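The same toolkit as the Rust-based malware "IronWorm" introduced on June 4 is now reported to be distributed in "AtomicArch", an attack campaign that hijacks packages in the AUR, the volunteer-run repository of Arch, one of the Linux distributions. The contents are unchanged, including the eBPF rootkit that runs in the core of the OS, C2 over Tor, and theft of cryptocurrency wallets; only the distribution method, which until now self-propagated through npm/GitHub, has been replaced with AUR hijacking. This technique is said to be characterized by the attacker not building new trust, but taking over ownership of existing packages that were abandoned without a maintainer, hijacking along with them the trust users have already placed in them. [Summary of key points] - The attackers append, to the build/install definitions such as the PKGBUILD of the AUR packages they took over, a post-processing step that pulls in the malicious npm package atomic-lockfile, which is fetched and executed when users build and install the package - The actual malware is placed not in the package itself but in external npm dependencies (atomic-lockfile and others). This makes it easier to slip past conventional detection, and it is described as a route that exploits the transfer of ownership of existing packages, distinct from typosquatting or brand-name impersonation - atomic-lockfile bundles a Linux executable, launched via preinstall (a script run automatically at install time). On June 12, as a second wave, a route using the JavaScript runtime Bun instead of npm, and other packages such as js-digest and lockfile-js, were also confirmed - The payload has mechanisms for debugger detection via ptrace and for data exfiltration (POST /upload), and when run with root privileges it can reportedly hide processes, files and communications using eBPF. The theft targets are broad, covering GitHub, SSH, HashiCorp Vault, browser cookies and Slack/Discord/Teams/Telegram, and these are analyzed as matching the IronWorm implementation - Affected are machines that built and installed the relevant AUR packages; the official Arch repositories are not affected. The count rose sharply from the initial several dozen, and it is also reported that it may reach a scale of up to about 1,500 across multiple waves (severity CVSS 8.7, no CVE assigned) The same toolkit was thus used in another distribution route, AUR hijacking, following the npm/GitHub worm. Only the distribution method was swapped while the payload stayed as it was, and the same implementation appears to be reused while changing routes. For details, see: x.com/JFrogSecurity/status/2… sonatype.com/blog/atomic-arc…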

Evolution of a threat 🚨 The payload in the recent #AtomicArch campaign (hijacking 400 AUR packages) is the exact same toolkit used in the earlier IronWorm attack. 🦀 Same Payload: Rust eBPF rootkit, ChaCha-encrypted strings, Tor C2 (/api/agent), and broad stealer/Exodus trojanizer. 📦 Different Delivery: IronWorm was a self-replicating npm/GitHub worm, while this new wave hijacks orphaned AUR packages to propagate.
4
875
🚨 🚨 HUGE Arch Linux Supply-Chain Attack: "Atomic Arch" 🚨 If you use Arch Linux and the AUR, read this immediately. Threat actors have hijacked hundreds of community-maintained packages to deploy a massive credential-stealer and eBPF-based rootkit. Here is what you need to know: 🔍 How It Happened Target: The Arch User Repository (AUR). Official Arch repos are safe. The Trick: Attackers took over abandoned/"orphaned" packages. They didn't modify the apps themselves; they injected malicious npm / bun install commands into the PKGBUILD scripts. The Trap: Because it's in the build phase, the malware runs before the software even compiles. 💀 What the Malware Does Steals Developer Data: Instantly harvests SSH keys, AWS credentials, GitHub tokens, crypto wallets, and browser session cookies (bypassing MFA). Deep Persistence: If built with root/sudo, it drops an eBPF rootkit that completely hides its processes from ps and htop by masking as normal kernel threads. 🛡️ What You Need to Do NOW Audit Logs: Check your recent AUR build history/caches for atomic-lockfile or js-digest. Rotate Everything: If you updated a compromised package, assume all API keys, SSH keys, and passwords on that machine are compromised. Burn and rotate them immediately. Nuke & Reinstall: Because eBPF rootkits are incredibly stealthy, a standard malware scan won't cut it. If it ran as root, wipe the drive and reinstall from scratch. Stay vigilant, read your PKGBUILD files before installing, and double-check recently adopted packages! 💻⚠️
37
I wonder what that atomic-lockfile malware actually did.
5
🛡️ Dragon-Lady Push-Guard has been updated to V0.2.5 with the latest vulnerabilities added. Push Guard is a local Git pre-push guard for likely secret leaks. It scans the content being pushed, reports likely secret patterns, redacts all matched values, and exits nonzero so Git blocks the push. pip install push-guard Current Signals: -GitHub classic token prefixes: ghp_, gho_, ghu_, ghs_, ghr_ -GitHub fine-grained token prefix: github_pat_ -OpenAI-style sk-... tokens -AWS access key IDs: AKIA... / ASIA... -private key block markers -generic long api_key, token, secret, or password assignments, including underscore/dash-delimited names such as AWS_SECRET_ACCESS_KEY -Astro config loader/C2 patterns in astro.config.* and related .gitignore helper-artifact hiding, based on reported config-as-code supply-chain abuse -OpenClaw dependency versions before 2026.4.23 and risky OpenClaw open-DM/wildcard/unsandboxed configuration lines -Agentjacking-style Sentry MCP wiring and fake Sentry resolution text that tries to make coding agents run npx diagnostics -known compromised npm package names in dependency metadata, including atomic-lockfile and ecto-flag-read -AtomicArch/IronWorm-style AUR PKGBUILD, .SRCINFO, or .install metadata that references atomic-lockfile or invokes npm/npx loaders for it -DPRK/Famous Chollima-style npm loader behavior using Socket.IO, /api/service, 0001.dat, and Node execution paths -npm v12 readiness regressions in pushed npm metadata, including old npm pins, Git or remote tarball dependency sources, and broad repo .npmrc opt-ins for install-time execution or dependency fetching All evidence is redacted as <redacted> pypi.org/project/push-guard/
🛡️ Dragon-Lady push-guard has been updated to v0.2.4. pip install push-guard What's been added for detection: - Hades/Miasma LLM anti-analysis bait in executable code diffs. - Agentjacking-style Sentry MCP wiring. - Fake Sentry resolution text that tries to make coding agents run npx. - Known compromised npm package ecto-flag-read in dependency metadata. pypi.org/project/push-guard/
94
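[Over 400 AUR packages abused to distribute a rootkit/infostealer] It is reported that more than 400 packages in Arch Linux's AUR were abused to distribute a rootkit and an infostealer. The attack used a malicious npm package called atomic-lockfile, and targets secrets in developer environments such as GitHub, SSH, Vault, Docker/Podman, VPN, Slack, Teams and browser cookies. This is not a mere endpoint infection but a supply-chain attack that can lead to secondary intrusion into repositories, CI/CD and cloud environments. AUR users should check for affected packages, post-install steps in PKGBUILDs and traces of atomic-lockfile, and if infection is suspected, prioritize credential rotation. #CyberSecurity #SupplyChain #Linux #ArchLinux #AUR #Infostealer #DevSecOps bleepingcomputer.com/news/se…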
207
400 Arch Linux AUR packages are pushing a rootkit. A new maintainer spoofed a trusted publisher and injected preinstall scripts that download a malicious npm package called atomic-lockfile. It's a credential stealer with eBPF rootkit capabilities targeting browser data, Slack, Teams, Discord, GitHub, npm, Vault, Docker. AUR isn't vetted. Anyone who's run yay -S knows you're trusting strangers with root on your machine. I've been there. The difference between a package manager and a supply chain attack is one maintainer change I didn't notice. Read More: bleepingcomputer.com/news/se…
34
If you pulled a TanStack package off npm around June 10, the Mini Shai-Hulud worm may have reached you. It spread to 170 packages across scopes like MistralAI and UiPath, all carrying valid provenance signatures. How far back are you willing to audit your lockfile?
30
uhmm, I think a bundled package lockfile is basically shrinkwrap, no? that's used for consumers too
1
152
Homebrew 6.0.0 shipped. What's actually new: - Dependencies resolve ~40% faster on large graphs (they rewrote the solver) - Native Apple Silicon bottles for everything — no more Rosetta fallback - Brewfile.lock.json — finally deterministic installs across machines The speedup isn't marketing. They switched from a custom SAT solver to a CDCL-based approach. For non-nerds: it makes smarter guesses and backtracks less. One gripe: the new lockfile doesn't pin to exact commit hashes, just versions. So you're still trusting upstream tags. Better than nothing, but not fully reproducible. If you manage dev environments across multiple Macs, this is worth the upgrade.
8
Replying to @jasonzhou1993
Manage the /stop-slop skill with qvr — not just install it: qvr add github.com/hardikpandya/stop… → commit-pinned in a reproducible lockfile → qvr switch improve --latest to bump versions → trace every time the skill actually fires Skills you can version audit, not just drop in a folder. github.com/astra-sh/qvr
2
592
Replying to @cyrusnewday @grok
It's not even the right command either. We need a way to honor a frozen lockfile *within the dependency*
1
106
Replying to @mitsuhiko
😔 sad I moved all my projects to bun @grok does pnpm have something like bun install’s frozen lockfile? Just curious
2
89
Replying to @mitsuhiko
bun install --frozen-lockfile?
1
1
379
Replying to @mitsuhiko
Try `bun --frozen-lockfile`
1
166
Aguara helps teams answer a practical question: Can we trust this repository before we install it, run it in CI, or give it to an AI coding agent? That question is getting harder to answer. A repo is no longer just source code. It can carry lockfiles, install scripts, package-manager policy, dependency aliases, CI assumptions, agent instructions, and local agent configuration. Any of those can change what gets trusted or executed. Over the last week, we expanded Aguara across that workflow: > more known-malicious package coverage from lockfiles, including around 202,000 additional package entries visible to local checks > npm v12 and pnpm trust-policy checks > alias resolution, so a dependency cannot hide behind another name > Bun and Yarn Berry lockfile coverage before install > checks for agent config and instruction files > CI baseline/diff mode, so teams can adopt it without blocking on old findings > fuzzing across parser surfaces, so malformed repo files cannot easily crash the scanner The goal is not more alerts. The goal is to give developers, DevOps teams, and security teams a fast local review before trust becomes execution. No package execution. No scan-time network calls. No telemetry. No LLM calls.
1
1
3
406
🚀 Introducing ScaffBench. Even with Fable 5 captured! A benchmark for measuring how good AI coding agents are at creating real fullstack projects. We tested 3 creation paths for each agent: 📝 Prompt-only - agent writes every file, manifest, and lockfile from scratch. No help. 📦 BF mention - no MCP tools, but the prompt names the Better-Fullstack CLI and docs. Agent composes the create command itself. ⚡ MCP - agent uses the Better-Fullstack MCP. Same specs. Same prompts. Same validation. The only variable was the creation mode. ScaffBench confirmed what I felt while building Better-Fullstack: Agents are great at deciding what to build. They're much worse at hand-writing every config, package version, lockfile, and framework edge case from scratch. Give them tools and even smaller models become genuinely useful. 102 runs. 15 models. 5 agent CLIs. The pattern held every time. better-fullstack.dev/blog/sc… better-fullstack.dev/
3
1
5
628
Replying to @CR1337
🚨 AUR malware (atomic-lockfile/lockfile-js/nextfile-js, 1500 pkgs). Bash script that detects by behavior, not name lists: npm/bun in .install hooks, shell obfuscation, /tmp payloads. Read-only. 🔗 gist.github.com/l33tm4st3r/f… #ArchLinux #infosec
2
237
If you use AUR for any reason, please check all of your build files, especially PKGBUILD for any traces of calling out either js-digest or atomic-lockfile from the npm package manager. If you have installed either, your computer has malware. Do not install if you see these.
28
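The check several of these posts recommend (reading AUR build files for the npm package names they report), as an added example that is not taken from any of the posts or tools mentioned. The package-manager regex, the function names and the sample PKGBUILD are constructed assumptions; the directory to scan is whatever folder holds your AUR clones.

```python
import re
import sys
from pathlib import Path

# npm package names the posts above report as malicious.
BAD_NAMES = ("atomic-lockfile", "js-digest", "lockfile-js", "nextfile-js")
NAME_RE = re.compile("|".join(re.escape(n) for n in BAD_NAMES))
# Assumed heuristic: a JS package manager being invoked from a build file.
PM_CALL = re.compile(
    r"\b(?:npm\s+(?:install|i|ci|exec)|bun\s+(?:install|i|add|x)|npx|bunx)\b")
# AUR metadata files that can carry build-time or install-time commands.
BUILD_FILES = ("PKGBUILD", ".SRCINFO")

def scan_text(text):
    """Return (line_no, reason, line) findings for one build file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = NAME_RE.search(line)
        if m:
            findings.append((no, "known-bad package " + m.group(0), line.strip()))
        elif PM_CALL.search(line):
            findings.append((no, "package-manager call in build file", line.strip()))
    return findings

def scan_tree(root):
    """Read-only walk over a directory of AUR clones; nothing is executed."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.name in BUILD_FILES or path.suffix == ".install"):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample shaped like the pattern the posts describe (not a real PKGBUILD).
SAMPLE = """pkgname=example-tool
build() {
  cd "$srcdir"
  npm install atomic-lockfile
  make
}
"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE)}
    for name, hits in found.items():
        for no, why, line in hits:
            print(f"{name}:{no}: {why}: {line}")
```

A "package-manager call" finding is a prompt to read that line, since legitimate Node-based AUR packages also invoke npm during their build; a "known-bad package" finding matches one of the names reported above.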
Jun 13
Replying to @shadcn
Manage the /improve skill with qvr — not just install it: qvr add github.com/shadcn/improve → commit-pinned in a reproducible lockfile → qvr switch improve --latest to bump versions → trace every time the skill actually fires Skills you can version audit, not just drop in a folder. github.com/astra-sh/qvr
10
1,158