Starting on June 11, 2026, the Arch User Repository (AUR) was targeted by malware which rapidly compromised over 1,500 packages. The AUR repository allows for abandoned community packages to be taken over by a new maintainer, which was exploited by the attackers to claim ownership.
Once the packages were adopted by the malicious maintainers, the next part should sound familiar: The package build scripts, which are executed by the Arch yay and paru package managers, were modified to install malicious NPM packages (atomic-lockfile and js-digest) each containing the now-usual suite of infostealer malware targeting browser credentials and tokens, SSH private keys, package repository tokens, cloud compute, AI tokens, and crypto wallets.
The malware once installed uses several tricks to cloak itself by renaming processes, and to install systemd services to restart itself, and leveraging eBPF filtering in the kernel to hide the sockets and processes further. It specifically targets browsers and Electron-based applications, which are basically a light-weight Chromium browser disguised as an application anyway. Slack, Discord, Signal, and many more use the Electron wrapper.
A preliminary analysis of the malware is available, which breaks down the exact behavior in more detail and lists the known targets of the malware.
