An AUR supply chain attack backdoored more than 400 Arch Linux packages starting 11 June 2026, dropping a Rust-based credential stealer and an eBPF rootkit on any system that built a compromised package. Sonatype, which named the campaign Atomic Arch, counted 408 affected packages in the first wave. By 12 June a second wave pushed the total to more than 1,500 compromised packages according to PrivacyGuides. The campaign carries CVSS 8.7 (Sonatype-2026-003775). No CVE has been issued. Official Arch Linux repositories were not affected.
How the Attack Was Staged
The Arch User Repository lets community members adopt orphaned packages: legitimate projects abandoned by their original maintainers. That process is the entry point for this AUR supply chain attack. Threat actors requested ownership of established but unmaintained packages through AUR’s normal adoption workflow. Once in control, they modified the PKGBUILD files those packages use to build software.
The injected change is a single line: npm install atomic-lockfile minimalist chalk, added to post-install hooks. Sonatype engineer Eyad Hasan first spotted the campaign on 11 June. The attackers also forged commit metadata to impersonate a known AUR maintainer, “arojas”. This gave tampered commits a veneer of legitimacy to anyone who checked the history.
“Attackers are not building trust from scratch,” Sonatype researchers wrote. “They’re acquiring projects that have already earned it.” Confirmed compromised packages include alvr and premake-git.
The npm Package and Rust Payload
The malicious package, atomic-lockfile v1.4.2 (SHA-256: 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b), holds a preinstall hook that executes a Linux ELF binary named deps from ./src/hooks/deps. Independent researcher Whanos reverse-engineered the binary. It is written in Rust.
The stealer collects a broad set of credentials and session data:
- Browser cookies, tokens, and local storage from Chrome, Edge, and Brave
- Electron app sessions for Slack, Discord, Teams, and Telegram
- SSH private keys and shell history
- GitHub, npm, and HashiCorp Vault tokens
- OpenAI and ChatGPT API keys
- Docker and Podman configurations, VPN profiles, and cloud provider keys
Exfiltration runs via HTTP multipart POST to temp.sh, a public file-sharing service. Command-and-control uses a Tor onion service. On 12 June a second wave appeared, swapping the npm delivery for bun install js-digest in some packages. The operator is iterating on delivery methods, which suggests an ongoing campaign rather than a one-shot hit.
An eBPF Rootkit for Root-Level Hosts
When deps runs with root privileges, it loads an eBPF program compiled from scales.bpf.c. The program hooks the getdents64() system call and pins three BPF maps into /sys/fs/bpf/: hidden_pids, hidden_names, and hidden_inodes. These maps tell the hook to filter out specific process IDs, filenames, and inodes from any user-space tool that calls getdents64. As a result, ls, ps, and find all return clean output while the malware runs.
The binary also checks for attached debuggers via PTRACE before executing, which complicates live analysis. On a root-compromised host, standard inspection tools may show nothing unusual even while the rootkit is active.
Persistence
Regardless of privilege level, the payload installs a systemd service set to Restart=always. Root compromises write it to /etc/systemd/system/; user-level infections use ~/.config/systemd/user/. The service survives a reboot in both cases.
The eBPF rootkit intercepts directory-listing calls. Running ls /etc/systemd/system/ on an infected machine may still return nothing suspicious even when the service file is present.
Responding to the AUR Supply Chain Attack
Arch Linux maintainer Jonathan Grotelüschen urged users to report any compromised package they find. Community contributor lenucksi has published automated detection scripts at github.com/lenucksi/aur-malware-check.
Manual checks to run immediately:
- Search pacman build logs for packages installed or updated after 11 June 2026.
- Look for atomic-lockfile, js-digest, or src/hooks/deps in build output.
- Run ls /sys/fs/bpf/ and check for unfamiliar BPF map names.
- Inspect /etc/systemd/system/ and ~/.config/systemd/user/ for unexpected services.
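The checks above, plus the listing-versus-stat caveat from the rootkit section, as an added POSIX shell triage script. This is not code from the article, Sonatype, or the lenucksi repository; the indicator strings and map names come from the article, and every log, file, and version number below is constructed for the demo.

```shell
#!/bin/sh
# Added triage helpers for the manual checks above; not code from the page, Sonatype or lenucksi.
# Indicator strings come from the article; every file and log below is constructed.
IOC_RE='atomic-lockfile|js-digest|src/hooks/deps'
MAP_RE='^(hidden_pids|hidden_names|hidden_inodes)$'

# 1. Packages installed or upgraded on/after $2 (YYYY-MM-DD), read from a pacman.log
#    whose lines look like: [2026-06-11T09:15:02+0000] [ALPM] installed foo (1.0-1)
recent_packages() {
    awk -v since="$2" '/\[ALPM\] (installed|upgraded) / {
        if (substr($1, 2, 10) >= since) print $4 }' "$1"
}

# 2. Number of build-output lines that mention the campaign's indicators.
ioc_hits() { grep -Ec "$IOC_RE" "$1" || true; }

# 3. Pinned map names matching the rootkit's maps; pass /sys/fs/bpf on a real host.
suspicious_maps() { ls -1 "$1" 2>/dev/null | grep -E "$MAP_RE" || true; }

# 4. ls relies on getdents64, which the rootkit filters; stat() on an exact name is
#    not. Print unit files that exist by name but are absent from the directory listing.
hidden_units() {
    dir=$1; shift
    for name in "$@"; do
        if [ -e "$dir/$name" ] && ! ls -1a "$dir" | grep -qx "$name"; then
            echo "$dir/$name"
        fi
    done
}

# --- constructed demo data (placeholder versions, not real package history) ---
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/pacman.log" <<'EOF'
[2026-06-09T08:00:00+0000] [ALPM] upgraded linux (1.0-1 -> 1.0-2)
[2026-06-11T14:32:10+0000] [ALPM] installed alvr (1.0-1)
[2026-06-12T09:05:44+0000] [ALPM] upgraded premake-git (1.0-1 -> 1.0-2)
EOF
cat > "$DEMO/build.log" <<'EOF'
==> Starting build()...
npm install atomic-lockfile minimalist chalk
> preinstall: ./src/hooks/deps
EOF
mkdir -p "$DEMO/bpf" "$DEMO/units"
: > "$DEMO/bpf/hidden_pids"; : > "$DEMO/units/foo.service"
recent_packages "$DEMO/pacman.log" 2026-06-11   # alvr, premake-git
ioc_hits "$DEMO/build.log"                      # 2
suspicious_maps "$DEMO/bpf"                     # hidden_pids
hidden_units "$DEMO/units" foo.service          # prints nothing on a clean host
```

On a real host, point recent_packages at /var/log/pacman.log, ioc_hits at the saved makepkg output, suspicious_maps at /sys/fs/bpf, and hidden_units at the two systemd directories with the unit names you expect to find there.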
If a flagged package ran on your machine, treat the host as compromised. Removing the package is not enough, because the stealer will have executed before you can uninstall it. Rotate SSH keys, GitHub and npm tokens, Vault secrets, browser-stored credentials, and service tokens for Slack, Discord, and Teams. If the build ran as root, assume the eBPF rootkit is present. Sonatype advises reinstalling Arch from trusted media in that case.
This is not the first AUR supply chain attack of this type. A similar technique compromised an abandoned PDF viewer in 2018. More recently, the 3CX incident showed how a single compromised dependency can cascade across stages. The 2026 Atomic Arch version adds a rootkit and active operator maintenance on top of that. Any AUR package recently adopted from orphan status carries higher risk. The maintainer community cannot audit the full adoption history at scale, so this class of AUR supply chain attack will not disappear quickly.
