# Indicators of Compromise (IOCs) - AUR Malware Campaign June 2026
# Sources: https://ioctl.fail/preliminary-analysis-of-aur-malware/
#          https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992
#          https://github.com/lenucksi/aur-malware-check/issues/24

## File Hashes

ELF Payload (deps - atomic-lockfile variant):
SHA256: 6144D433F8A0316869877B5F834C801251BBB936E5F1577C5680878C7443C98B
MD5: 42B59FDBE1B72895B2951412222EBF40
Size: 3,040,376 bytes

ELF Payload (js-digest variant):
SHA256: 7883BDA1FF15425F2DBE622C45A3AE105DDFA6175009BBF0B0CAD9BF5C79B316
Source: IFIN Discourse / socket.dev analysis

Additional sample (cryptominer - atomic-lockfile variant):
SHA256: 47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204

## Malicious NPM Packages

### atomic-lockfile (npm variant)
Name: atomic-lockfile
Version: 1.4.2
Lifecycle: "preinstall": "./src/hooks/deps"
Payload: src/hooks/deps
Publisher: herbsobering (npmjs.com/~herbsobering)
Downloads: 134 (at time of detection)

### js-digest (bun variant)
Name: js-digest
Installer: bun install js-digest (injected into PKGBUILD/.install hooks)
Payload: embedded ELF (SHA256 above)
Publisher: herbsobering (same NPM account)
Status: Pulled from NPM (confirmed by Socket.dev)

### lockfile-js (npm variant)
Name: lockfile-js
Installer: npm install lockfile-js (injected into PKGBUILD/.install hooks)
Payload: embedded ELF (same SHA256 as atomic-lockfile variant)
Publisher: herbsobering (same NPM account)
Source: Sonatype blog post

### ansi-colors (bun companion — NOT in automated scan list)
Name: ansi-colors
Installer: bun add ansi-colors (injected via obfuscated .install hooks alongside nextfile-js)
Note: Shares its name with a legitimate, popular npm package (~500M downloads). Used as cover alongside nextfile-js in the htbrowser-bin attack. Excluded from malicious_npm_packages.txt to avoid false positives.
Source: https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/TND7HA2KBQ46OHHUMMIAHKGXZE4WALM6/ (Nicolas Boichat, 2026-06-14)

## Network Indicators (C2)
Onion: olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion
Path: POST /api/agent HTTP/1.0
Ports: TCP/80, TCP/8080
Upload: temp.sh POST /upload HTTP/1.1
Local: 127.0.0.1 (SOCKS-style loopback transport)

## Staging
olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/linux
olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/sha256/linux

## Third-Party Endpoints (used for credential validation)
api.openai.com
discord.com / api/v9/users/@me
teams.microsoft.com / authsvc.teams.microsoft.com
api.github.com
registry.npmjs.org
slack.com

## Persistence Indicators
/var/lib/ (root install)
/etc/systemd/system/.service (root systemd)
~/.config/systemd/user/.service (user systemd)
Restart=always
RestartSec=30

## eBPF Rootkit Indicators
/sys/fs/bpf/hidden_pids
/sys/fs/bpf/hidden_names
/sys/fs/bpf/hidden_inodes
CAP_BPF / CAP_SYS_ADMIN required

## Filesystem Artifacts
/usr/bin/monero-wallet-gui (potential cryptominer)
~/.npm/_cacache/ (npm cache of malicious npm packages — see malicious_npm_packages.txt)
~/.bun/install/cache/ (bun cache — bun variant of the attack)
~/.local/bin/sudo (sudo password grabber)
/tmp/.cache (captured sudo passwords)

## Artifact Details

### sudo password grabber
Path: ~/.local/bin/sudo
SHA256: fd4852334ce1c2d7c9bf0e1c91dbf274a1247989b4827d4f7758cbf3bf42ebfe
Source: https://github.com/lenucksi/aur-malware-check/issues/24
Behavior: Intercepts sudo calls, captures the password to /tmp/.cache, then removes itself after successful authentication.
## Attacker Accounts
AUR: krisztinavarga (malicious maintainer for alvr)
AUR: custodiatovar (malicious maintainer, bun/js-digest wave — 13 packages)
AUR: veramagalhaes (malicious maintainer, bun/js-digest wave — 13 packages)
Git: PLYSHKA (commit author name used for impersonation)
NPM: herbsobering
GH: fardewoak (container registry: herbsobering430)
AUR: meryemplath (took over pypiserver, anythingllm-cli-bin, python-dbapi-compliance)
AUR: laurentbavaud (banned — zathura-gruvbox-git, python2-mutagen, fastoggenc)
AUR: vitoriapires (confirmed malicious by Fabio Loli)
AUR: catringiess (confirmed malicious by Fabio Loli)
AUR: dominikgross (confirmed malicious by Fabio Loli)
AUR: skarbricat (all PKGBUILDs contained malicious code — Jason Marinaro)

## Malicious Git Commits
htbrowser-bin: 462c21877fe6d2f563ed6620ef227e06ac8c51c8 (obfuscated bun payload)
Attacker email: annikkitikkanen@gmail.com

## Impersonated Accounts
AUR: arojas (legitimate Arch Linux maintainer — identity forged by attacker via git commit forgery; see Impersonation Clarification in README)
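The indicators above can be applied to a host or a set of PKGBUILD/.install files with a small triage script. The following is an added example written for this page; it is not code from the aur-malware-check project or any of the linked analyses. It hard-codes the file hashes, the injected install commands (npm install / bun install / bun add of the listed package names), the systemd persistence pattern (Restart=always with RestartSec=30), and the filesystem and eBPF pin paths from the sections above. The function names, the root/home parameters, and the assumption that npm's cache keeps request keys under ~/.npm/_cacache/index-v5 are the example's own.

```python
import hashlib
import re
from pathlib import Path

# SHA256 values copied from the IOC list on this page, lower-cased for comparison.
KNOWN_SHA256 = {
    "6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b": "ELF payload (atomic-lockfile deps)",
    "7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316": "ELF payload (js-digest)",
    "47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204": "cryptominer (atomic-lockfile)",
    "fd4852334ce1c2d7c9bf0e1c91dbf274a1247989b4827d4f7758cbf3bf42ebfe": "sudo password grabber",
}

# Install commands the page reports as injected into PKGBUILD/.install hooks.
INSTALL_HOOK_RE = re.compile(
    r"\b(?:npm\s+install|bun\s+(?:install|add))\s+"
    r"(atomic-lockfile|js-digest|lockfile-js|ansi-colors|nextfile-js)\b"
)

# Filesystem artifacts from the page, relative to the system root and to $HOME.
ROOT_ARTIFACTS = ("sys/fs/bpf/hidden_pids", "sys/fs/bpf/hidden_names",
                  "sys/fs/bpf/hidden_inodes", "tmp/.cache", "usr/bin/monero-wallet-gui")
HOME_ARTIFACTS = (".local/bin/sudo",)
MALICIOUS_NPM = ("atomic-lockfile", "js-digest", "lockfile-js")


def scan_build_script(text):
    """Malicious package names pulled in by install hooks in a PKGBUILD/.install body."""
    return sorted(set(INSTALL_HOOK_RE.findall(text)))


def sha256_of(path):
    """Hex SHA256 of a file, read in 1 MiB chunks so multi-megabyte payloads are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hash(path):
    """IOC label for a file whose SHA256 is on the list, else None."""
    return KNOWN_SHA256.get(sha256_of(path))


def suspicious_units(systemd_dir):
    """Unit files combining Restart=always and RestartSec=30, the page's persistence pattern."""
    hits = []
    for unit in Path(systemd_dir).glob("*.service"):
        body = unit.read_text(errors="replace")
        if (re.search(r"^Restart=always\s*$", body, re.M)
                and re.search(r"^RestartSec=30\s*$", body, re.M)):
            hits.append(unit.name)
    return sorted(hits)


def check_host(root="/", home=None):
    """Collect (kind, detail) findings for the page's host indicators under root and home.

    Pass a different root/home to examine a mounted image or a staged test tree.
    """
    root = Path(root)
    home = Path(home) if home is not None else Path.home()
    findings = []
    for rel in ROOT_ARTIFACTS:
        if (root / rel).exists():
            findings.append(("artifact", str(root / rel)))
    for rel in HOME_ARTIFACTS:
        path = home / rel
        if path.is_file():
            label = match_hash(path)
            findings.append(("artifact", f"{path} [{label or 'hash not on list'}]"))
    for unit_dir in (root / "etc/systemd/system", home / ".config/systemd/user"):
        if unit_dir.is_dir():
            for name in suspicious_units(unit_dir):
                findings.append(("persistence", str(unit_dir / name)))
    # Assumed cache layout: npm keeps request keys (registry URLs) in index-v5 files,
    # so a listed package name inside one of them means the tarball was fetched.
    index = home / ".npm/_cacache/index-v5"
    if index.is_dir():
        for entry in index.rglob("*"):
            if entry.is_file():
                text = entry.read_text(errors="ignore")
                for pkg in MALICIOUS_NPM:
                    if f"/{pkg}/" in text:
                        findings.append(("npm-cache", f"{entry} [{pkg}]"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_host():
        print(f"{kind}: {detail}")
```

A persistence hit only means a unit matches the Restart=always / RestartSec=30 pair, which legitimate services also use, so the unit's ExecStart and install location still need a look; a file hash that is not on the list is reported as well, because a modified sample of ~/.local/bin/sudo is still out of place on a normal system.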