<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Aglair</title>
    <description>The latest articles on DEV Community by Aglair (@aglairdev).</description>
    <link>https://dev.to/aglairdev</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3976556%2F94faf5ed-cbb1-4f2e-aa98-3fdc59a22a72.jpg</url>
      <title>DEV Community: Aglair</title>
      <link>https://dev.to/aglairdev</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aglairdev"/>
    <language>en</language>
    <item>
      <title>+400 pacotes AUR foram comprometidos: Atomic Arch</title>
      <dc:creator>Aglair</dc:creator>
      <pubDate>Sat, 13 Jun 2026 00:04:32 +0000</pubDate>
      <link>https://dev.to/aglairdev/400-pacotes-aur-foram-comprometidos-atomic-arch-4ad4</link>
      <guid>https://dev.to/aglairdev/400-pacotes-aur-foram-comprometidos-atomic-arch-4ad4</guid>
      <description>&lt;p&gt;Dia 11 de junho de 2026 (ontem), um atacante assumiu o controle de mais de 400 pacotes do &lt;strong&gt;Arch User Repository (AUR)&lt;/strong&gt; modificando seus scripts de compilação para instalar malware em quem fizesse atualização ou instalação desses pacotes. O caso foi batizado de &lt;strong&gt;Atomic Arch&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  O que aconteceu?
&lt;/h2&gt;

&lt;p&gt;O AUR permite que qualquer usuário "adote" pacotes órfãos (abandonados pelos mantenedores originais). O atacante se aproveitou disso: assumiu centenas de pacotes e alterou os arquivos &lt;code&gt;PKGBUILD&lt;/code&gt; para que, durante a instalação, fosse baixado e executado um pacote npm malicioso.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Duas ondas do ataque:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;1ª onda:&lt;/strong&gt; pacote npm &lt;code&gt;atomic-lockfile&lt;/code&gt; (executado via &lt;code&gt;npm install&lt;/code&gt; no build)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2ª onda:&lt;/strong&gt; pacote &lt;code&gt;js-digest&lt;/code&gt; (usando Bun como runtime)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;O malware é um binário Linux chamado &lt;code&gt;deps&lt;/code&gt; (Rust) que funciona como &lt;strong&gt;infostealer + rootkit eBPF&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  O que o malware rouba?
&lt;/h2&gt;

&lt;p&gt;O binário vasculha a máquina atrás de:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GitHub&lt;/strong&gt;: tokens de acesso, SSH keys&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Navegadores baseados em Chromium&lt;/strong&gt;: cookies, sessões, tokens&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Slack, Discord, Microsoft Teams, Telegram&lt;/strong&gt;: tokens de sessão e dados de API&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;HashiCorp Vault&lt;/strong&gt;: tokens&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SSH&lt;/strong&gt;: chaves privadas, known_hosts&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Docker/Podman&lt;/strong&gt;: credenciais de registro&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;VPN&lt;/strong&gt;: arquivos &lt;code&gt;.ovpn&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Históricos de shell&lt;/strong&gt; (bash, zsh, fish)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;npm, OpenAI/ChatGPT&lt;/strong&gt;: tokens de API&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Se executado como &lt;strong&gt;root&lt;/strong&gt;, o malware ativa um &lt;strong&gt;rootkit eBPF&lt;/strong&gt; que se esconde dentro do kernel, escondendo processos, arquivos e sockets de ferramentas de inspeção comuns.&lt;/p&gt;

&lt;p&gt;Ele também cria &lt;strong&gt;persistência via systemd&lt;/strong&gt; (como root ou usuário) e envia os dados roubados para um servidor C2 na rede Tor + upload externo via &lt;code&gt;temp.sh&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  O que &lt;strong&gt;NÃO&lt;/strong&gt; foi afetado
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Os repositórios &lt;strong&gt;oficiais&lt;/strong&gt; do Arch Linux (&lt;code&gt;[core]&lt;/code&gt;, &lt;code&gt;[extra]&lt;/code&gt;, &lt;code&gt;[multilib]&lt;/code&gt;) &lt;strong&gt;não&lt;/strong&gt; foram comprometidos&lt;/li&gt;
&lt;li&gt;Apenas pacotes do &lt;strong&gt;AUR&lt;/strong&gt; foram atingidos&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Como verificar
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Manualmente&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Lista os pacotes AUR instalados&lt;/span&gt;
pacman &lt;span class="nt"&gt;-Qm&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Compare a saída com a lista oficial de pacotes comprometidos mantida pela equipe do Arch Linux:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://md.archlinux.org/s/SxbqukK6IA" rel="noopener noreferrer"&gt;https://md.archlinux.org/s/SxbqukK6IA&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Automatizado&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Script que compara seus pacotes contra a lista oficial ao vivo:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14" rel="noopener noreferrer"&gt;https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-fsSL&lt;/span&gt; https://gist.githubusercontent.com/Kidev/85756c3dcad3623ca5604a8135bafd14/raw/check_aur_infected.sh | bash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  E se meu sistema estiver infectado?
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Caso tenha fé:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Rotacione TODAS as credenciais: GitHub, SSH, tokens de API, cookies, senhas&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Caso contrário:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Considere reinstalar o Arch: o rootkit eBPF pode sobreviver a tentativas normais de limpeza&lt;/li&gt;
&lt;li&gt;Se o malware foi executado como root, o sistema não pode mais ser confiado sem uma reinstalação completa&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Links
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://archlinux.org/news/active-aur-malicious-packages-incident/" rel="noopener noreferrer"&gt;Arch Linux News: comunicado oficial&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://md.archlinux.org/s/SxbqukK6IA" rel="noopener noreferrer"&gt;Lista oficial de pacotes (Arch Linux HedgeDoc)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://gist.github.com/Kidev/85756c3dcad3623ca5604a8135bafd14" rel="noopener noreferrer"&gt;Script de verificação automatizada&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>linux</category>
      <category>security</category>
      <category>archlinux</category>
      <category>braziliandevs</category>
    </item>
  </channel>
</rss>
