
400+ AUR Packages Hit by Supply Chain Attack with eBPF Rootkit

Hacker News

Arch Linux users face a significant supply chain compromise after maintainer 'arojas' infected 408+ AUR packages with malicious code. The packages were modified with preinstall scripts that leverage npm to install the atomic-lockfile payload, marking a serious breach of Arch's user repository system.

The malicious payload combines infostealer behavior with an eBPF rootkit, which is unusual for AUR supply chain attacks. Socket.dev shows the atomic-lockfile NPM package had 134 downloads, indicating potential exposure beyond just Arch users. The attacker's GitHub profile reveals a container image that functions as a reverse shell tool, suggesting premeditated malicious intent.

Affected users should immediately check their systems using the aur_check.sh script and review Ioctl's detailed analysis for indicators of compromise. Given the rootkit presence, normal compromise procedures apply: rotate all credentials and consider complete system reinstallation. Package trust has been fundamentally broken.
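The indicator the brief describes is a pacman install hook that shells out to npm to pull in the atomic-lockfile package. The following scanner is an added example, not the aur_check.sh script or Ioctl's tooling: it extracts the bodies of the standard pre/post hook functions from an Arch .install file, flags any hook that invokes npm, and flags any mention of the package name given on the page. The sample install scripts are constructed, and the npm heuristic is an assumption; treat a hit as a reason to inspect, not proof of compromise.

```python
import re
from typing import List, Tuple

# Arch .install scripts define hook functions such as pre_install().
# A hook that reaches for npm is unusual and is the pattern the brief describes.
HOOK_RE = re.compile(r'^\s*(pre_install|post_install|pre_upgrade|post_upgrade)\s*\(\)\s*\{', re.M)
NPM_RE = re.compile(r'\b(npm|npx)\b\s+(i|install|exec)\b')
KNOWN_BAD = {"atomic-lockfile"}  # package name taken from the brief above


def hook_bodies(text: str) -> List[Tuple[str, str]]:
    """Return (hook_name, body) pairs by brace matching from each hook header."""
    out = []
    for m in HOOK_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        out.append((m.group(1), text[m.end():i - 1]))
    return out


def scan_install_script(text: str) -> List[str]:
    """List findings: npm invoked inside a hook, plus any known-bad package name."""
    findings = []
    for name, body in hook_bodies(text):
        if NPM_RE.search(body):
            findings.append(f"{name}: invokes npm")
    for pkg in KNOWN_BAD:
        if pkg in text:
            findings.append(f"references known-bad package {pkg}")
    return findings


# Constructed samples: a benign hook and one matching the described behaviour.
BENIGN = "post_install() {\n  update-desktop-database -q\n}\n"
SUSPECT = ("pre_install() {\n  if command -v npm >/dev/null; then\n"
           "    npm install -g atomic-lockfile >/dev/null 2>&1\n  fi\n}\n")

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_install_script(script) or ["clean"])
```

To run it over a system, feed it the contents of each `/var/lib/pacman/local/*/install` file (assumed path of pacman's stored install scripts) and review every package that produces a finding.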

This attack demonstrates the persistent risks in community-maintained repositories, where a package that has gained adoption can quickly turn malicious. While such compromises are rare, the combination of stealthy rootkit techniques with credential theft represents a sophisticated threat that bypasses traditional security measures.