HackMyIP
2026-06-12 The Hacker News

400+ Arch Linux AUR Packages Hijacked in Atomic Arch Supply Chain Attack

Supply Chain, Malware, Data Breach

In a sweeping supply chain attack dubbed Atomic Arch, threat actors compromised more than 400 packages in the Arch User Repository (AUR) between June 11 and June 12, rewriting build scripts so that any machine that built them with makepkg, directly or through an AUR helper such as yay or paru, silently installed a Rust-based infostealer. Discovered by Sonatype, the campaign targeted orphaned packages, those whose original maintainers had abandoned them, and adopted them under spoofed git commit metadata designed to mimic long-standing Arch Trusted Users. The official Arch repositories were not affected, but anyone who built or updated an AUR package during the attack window should audit their systems immediately. Confirmed malicious packages include alvr and premake-git, though researchers warn the full list is still expanding.

The attack vector was deceptively simple. Once a package was adopted, its PKGBUILD or .install script was modified to run npm install atomic-lockfile@1.4.2 alongside legitimate dependencies for cover. That npm package carries a preinstall hook, which npm executes automatically during install unless it is invoked with --ignore-scripts, and the hook drops and runs a bundled Linux ELF binary named deps. Independent researcher Whanos reverse-engineered the payload and identified it as a credential stealer targeting Chromium-based browser cookies, tokens, and local storage (Chrome, Edge, Brave); session data from Electron apps such as Slack, Discord, and Microsoft Teams; and developer secrets including GitHub, npm, and HashiCorp Vault tokens, OpenAI/ChatGPT bearer tokens, SSH keys, Docker/Podman credentials, and VPN profiles. On any host that built an affected package, every one of those credentials should be treated as stolen: revoke and reissue the tokens and keys and invalidate the browser and Electron sessions, because changing a password does not invalidate a session cookie or bearer token that has already been copied.
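The scanner below is an added example written for this page; it is not code from the article, from Sonatype, or from Whanos. It looks for the indicators the article gives, an npm invocation inside a PKGBUILD or .install script, a reference to atomic-lockfile, a package.json with a preinstall hook, and an ELF file named deps beside it, across whatever build directories an AUR helper left behind. The sample build tree and the shape of the package.json manifest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article, Sonatype or Whanos: scan local AUR
# build directories (e.g. ~/.cache/yay, ~/.cache/paru, or wherever makepkg was
# run) for the Atomic Arch injection pattern. The sample tree at the bottom is
# constructed; the package.json contents are an assumption about its shape.

# Report indicators in one PKGBUILD or .install file, one line per finding.
scan_build_script() {
    if grep -qE '(^|[^[:alnum:]_./-])npm[[:space:]]+(i|install|ci)([[:space:]]|$)' "$1"; then
        echo "$1: runs npm during the build"
    fi
    if grep -q 'atomic-lockfile' "$1"; then
        echo "$1: references atomic-lockfile (known malicious npm package)"
    fi
}

# Report a preinstall hook in package.json and a sibling ELF named deps.
scan_package_json() {
    if grep -qE '"preinstall"[[:space:]]*:' "$1"; then
        echo "$1: declares a preinstall hook"
    fi
    bin="$(dirname "$1")/deps"
    if [ -f "$bin" ] && [ "$(head -c 4 "$bin" | od -An -tx1 | tr -d ' \n')" = 7f454c46 ]; then
        echo "$bin: ELF binary named deps next to package.json"
    fi
}

# Walk a directory tree and print every finding. Always exits 0 so it can be
# piped; count_findings gives the total as a number.
scan_aur_tree() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) | sort | while read -r f; do
        scan_build_script "$f"
    done
    find "$1" -type f -name package.json | sort | while read -r f; do
        scan_package_json "$f"
    done
    return 0
}

count_findings() {
    scan_aur_tree "$1" | wc -l | tr -d ' '
}

# --- constructed sample tree: one clean package and one hijacked one ---
ATOMIC_SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$ATOMIC_SAMPLE_DIR/clean-pkg" \
         "$ATOMIC_SAMPLE_DIR/hijacked-pkg/node_modules/atomic-lockfile"
cat > "$ATOMIC_SAMPLE_DIR/clean-pkg/PKGBUILD" <<'EOF'
pkgname=example-clean
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
EOF
cat > "$ATOMIC_SAMPLE_DIR/hijacked-pkg/PKGBUILD" <<'EOF'
pkgname=example-hijacked
build() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install atomic-lockfile@1.4.2
  make
}
EOF
# Assumed shape of the malicious manifest (the real file may differ).
cat > "$ATOMIC_SAMPLE_DIR/hijacked-pkg/node_modules/atomic-lockfile/package.json" <<'EOF'
{ "name": "atomic-lockfile", "version": "1.4.2",
  "scripts": { "preinstall": "./deps" } }
EOF
# Stand-in for the dropped binary: only the ELF magic, nothing executable.
printf '\177ELF\002\001\001' > "$ATOMIC_SAMPLE_DIR/hijacked-pkg/node_modules/atomic-lockfile/deps"

scan_aur_tree "$ATOMIC_SAMPLE_DIR"
# On a real host: scan_aur_tree ~/.cache/yay; scan_aur_tree ~/.cache/paru
```

The npm check deliberately flags any npm install inside a build script, not just the known package name, because a follow-on campaign would change the package name before it changed the technique; review each hit against the package's upstream build instructions.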

Exfiltrated data is uploaded in plaintext over HTTP to temp.sh, while command-and-control traffic is routed to a Tor onion service through a local loopback proxy. The Tor leg is what defeats content inspection; the plaintext upload, by contrast, is fully visible on the wire and is the easier of the two to hunt for. For persistence, the malware installs a systemd service with Restart=always: when running as root it copies itself under /var/lib/ and writes a unit file to /etc/systemd/system/, otherwise it drops a per-user unit under ~/.config/systemd/user/. When executed with root privileges, the payload also loads an eBPF rootkit to conceal its own processes, network sockets, and files from host-based detection tools. Defenders should therefore hunt for outbound HTTP to temp.sh, loopback SOCKS listeners and Tor processes that nobody installed deliberately, and unit files that no pacman package owns, bearing in mind that on a rootkitted host the output of ps, ss, and ls cannot be trusted: confirm findings from network telemetry or from the disk mounted under a rescue boot.

This incident highlights a critical weakness in community-driven package ecosystems: trust without verification. No zero-day or software vulnerability was exploited; the attackers simply took over dead projects and let users compile the malware themselves. Organizations running Arch-based systems, including Manjaro and EndeavourOS, should cross-reference installed AUR packages against the published affected lists (pacman -Qm lists every package that did not come from a sync repository, which on most hosts is exactly the AUR-built set), rotate any secrets stored on potentially compromised build hosts, and audit systemd units for unauthorized persistence mechanisms. A host on which an affected package was built as root should be assumed to carry the eBPF rootkit and be rebuilt from known-good media rather than cleaned in place. The Arch Linux team has since intervened to remove the malicious maintainer accounts, but the speed of the takeover, more than 400 packages in under 48 hours, underscores how quickly supply chain trust can be weaponized when orphaned packages can be adopted by anyone without review.
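The triage script below is an added example for this page, covering both the persistence pattern described two paragraphs up and the response steps just listed; it is not code from the article or from the Arch Linux team. It assumes the affected list is a text file with one package name per line, that the installed list is the "name version" output of pacman -Qm, and that the unit-file locations and the Restart=always plus /var/lib/ pattern are as the article describes. The sample data, including the unit name and the subdirectory under /var/lib/, is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or the Arch Linux team: post-incident
# triage for a host that built AUR packages during the attack window.
# Assumptions: affected list = one pkgname per line; installed list = output of
# `pacman -Qm` ("name version" per line); unit locations and the
# Restart=always / /var/lib/ drop pattern as the article describes.
# All sample data below is constructed.

# Print every installed foreign package whose name is on the affected list.
#   $1 = installed list ("name version" per line), $2 = affected list
find_affected_installed() {
    awk 'FILENAME == ARGV[1] { bad[$1] = 1; next } ($1 in bad) { print $1 }' "$2" "$1"
}

# Report *.service files in DIR that match the persistence pattern:
# Restart=always combined with an ExecStart under /var/lib/, a home directory
# or a temp path. systemd allows -, @, +, ! or : prefixes on ExecStart.
audit_unit_dir() {
    [ -d "$1" ] || return 0
    for u in "$1"/*.service; do
        [ -f "$u" ] || continue
        restart=$(sed -n 's/^Restart=//p' "$u" | head -n 1)
        exe=$(sed -n 's/^ExecStart=[-@+!:]*//p' "$u" | head -n 1 | awk '{ print $1 }')
        case "$exe" in
            /var/lib/*|/home/*|/root/*|%h/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                [ "$restart" = always ] && echo "$u: Restart=always, ExecStart=$exe"
                ;;
        esac
    done
    return 0
}

# Separate check for hosts with pacman: unit files that no package owns.
report_unowned_units() {
    command -v pacman >/dev/null 2>&1 || return 0
    for u in "$1"/*.service; do
        [ -f "$u" ] || continue
        pacman -Qo "$u" >/dev/null 2>&1 || echo "$u: not owned by any package"
    done
    return 0
}

# --- constructed sample data ---
TRIAGE_SAMPLE="$(mktemp -d)"
printf '%s\n' alvr premake-git > "$TRIAGE_SAMPLE/affected.txt"
# Shape of `pacman -Qm` output; the versions are placeholders.
printf '%s\n' 'yay 12.0.0-1' 'premake-git 5.0.0-1' 'paru 2.0.0-1' > "$TRIAGE_SAMPLE/installed.txt"
mkdir -p "$TRIAGE_SAMPLE/system"
# Assumed look of the dropped unit; the real unit name and subdirectory are not given.
cat > "$TRIAGE_SAMPLE/system/sys-helper.service" <<'EOF'
[Unit]
Description=System helper

[Service]
ExecStart=/var/lib/deps/deps
Restart=always

[Install]
WantedBy=multi-user.target
EOF
cat > "$TRIAGE_SAMPLE/system/sshd.service" <<'EOF'
[Service]
ExecStart=/usr/bin/sshd -D
Restart=on-failure
EOF

find_affected_installed "$TRIAGE_SAMPLE/installed.txt" "$TRIAGE_SAMPLE/affected.txt"
audit_unit_dir "$TRIAGE_SAMPLE/system"
# On a real host:
#   pacman -Qm > installed.txt; find_affected_installed installed.txt affected.txt
#   audit_unit_dir /etc/systemd/system; audit_unit_dir "$HOME/.config/systemd/user"
#   report_unowned_units /etc/systemd/system
```

Run the unit audit against both the system and the per-user directory, since which one the malware used depends on whether the build ran as root; and if the host ran the payload as root, remember that the eBPF rootkit can hide the unit file from this very script, so repeat the check from a rescue boot before declaring the host clean.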

Source: The Hacker News
