# Timeline — AUR Malware Packages (June 2026)

## Incident Timeline

- **June 9-12, 2026**: Malicious commits pushed to 408+ AUR packages
- **June 11**: First report on aur-general mailing list (Kusoneko about alvr)
- **June 11**: Andre Herbst discovers scope by grepping AUR git mirror
- **June 11**: ioctl.fail publishes technical analysis
- **June 12**: Community detection scripts published; AUR maintainers cleaning up
- **June 12**: David Runge clarifies `arojas` was impersonated via git commit forgery, not a malicious maintainer
- **June 12, 17:33**: Jonathan Grotelüschen posts HedgeDoc with updated affected package list
- **June 13**: New monitoring accounts identified (ivonahruskova, simongeisler); proposals for commit hash tracking, AUR read-only, and LLM-based scanning discussed
- **June 13**: PR #8 (drbbgh) merged — `--refresh` flag for live HedgeDoc package list
- **June 13**: PR #7 (liphiwolf) merged — `lockfile-js` detection, expanded package list

## Attack Vector — Wave 1: atomic-lockfile / lockfile-js (npm)

1. Attacker used commit forgery to impersonate maintainer `arojas`
2. Took over orphaned AUR packages via the forged identity
3. Injected `npm install atomic-lockfile` or `npm install lockfile-js` into `.install` and `.hook` files
4. The npm packages `atomic-lockfile@1.4.2` / `lockfile-js` contained a `preinstall` hook executing `./src/hooks/deps`
5. The ELF binary `deps` (SHA256: `6144D4...`) is a Rust-based credential stealer

## Attack Vector — Wave 2: js-digest (bun)

1. Additional attacker accounts `custodiatovar` and `veramagalhaes` took over orphaned packages
2. Injected `bun install js-digest` into PKGBUILD/`.install` files (same npm publisher `herbsobering`)
3. The npm package `js-digest` contained an embedded ELF payload (SHA256: `7883BD...`)
4. Affected packages include guiscrcpy, netmon-git, inadyn-mt, nodejs-elm, keepassx2, and 26+ more

## Malware Capabilities

- **Credential theft**: Discord tokens, GitHub PATs, npm tokens, Slack sessions, Teams/M365 sessions, SSH keys, Vault tokens, Docker/Podman credentials, browser cookies
- **Data exfiltration**: Uploads to `temp.sh`, C2 via Tor onion service
- **Persistence**: systemd services (root or user mode) with `Restart=always`
- **eBPF rootkit**: When run as root with CAP_BPF, hides processes, files, and socket inodes
- **Cryptominer staging**: References `/usr/bin/monero-wallet-gui` for potential crypto mining payload
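The injection shared by both waves in the attack vector sections above is a one-line `npm install ...` / `bun install ...` dropped into a PKGBUILD, `.install` or `.hook` file, which makes it cheap to grep for across a checkout of AUR package repos. The scanner below is an added example written for this page; it is not the community detection script from the timeline, nor the code from PR #7 or PR #8. It takes the three package names named in the writeup (`atomic-lockfile`, `lockfile-js`, `js-digest`) as high-severity indicators, adds a heuristic of my own (an assumption, not something the writeup states) that a pacman install scriptlet or hook has no legitimate reason to fetch from a package registry at all, and runs either over a directory given on the command line or over constructed sample files in the `SAMPLES` dict, which are invented here and are not real AUR content.

```python
import re
import sys
import tempfile
from pathlib import Path

# Indicator package names taken from the incident timeline above.
INDICATOR_PACKAGES = ("atomic-lockfile", "lockfile-js", "js-digest")

# An npm/bun install whose argument list names a known-malicious package.
KNOWN_BAD_RE = re.compile(
    r"\b(?:npm|bun)\s+(?:install|i|add)\b[^\n;&|]*?\b("
    + "|".join(re.escape(p) for p in INDICATOR_PACKAGES)
    + r")\b"
)
# Heuristic added here (assumption, not from the writeup): a pacman install
# scriptlet (.install) or hook (.hook) has no business pulling code from a
# package registry, so any npm/bun fetch there is reported at medium severity.
REGISTRY_FETCH_RE = re.compile(r"\b(?:npm|bun|npx|bunx)\s+(?:install|i|add)\b")

SCRIPTLET_SUFFIXES = {".install", ".hook"}


def scan_text(name: str, text: str) -> list[dict]:
    """Return one finding per offending line of a PKGBUILD/.install/.hook."""
    findings = []
    is_scriptlet = Path(name).suffix in SCRIPTLET_SUFFIXES
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        m = KNOWN_BAD_RE.search(line)
        if m:
            findings.append({"file": name, "line": lineno, "severity": "high",
                             "indicator": m.group(1), "text": stripped})
        elif is_scriptlet and REGISTRY_FETCH_RE.search(line):
            findings.append({"file": name, "line": lineno, "severity": "medium",
                             "indicator": "registry-fetch-in-scriptlet", "text": stripped})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout of AUR package repos and scan every relevant file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.name == "PKGBUILD" or path.suffix in SCRIPTLET_SUFFIXES):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


# Constructed sample files modelled on the two waves; not real AUR content.
SAMPLES = {
    "pkg-a/pkg-a.install": (
        "post_install() {\n"
        "    npm install atomic-lockfile >/dev/null 2>&1 || true\n"
        "    update-desktop-database -q\n"
        "}\n"
    ),
    "pkg-b/PKGBUILD": "pkgname=pkg-b\nbuild() {\n  bun install js-digest\n  make\n}\n",
    # Legitimate nodejs-style PKGBUILD: npm install of a local tarball, not flagged.
    "pkg-c/PKGBUILD": (
        "package() {\n"
        '  npm install -g --prefix "$pkgdir/usr" "$srcdir/$pkgname-$pkgver.tgz"\n'
        "}\n"
    ),
    "pkg-d/pkg-d.hook": "[Action]\nExec = /bin/sh -c 'npm install some-other-pkg'\n",
}


def demo() -> list[dict]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    results = demo() if len(sys.argv) < 2 else scan_tree(Path(sys.argv[1]))
    for f in results:
        print(f"{f['severity']:6} {f['file']}:{f['line']}  [{f['indicator']}]  {f['text']}")
```

Run it as `python aur_scan.py /path/to/aur-checkout` to scan a real tree, or with no argument to see the findings on the constructed samples. Plain PKGBUILDs that run `npm install` in `build()` or `package()` (the nodejs-* packaging pattern) are deliberately not flagged unless they name one of the known packages, which keeps the noise down on legitimate Node packages. The obvious caveat is that this is string matching: a command assembled from variables or decoded at runtime will slip past it, so treat hits as triage leads and the HedgeDoc package list from the timeline as the authoritative scope.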