Full Report
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate
Analysis Summary
# Incident Report: "Atomic Arch" AUR Supply Chain Attack
## Executive Summary
In June 2026, attackers hijacked over 400 packages in the Arch User Repository (AUR) by adopting orphaned projects and injecting malicious build scripts. The compromise functioned as a supply chain attack, deploying a Rust-based credential stealer and an optional eBPF rootkit on systems that built the affected packages. The primary goal was the theft of developer secrets, including cloud tokens, SSH keys, and browser credentials.
## Incident Details
- **Discovery Date:** June 11, 2026
- **Incident Date:** June 11–12, 2026
- **Affected Organization:** Arch User Repository (AUR) Community
- **Sector:** Technology / Software Development / Open Source
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing on or slightly before June 11, 2026.
- **Vector:** Exploitation of the AUR "orphan" system.
- **Details:** Attackers adopted abandoned (orphaned) packages through the AUR's normal adoption process. They then modified the `PKGBUILD` or `.install` scripts to include a malicious dependency.
### Lateral Movement
- **Mechanism:** Not applicable in the traditional network sense; the attack moved from the AUR repository to local developer workstations and build environments via malicious package updates.
### Data Exfiltration/Impact
- **Details:** The malware targeted a wide array of secrets, including Chromium-based browser cookies, Slack/Discord sessions, GitHub/npm/Vault tokens, SSH keys, and Docker/VPN credentials. Data was exfiltrated to `temp[.]sh`.
### Detection & Response
- **Discovery:** Identified by security researchers (Sonatype and Whanos) and community members noticing suspicious activity in the AUR git mirror.
- **Response Actions:** Malicious npm packages were pulled; AUR Trusted Users began reverting/removing compromised packages; community trackers were established to list affected software.
## Attack Methodology
- **Initial Access:** Adoption of orphaned community packages and spoofing git commit metadata to appear legitimate.
- **Persistence:** Installation of systemd services (root-level in `/etc/systemd/system/` or user-level in `~/.config/systemd/user/`).
- **Privilege Escalation:** No specific exploit used; the malware relied on being executed by users with `sudo` or root privileges during the build process.
- **Defense Evasion:** Implementation of an eBPF rootkit (when root is available) to hide PIDs, socket inodes, and process names. It also prevents debugger attachments.
- **Credential Access:** Harvesting of local storage, tokens, and flat files from browsers and developer tools.
- **Discovery:** Local environment reconnaissance for cloud and container configuration files.
- **Collection:** Automated gathering of SSH keys, shell histories, and session tokens.
- **Exfiltration:** Data sent over HTTP to a temporary file-sharing service; C2 communication via Tor onion service.
- **Impact:** Potential installation of a Monero cryptominer tied to `monero-wallet-gui`.
## Impact Assessment
- **Financial:** Possible theft of cryptocurrency; secondary costs related to incident response and credential rotation.
- **Data Breach:** High volume of sensitive developer credentials, potentially leading to downstream supply chain compromises.
- **Operational:** Disruption to developer workflows and the need for full system reinstalls for affected users.
- **Reputational:** Erosion of trust in community-maintained repositories.
## Indicators of Compromise
- **Network Indicators:**
  - Traffic to `temp[.]sh` (Exfiltration)
  - Local loopback proxy traffic associated with Tor onion services (C2)
- **File Indicators:**
  - Malicious npm package: `atomic-lockfile`
  - Binary payload: `deps` (Rust ELF)
  - eBPF pinned maps: `hidden_pids`, `hidden_names`, `hidden_inodes`
- **Behavioral Indicators:**
  - Unauthorized `systemd` unit creation with `Restart=always`.
  - `npm install` commands triggered unexpectedly during a `makepkg` process.
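A triage sketch for the file and behavioral indicators above, added here as an example and not taken from the researchers' tooling. The function names, the `/home/*` layout and the default bpffs mount point `/sys/fs/bpf` are assumptions; `Restart=always` is common in legitimate units, so the unit list is a review queue, not a verdict.

```python
import os
import sys
from pathlib import Path

# Map names and unit directories are taken from this report's indicator lists.
BPF_MAP_NAMES = {"hidden_pids", "hidden_names", "hidden_inodes"}
UNIT_GLOBS = ("etc/systemd/system", "root/.config/systemd/user",
              "home/*/.config/systemd/user")

def parse_unit(text):
    """Return {key: [values]} for the directives of a unit file, ignoring comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives.setdefault(key.strip(), []).append(value.strip())
    return directives

def restart_always_units(root="/"):
    """List (path, ExecStart values) for regular-file services that set Restart=always."""
    hits = []
    for pattern in UNIT_GLOBS:
        for unit_dir in Path(root).glob(pattern):
            for unit in sorted(unit_dir.glob("*.service")):
                if unit.is_symlink() or not unit.is_file():
                    continue  # aliases and masks are skipped; review their targets separately
                d = parse_unit(unit.read_text(errors="replace"))
                if d.get("Restart", [""])[-1].lower() == "always":
                    hits.append((str(unit), d.get("ExecStart", [])))
    return hits

def pinned_rootkit_maps(bpffs="/sys/fs/bpf"):
    """List pinned objects under bpffs whose name matches a reported map name."""
    return sorted(os.path.join(dirpath, name)
                  for dirpath, _dirs, files in os.walk(bpffs)
                  for name in files if name in BPF_MAP_NAMES)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"  # "/" or a mounted disk image
    for path, execs in restart_always_units(root):
        print(f"REVIEW unit {path} ExecStart={execs}")
    for path in pinned_rootkit_maps(os.path.join(root, "sys/fs/bpf")):
        print(f"IOC pinned eBPF map {path}")
```

Pinned maps exist only on a running system, so the bpffs check is empty on a mounted image, while the unit scan works on both.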
## Response Actions
- **Containment:** Removal of the `atomic-lockfile` package from npm.
- **Eradication:** Deletion of hijacked packages from the AUR; rotation of all potentially compromised developer secrets (GitHub tokens, SSH keys, etc.).
- **Recovery:** Users who ran the malicious builds are advised that a wipe/reinstall is necessary due to the rootkit capability.
## Lessons Learned
- **Trust Model Risks:** Community repositories that allow easy adoption of orphaned packages are high-risk targets for supply chain attacks.
- **Rootkit Complexity:** The use of eBPF signifies an increase in the sophistication of "commodity" malware targeting Linux users.
- **Verification Gaps:** Spoofing git metadata remains an effective way to deceive users into trusting malicious commits.
## Recommendations
- **Pre-Build Auditing:** Users should inspect `PKGBUILD` scripts before running them, especially for projects with recent maintainer changes.
- **Repository Governance:** Implement stricter verification for adopting orphaned packages (e.g., waiting periods or mandatory review by Trusted Users).
- **Environment Isolation:** Use isolated build environments (containers or VMs) to prevent host-level credential theft and persistence.
- **Secret Management:** Utilize hardware security modules (HSM) or short-lived tokens to reduce the impact of local credential theft.
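One way to automate part of the pre-build audit, as an added example that is not from the report or any AUR tooling: it scans `PKGBUILD` or `.install` text for `npm`/`pnpm`/`yarn` install commands that name a registry package instead of a local path or tarball, and marks the package named in this report. Function names, the heuristics and the sample script are assumptions; a clean result does not replace reading the script.

```python
import re
import shlex

WATCHLIST = {"atomic-lockfile"}   # npm package named in this report
MANAGERS = {"npm", "pnpm", "yarn"}
VERBS = {"install", "i", "add"}
# Arguments that are not registry package names: options, paths, variables, tarballs, redirections.
NOT_A_PACKAGE = re.compile(r"^(-|\.{0,2}/|\$|file:|\d*[<>&])|\.(tgz|tar\.gz)$")

def package_name(spec):
    """Strip a version suffix: 'pkg@1.0' -> 'pkg', '@scope/pkg@1.0' -> '@scope/pkg'."""
    return spec[0] + spec[1:].partition("@")[0]

def audit_build_script(text):
    """Return (level, package, command) for installs that name a registry package."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continued lines
        if line.lstrip().startswith("#"):
            continue
        for cmd in re.split(r"&&|\|\||[;|]", line):
            try:
                words = shlex.split(cmd)
            except ValueError:        # unbalanced quotes: not a simple command
                continue
            for i, word in enumerate(words[:-1]):
                if word in MANAGERS and words[i + 1] in VERBS:
                    for arg in filter(None, words[i + 2:]):
                        if NOT_A_PACKAGE.search(arg):
                            continue
                        name = package_name(arg)
                        level = "ioc" if name in WATCHLIST else "review"
                        findings.append((level, name, cmd.strip()))
    return findings

# Constructed sample, not a real AUR package; package names other than the watchlist entry are made up.
SAMPLE_PKGBUILD = r'''
pkgname=example-tool
pkgver=1.0
package() {
  npm install -g --prefix "$pkgdir/usr" \
      "$srcdir/$pkgname-$pkgver.tgz"
  cd "$srcdir" && npm install atomic-lockfile some-dep@1.3.0
}
'''

if __name__ == "__main__":
    for level, name, cmd in audit_build_script(SAMPLE_PKGBUILD):
        print(f"{level.upper():6} {name:18} {cmd}")
```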