{ "file_hashes": [ { "name": "deps (atomic-lockfile variant)", "sha256": "6144D433F8A0316869877B5F834C801251BBB936E5F1577C5680878C7443C98B", "md5": "42B59FDBE1B72895B2951412222EBF40", "size": 3040376, "source": "https://ioctl.fail/preliminary-analysis-of-aur-malware/" }, { "name": "elf (js-digest variant)", "sha256": "7883BDA1FF15425F2DBE622C45A3AE105DDFA6175009BBF0B0CAD9BF5C79B316", "source": "https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577" }, { "name": "cryptominer (atomic-lockfile variant)", "sha256": "47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204", "source": "https://ioctl.fail/preliminary-analysis-of-aur-malware/" }, { "name": "sudo password grabber script", "path": "~/.local/bin/sudo", "sha256": "fd4852334ce1c2d7c9bf0e1c91dbf274a1247989b4827d4f7758cbf3bf42ebfe", "source": "https://github.com/lenucksi/aur-malware-check/issues/24" } ], "npm_packages": [ { "name": "atomic-lockfile", "version": "1.4.2", "variant": "npm", "lifecycle": "preinstall: ./src/hooks/deps", "payload": "src/hooks/deps", "publisher": "herbsobering", "downloads": 134, "status": "pulled" }, { "name": "js-digest", "variant": "bun", "publisher": "herbsobering", "status": "pulled", "source": "https://socket.dev/npm/package/js-digest" }, { "name": "lockfile-js", "variant": "npm", "publisher": "herbsobering", "status": "pulled", "payload": "embedded ELF (same SHA256 as atomic-lockfile variant)" } ], "network": { "c2": { "onion": "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion", "path": "/api/agent", "method": "POST", "ports": [80, 8080] }, "upload": { "host": "temp.sh", "path": "/upload", "method": "POST" }, "staging": [ "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/linux", "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/sha256/linux" ], "credential_targets": [ "api.openai.com", "discord.com / api/v9/users/@me", "teams.microsoft.com / authsvc.teams.microsoft.com", "api.github.com", "registry.npmjs.org", "slack.com" ] }, "persistence": { "paths": [ "/var/lib/", "/etc/systemd/system/.service", "~/.config/systemd/user/.service" ], "indicators": ["Restart=always", "RestartSec=30"] }, "ebpf": { "maps": [ "/sys/fs/bpf/hidden_pids", "/sys/fs/bpf/hidden_names", "/sys/fs/bpf/hidden_inodes" ], "capabilities": ["CAP_BPF", "CAP_SYS_ADMIN"] }, "artifacts": [ "/usr/bin/monero-wallet-gui", "~/.npm/_cacache/", "~/.bun/install/cache/", "~/.local/bin/sudo", "/tmp/.cache" ], "git_commits": [ { "package": "htbrowser-bin", "commit": "462c21877fe6d2f563ed6620ef227e06ac8c51c8", "email": "annikkitikkanen@gmail.com", "source": "https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/TND7HA2KBQ46OHHUMMIAHKGXZE4WALM6/" } ] }