_names`, or `hidden_inodes`. If compromised, full system reinstall is recommended due to rootkit presence.

What commenters are saying

Commenters note this is the third or fourth major AUR compromise in recent years, with one mentioning ongoing AUR downtime issues over the past two years. The broader consensus is that AUR's current adoption mechanism for orphaned packages is fundamentally insecure and that users must manually review PKGBUILDs. Several commenters report having affected packages installed but escaping infection because they ran outdated versions from before the compromise window or chose alternative packages. A top comment highlights that the `comm` command provides a quick way to check for overlap between installed and compromised packages, though a name match alone does not show whether the installed build falls inside the compromise window. One user switched to CachyOS but notes the issue applies to any distribution using a similar trust model.

False positives were a concern: some packages such as `clang19` appeared on the list, but the versions users had installed came from the official repos and predated the compromise.
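The `comm` overlap check the top comment describes, together with a grep for the eBPF map names in the advisory, as an added example that is not code from the thread or the advisory. It assumes `pacman -Qqm` as the source of installed foreign (AUR) packages; the package names, compromised list and `bpftool map list` output in the block are constructed sample data, not the real advisory list.

```shell
#!/bin/sh
# Added example: comm-based overlap between installed AUR packages and a
# compromised-package list, plus a check of `bpftool map list` output for the
# map names the advisory cites. All data below is constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# overlap INSTALLED_FILE COMPROMISED_FILE
# Prints names present in both files. comm needs both inputs sorted under the
# same collation, so both are normalised with LC_ALL=C sort -u first.
overlap() {
    LC_ALL=C sort -u "$1" > "$WORK/a"
    LC_ALL=C sort -u "$2" > "$WORK/b"
    LC_ALL=C comm -12 "$WORK/a" "$WORK/b"
}

# suspicious_maps BPFTOOL_OUTPUT_FILE
# Prints the header lines of `bpftool map list` output whose map name is
# hidden_pids, hidden_names or hidden_inodes; prints nothing otherwise.
suspicious_maps() {
    grep -E 'name (hidden_pids|hidden_names|hidden_inodes)( |$)' "$1" || true
}

# Constructed stand-in for `pacman -Qqm > installed.txt` (foreign packages).
printf '%s\n' zoom yay clang19 foo-git bar > "$WORK/installed.txt"
# Constructed compromised list (placeholder names, not the advisory's list).
printf '%s\n' foo-git clang19 baz-bin > "$WORK/compromised.txt"
# Constructed `bpftool map list` output containing one of the cited map names.
cat > "$WORK/maps.txt" <<'EOF'
3: hash  name hidden_pids  flags 0x0
    key 4B  value 1B  max_entries 1024  memlock 4096B
7: array  name cgroup_stats  flags 0x0
    key 4B  value 8B  max_entries 64  memlock 4096B
EOF

echo "== installed packages that appear on the compromised list =="
overlap "$WORK/installed.txt" "$WORK/compromised.txt"
# A name match is only a lead: on a real system, run `pacman -Qi <pkg>` on
# each hit and compare Install Date and Packager against the compromise
# window, since repo builds that predate it (the clang19 case) are not hits.
echo "== eBPF maps matching the advisory's names =="
suspicious_maps "$WORK/maps.txt"
```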