Supply chain · Ongoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)

On 11 June 2026, supply-chain security researchers at Sonatype disclosed Atomic Arch, a campaign that hijacked hundreds of packages in the Arch User Repository (AUR), the community-maintained collection of build recipes that Arch Linux users routinely compile and install on their own machines. Rather than exploiting a server-side flaw, the attackers abused the AUR's trust model: they adopted orphaned packages whose original maintainers had walked away, then rewrote the build scripts to pull in malware during installation.

What happened

Once an orphaned project was adopted, its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build. The malicious npm package, atomic-lockfile@1.4.2, carried a preinstall hook (a script npm runs automatically before the package is installed) that executed a bundled Linux ELF binary named deps: a credential stealer that, on systems where it ran as root, could load a second-stage eBPF payload (a code file named scales.bpf.c) to gain rootkit-like stealth. To make the tampering look legitimate, the attackers spoofed git commit metadata so the changes appeared to come from a long-standing maintainer; an Arch Linux Trusted User later confirmed that the impersonated account had never actually been compromised, so the commits were forged rather than pushed from a stolen account.

The stealer was built for developer workstations and build environments. Reported targets included browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub and npm credentials, HashiCorp Vault material, Docker and Podman configuration, SSH keys, VPN material, and shell histories.

Impact

  • More than 400 AUR packages were confirmed hijacked, with one community master list reaching roughly 408 entries and consolidated lists climbing higher as the investigation continued.
  • The malicious atomic-lockfile npm package had only a small footprint, roughly 134 weekly downloads before it was pulled from the registry.
  • Sonatype tracks the campaign as Sonatype-2026-003775, assigning it a CVSS score of 8.7; no CVE has been issued.
  • A second wave on 12 June switched to Bun-based installation paths, indicating the operators were actively iterating to evade detection.

Why it matters

The AUR is explicitly community-curated and carries a standing warning that users review build scripts before installing, but in practice a package's name and history are trusted far more than whoever maintains it today. Atomic Arch turns that gap into a delivery channel: an abandoned package that suddenly sprouts new install hooks now deserves the same suspicion as one from a stranger, and the PKGBUILD diff that AUR helpers such as yay and paru offer to show on every update is exactly where this class of tampering is visible. The choice of victims is also telling. By targeting Linux developer machines, which are full of SSH keys, cloud credentials, and source-control tokens, the operators positioned themselves to pivot from a single compromised workstation into the software and infrastructure those developers maintain.
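As an added example (not Sonatype's or Arch Linux's tooling), the following shell script audits locally cached AUR build recipes for the kind of install-time dependency fetch described above: package-manager invocations such as npm install or Bun commands inside PKGBUILD or .install files. The npm and bun patterns correspond to the first and second waves reported on this page; the remaining patterns (curl or wget piped to a shell, base64 decoding) are assumptions about related tampering, not indicators the page reports. The sample recipes inside demo are constructed for the demonstration and are not real AUR content.

```shell
#!/usr/bin/env sh
# Added example: flag install-time dependency fetches in AUR build scripts.
# Not Sonatype's or Arch's code. Usage:
#   sh aur-audit.sh DIR      scan DIR/PKGBUILD, DIR/*.install and one level of
#                            package subdirectories (e.g. an AUR helper's cache)
#   sh aur-audit.sh --demo   run the constructed demonstration below

# One extended regex per line. The npm and bun entries match the reported
# Atomic Arch waves; the rest are assumptions about related tampering.
SUSPICIOUS_PATTERNS='npm[[:space:]]+(install|i|ci)([[:space:]]|$)
npx[[:space:]]
bun[[:space:]]+(install|add|x)([[:space:]]|$)
bunx[[:space:]]
curl[^|]*\|[[:space:]]*(ba)?sh
wget[^|]*\|[[:space:]]*(ba)?sh
base64[[:space:]]+(-d|--decode)'

# scan_build_script FILE: print "FILE:LINE:text" for each hit.
# Returns 0 when clean, 1 when something was flagged, 2 when unreadable.
scan_build_script() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  # grep -n numbers the hits; the second grep drops commented-out lines,
  # which makepkg would not execute. '|| true' keeps a clean file from
  # tripping 'set -e' in a caller.
  findings=$(printf '%s\n' "$SUSPICIOUS_PATTERNS" | grep -En -f - -- "$file" \
             | grep -Ev '^[0-9]+:[[:space:]]*#') || true
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings" | while IFS= read -r hit; do
    printf '%s:%s\n' "$file" "$hit"
  done
  return 1
}

# scan_dir DIR: scan a single package checkout or a directory of checkouts.
# Returns 1 if any file was flagged.
scan_dir() {
  status=0
  for f in "$1"/PKGBUILD "$1"/*.install "$1"/*/PKGBUILD "$1"/*/*.install; do
    [ -f "$f" ] || continue
    scan_build_script "$f" || status=1
  done
  return "$status"
}

# demo: constructed clean and tampered recipes (not real AUR content).
# Returns the scan status, so 1 means the tampered recipe was caught.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/clean" "$tmp/tampered"
  cat > "$tmp/clean/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-tool-1.0.tar.gz")
build() { make -C "$srcdir/example-tool-1.0"; }
package() { make -C "$srcdir/example-tool-1.0" DESTDIR="$pkgdir" install; }
EOF
  cat > "$tmp/tampered/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=2
source=("https://example.invalid/example-tool-1.0.tar.gz")
build() {
  # npm install atomic-lockfile   <- commented out, so not flagged
  npm install atomic-lockfile
  make -C "$srcdir/example-tool-1.0"
}
package() { make -C "$srcdir/example-tool-1.0" DESTDIR="$pkgdir" install; }
EOF
  cat > "$tmp/tampered/example-tool.install" <<'EOF'
post_install() {
  bun install some-dep
}
EOF
  rc=0
  scan_dir "$tmp" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# With no argument nothing runs, so the file can also be sourced.
case "${1:-}" in
  --demo) demo ;;
  ?*) scan_dir "$1" ;;
esac
```

A non-zero exit means review the flagged lines by hand; a build recipe that compiles a tarball has no business invoking a package manager, but a legitimate Node or Bun project's PKGBUILD will trigger these patterns too, so the script is a prompt for review, not a verdict.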

Timeline

  1. Sonatype researchers disclose the 'Atomic Arch' campaign after spotting orphaned AUR packages whose build scripts had been modified to pull a malicious npm dependency.

  2. Community trackers and the Arch aur-general mailing list begin cataloguing the affected packages, with one consolidated list reaching roughly 408 entries.

  3. A second wave is observed using Bun-based installation paths instead of npm alone; consolidated community lists climb into the thousands while AUR maintainers remove malicious commits and ban the accounts pushing them.

Sources

  1. sonatype.com: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency
  2. thehackernews.com: https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
  3. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/
  4. hackread.com: https://hackread.com/atomic-arch-hijacks-linux-aur-packages-malware/
  5. privacyguides.org: https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/
  6. cybersecuritynews.com: https://cybersecuritynews.com/arch-linux-aur-packages-compromised/

Related incidents

Supply chain · Contained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers: ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B