What’s Happening
It appears a new AUR package maintainer impersonating a trusted maintainer adopted and infected 408+ packages. The compromise was reported and other AUR maintainers have been working to remove the infected packages.
The affected packages were modified with preinstall scripts to use npm to install the atomic-lockfile package, a malicious payload.
Here’s an example of the change (screenshot not reproduced in this copy):
ioctl.fail has a deep dive into the attack: “Preliminary analysis of AUR malware” (Malware Analysis Report: deps, report date 2026-06-11, with VirusTotal and Triage links). The authors note that the report was written very hastily by Codex and that they have fact-checked it against the IDA decompilation.
Actions
If you don’t use Arch (btw), you’re fine.
Arch users: review the list of affected packages and use this script to check your exposure: https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
Review the ioctl.fail blog for the indicators of compromise; if any are found, preserve the system for forensic investigation as appropriate. If affected packages are found, follow your normal compromise procedures: rotate all credentials and consider reinstalling Arch. Because a rootkit cannot be ruled out, the system cannot be trusted.
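As an added illustration of the two checks above (this is not the page's own script and not the linked gist), the following POSIX shell script looks for the indicators the post names on an Arch host: install scriptlets in pacman's local database that reference the atomic-lockfile npm package (or call npm install at all), and the atomic-lockfile module sitting in npm's global module directory, which would survive removal of the AUR package that planted it. It assumes pacman's default database path /var/lib/pacman/local, with per-package directories named name-version-release that may contain an install scriptlet, and that npm root -g prints the global module directory; both paths can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the post or the linked gist. Two read-only checks
# for the indicators described in the post. Assumptions: pacman's local
# database is /var/lib/pacman/local (its default), each package directory is
# named "<name>-<ver>-<rel>" and may hold an "install" scriptlet; npm's global
# module directory is what "npm root -g" prints. Both can be overridden.

# scan_install_scripts [DBDIR]
# Prints "<pkgdir> <reason>" for every package whose install scriptlet either
# references the atomic-lockfile npm package (the payload named in the post)
# or runs "npm install" at all, which no pacman scriptlet should do.
# Returns 0 if at least one package was flagged, 1 if the database is clean.
scan_install_scripts() {
    db="${1:-/var/lib/pacman/local}"
    hits=0
    for script in "$db"/*/install; do
        [ -f "$script" ] || continue
        pkg=$(basename "$(dirname "$script")")
        if grep -q -- 'atomic-lockfile' "$script"; then
            echo "$pkg atomic-lockfile-reference"
            hits=$((hits + 1))
        elif grep -Eq 'npm[[:space:]]+(i|install)([[:space:]]|$)' "$script"; then
            echo "$pkg npm-install-in-scriptlet"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# check_npm_global [NPMROOT]
# Reports whether the atomic-lockfile module is present in npm's global
# module directory. Removing the AUR package does not undo what its
# scriptlet installed, so this check matters even after the package is gone.
# Prints the path and returns 0 if found, returns 1 otherwise.
check_npm_global() {
    root="${1:-$(npm root -g 2>/dev/null)}"
    [ -n "$root" ] || return 1
    if [ -d "$root/atomic-lockfile" ]; then
        echo "$root/atomic-lockfile"
        return 0
    fi
    return 1
}

# Stand-alone use: sh check-aur-exposure.sh /var/lib/pacman/local [NPMROOT]
# Exit status 0 means an indicator was found; treat the host as compromised
# and preserve it rather than cleaning it up in place.
if [ $# -gt 0 ]; then
    found=1
    scan_install_scripts "$1" && found=0
    check_npm_global "${2:-}" && found=0
    exit $found
fi
```

A hit from either function is a reason to stop and preserve the machine, not to start deleting things: the post's advice to rotate credentials and consider a reinstall applies because the scriptlet ran as root and a clean database afterwards proves nothing.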