Over 400 Arch Linux AUR Packages Hijacked To Deploy Infostealer And eBPF Rootkit

A large-scale supply chain attack targeting Arch Linux users has compromised more than 400 packages in the Arch User Repository (AUR), exposing developers and system administrators to credential theft and stealthy malware infections. Security researchers reported that attackers hijacked abandoned AUR packages and altered their build scripts to silently install a malicious information stealer whenever the package was built, installed, or updated. The campaign, identified by Sonatype as “Atomic Arch,” specifically targeted orphaned projects whose maintainers were no longer active, allowing the threat actors to adopt the packages without raising immediate suspicion. Researchers emphasized that the official Arch Linux repositories were not affected; the attack was confined to the community-maintained AUR, where each package is built locally from its PKGBUILD, so anything an attacker adds to the build instructions executes on the user's own machine. The incident has raised concerns about software trust models, since the attackers kept the package names, histories, and reputations intact while quietly modifying the build instructions to execute malicious payloads.

According to findings from Sonatype and independent researchers, the attackers manipulated package build files, including PKGBUILD and .install scripts, so that the package build pulled in a malicious npm package named atomic-lockfile. That package reportedly carried a preinstall hook that executed a bundled Linux ELF binary named “deps,” which launched malware designed to steal sensitive information from the infected system. Confirmed affected examples included alvr and premake-git, and community trackers estimate the total number of compromised packages has exceeded 400 and may continue to rise as investigations progress. Researchers said the malware, written in Rust, specifically targeted developer environments and enterprise workstations, harvesting browser cookies, authentication tokens, SSH credentials, shell history, Docker and Podman access details, VPN configurations, GitHub and npm credentials, HashiCorp Vault tokens, and account information tied to OpenAI and ChatGPT services. Stolen data was reportedly exfiltrated over plain HTTP to temporary hosting infrastructure, while command and control ran over Tor onion services reached through a local proxy.
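The injection pattern described above, npm or bun install commands dropped into PKGBUILD or .install files and an npm manifest whose lifecycle hook launches a bundled file, is mechanical enough to scan for. The following Python script is an added example, not Sonatype's or the Arch project's tooling: it reports package-manager invocations in build files and flags package.json hooks that execute something shipped in the tarball. The sample inputs are constructed to mimic the reported shape; this page does not quote the exact lines from the real packages, so their wording may differ. The default cache directories it walks are the usual clone locations of the yay and paru helpers, an assumption about which helper is in use.

```python
"""Triage helpers for build-time package injection in AUR clones.
Added example, not Sonatype's or the Arch project's own tooling; the
SAMPLE_* inputs are constructed to mimic the reported pattern."""
import json
import re
import sys
from pathlib import Path

# Package-manager invocations that fetch and execute registry code at build or
# install time. A genuine Node project's PKGBUILD may legitimately run
# `npm install`, so every hit is a lead to read by hand, not a verdict.
INSTALL_RE = re.compile(r"(?:^|[\s;&|(])((?:npm|pnpm|yarn|bun|npx|bunx)\b[^;&|#]*)")

# Hooks npm runs automatically when the package is installed as a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# A hook that launches a file inside the tarball (./something), or fetches or
# decodes content, is the shape that executes a bundled native binary.
BUNDLED_EXEC_RE = re.compile(r"(?:^|[\s;&|])(?:\./\S+|chmod\b|curl\b|wget\b|base64\b|(?:ba)?sh\s+-c\b)")


def scan_build_file(text):
    """Return (line_no, command) for each npm/bun-style invocation in a
    PKGBUILD or .install script, ignoring comment lines."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for m in INSTALL_RE.finditer(line):
            hits.append((no, m.group(1).strip()))
    return hits


def scan_package_json(text):
    """Return (hook, command, severity) for each lifecycle hook in an npm
    manifest; 'high' when the hook runs a bundled file or fetches content."""
    scripts = json.loads(text).get("scripts", {}) or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        severity = "high" if BUNDLED_EXEC_RE.search(cmd) else "info"
        findings.append((hook, cmd, severity))
    return findings


def scan_path(path):
    """Walk a file or directory and print findings for build files and manifests."""
    p = Path(path).expanduser()
    files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
    for f in files:
        if f.name == "PKGBUILD" or f.suffix == ".install":
            for no, cmd in scan_build_file(f.read_text(errors="replace")):
                print(f"{f}:{no}: build-time package install: {cmd}")
        elif f.name == "package.json":
            try:
                for hook, cmd, sev in scan_package_json(f.read_text(errors="replace")):
                    print(f"{f}: [{sev}] {hook} hook: {cmd}")
            except ValueError:
                pass  # not valid JSON, skip it


# Constructed samples (not real AUR files) shaped like the reported injection.
SAMPLE_PKGBUILD = """\
# Maintainer: constructed sample, not a real AUR package
pkgname=example-git
pkgver=1.0.0
pkgrel=1
build() {
  cd "$srcdir/$pkgname"
  npm install atomic-lockfile  # hypothetical injected line
  make
}
"""
SAMPLE_INSTALL = """\
post_install() {
  bun install js-digest
}
"""
SAMPLE_PACKAGE_JSON = '{"name": "atomic-lockfile", "version": "0.0.1", "scripts": {"preinstall": "./deps"}}'

if __name__ == "__main__":
    # Default to where yay and paru keep AUR clones (an assumption about the
    # helper in use; pass explicit paths to override).
    for target in sys.argv[1:] or ["~/.cache/yay", "~/.cache/paru/clone"]:
        scan_path(target)
```

Run it against the helper's clone cache before rebuilding anything, and against the git history of an adopted package (`git log -p PKGBUILD`) to see when the line appeared relative to the maintainer change. A hit in a package that never shipped JavaScript is the strongest signal.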

Security analysts noted that the malware persisted across reboots by creating systemd services configured to restart automatically. Systems where the payload ran as root faced greater risk, because the malware could also deploy an optional eBPF rootkit designed to hide its processes, process names, and network activity from conventional monitoring tools. Researchers clarified that the rootkit did not elevate privileges on its own; it relied on administrative access already obtained during installation, since loading BPF programs into the kernel requires such privileges. Once enabled, it reportedly used hidden BPF maps to obscure malware artifacts and interfere with debugging attempts, making detection and cleanup significantly more difficult. Analysts also found a secondary file linked to monero-wallet-gui that may function as a cryptominer, though its behavior remains under investigation. Researchers stated that simply uninstalling the affected AUR packages may not fully remove the compromise, particularly where the payload ran with elevated permissions, because artifacts the malware created outside the package's tracked file list are not removed by pacman.

Further investigation revealed a second wave of attacks using a different injection, `bun install js-digest`, published from separate accounts allegedly tied to the same npm publisher responsible for atomic-lockfile. Community reports suggest this secondary campaign introduced a different malicious binary and targeted additional AUR packages. Arch maintainers have since begun reverting the malicious changes, banning the associated accounts, and encouraging users to report suspicious package behavior through the mailing list discussions. Security experts advised users who installed or updated AUR packages after June 11 to review the community-maintained lists of affected packages, inspect build histories for suspicious install commands, rotate any credentials the stealer could have reached, and investigate unknown systemd services or unexpected files. Researchers warned that recently adopted packages, or repositories showing unexpected changes after a period of inactivity, should be treated with caution, especially in open source ecosystems where trust is often inherited from a project's history rather than from active verification of its current maintainer. Sonatype is tracking the campaign under identifier Sonatype 2026 003775 with a reported CVSS score of 8.7; no CVE identifier has been assigned at this stage.
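The persistence mechanism described two paragraphs up (a systemd service with automatic restart) and the advice here to investigate unknown systemd services share one check: find units whose binary lives somewhere pacman does not own. The following Python script is an added example, not Sonatype's or the Arch project's tooling. It parses unit files, flags an ExecStart that points into a user-writable or package-unowned location, and only escalates Restart= settings when combined with such a path, since automatic restart alone is common in legitimate units. The `pacman -Qo` call is the real pacman ownership query; the unit directories it walks and the constructed sample units are assumptions, not artifacts from the campaign.

```python
"""Triage systemd units for the reported persistence shape: a service with
automatic restart whose binary is outside any pacman-owned path.
Added example, not Sonatype's or the Arch project's tooling."""
import shlex
import subprocess
import sys
from pathlib import Path

# Locations a non-root user or a transient payload can write to; a service
# binary here is far more suspect than one under /usr.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")
# Where admin-created and user-created units live (system units shipped by
# packages sit under /usr/lib/systemd/system and are pacman-owned).
UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system", "~/.config/systemd/user")


def pacman_owns(path):
    """True if `pacman -Qo` attributes the file to an installed package."""
    try:
        return subprocess.run(["pacman", "-Qo", path], capture_output=True).returncode == 0
    except FileNotFoundError:  # not an Arch system
        return False


def exec_start_binary(unit_text):
    """Return the program path from the first ExecStart= line, or None."""
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ExecStart":
            argv = shlex.split(value.strip())
            # systemd allows executable prefixes such as "-" or "@" before the path.
            return argv[0].lstrip("-@+!:") if argv else None
    return None


def scan_unit(unit_text, is_owned=pacman_owns):
    """Return (severity, message) findings for one unit file's contents.
    is_owned is injectable so the logic can be exercised without pacman."""
    settings = {}
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings.setdefault(key.strip(), value.strip())
    binary = exec_start_binary(unit_text)
    if binary is None:
        return [("info", "no ExecStart= found")]
    findings = []
    if binary.startswith(WRITABLE_PREFIXES):
        findings.append(("high", f"ExecStart runs from a user-writable location: {binary}"))
    elif not is_owned(binary):
        findings.append(("high", f"ExecStart binary is not owned by any pacman package: {binary}"))
    restart = settings.get("Restart", "no")
    if restart in ("always", "on-failure", "on-abnormal"):
        # Restart alone is routine; it only matters next to an odd binary.
        severity = "high" if findings else "info"
        findings.append((severity, f"Restart={restart} revives the process after it is killed"))
    return findings


# Constructed sample units (not recovered from an infected host).
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample mimicking the reported persistence shape

[Service]
ExecStart=/home/dev/.local/share/deps
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""
SAMPLE_BENIGN_UNIT = """\
[Service]
ExecStart=/usr/lib/systemd/systemd-timesyncd
Restart=always
"""

if __name__ == "__main__":
    for d in (Path(p).expanduser() for p in (sys.argv[1:] or UNIT_DIRS)):
        for unit in (sorted(d.glob("*.service")) if d.is_dir() else []):
            owner = "pacman-owned" if pacman_owns(str(unit)) else "not pacman-owned"
            for severity, message in scan_unit(unit.read_text(errors="replace")):
                print(f"{unit} ({owner}): [{severity}] {message}")
```

Run it as root to cover the system directories and again as each developer user for `~/.config/systemd/user`. Where the payload ran as root, treat the results from the live system as untrusted: the eBPF rootkit described above exists to hide exactly these artifacts, so `bpftool prog show`, `bpftool map show`, and the pinned objects under /sys/fs/bpf should be compared against the same queries run from a known-good boot medium, and credential rotation should not wait for that comparison.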
