A large-scale supply chain attack has compromised hundreds of packages in the Arch User Repository (AUR), with researchers estimating that the total may exceed 400, exposing Linux users to a credential-stealing malware campaign that targets developer workstations, cloud credentials, and sensitive authentication data.
The campaign, dubbed “Atomic Arch” by security researchers, abused the trust model of the AUR by taking over abandoned packages and modifying their build scripts to silently install malware during package installation.
Notably, the attack did not compromise Arch Linux’s official repositories. Instead, it targeted the community-maintained AUR, where anyone can adopt orphaned packages whose original maintainers are no longer active.
Attackers Exploited Trust, Not Software Vulnerabilities
Unlike traditional cyberattacks that exploit software flaws or zero-day vulnerabilities, this campaign leveraged trust within the AUR ecosystem.
Attackers adopted abandoned packages, preserved their names and histories, and modified only the build instructions. As a result, users downloading what appeared to be legitimate software unknowingly executed malicious code during the package build process.
Researchers from Sonatype discovered that the attackers specifically targeted orphaned projects, allowing them to inherit the trust associated with long-established packages.
To further evade suspicion, the threat actors reportedly spoofed Git commit metadata to make the malicious changes appear as though they originated from legitimate maintainers.
How the Malicious Packages Worked
After gaining control of an AUR package, attackers modified the package's PKGBUILD (whose functions makepkg runs as the building user) or its .install scriptlet (which pacman runs as root when the package is installed) to execute:
npm install atomic-lockfile
That command pulled the malicious npm package atomic-lockfile@1.4.2 from the public registry, together with legitimate dependencies so the extra install step would not look out of place.
The package carried a malicious preinstall lifecycle script, which npm runs automatically during installation unless scripts are disabled with --ignore-scripts; the script launched a Linux ELF binary named deps that was bundled inside the package.
Several compromised packages have already been confirmed, including:
- alvr
- premake-git
However, security researchers warn that the total number of affected packages continues to grow and may exceed 400.
Credential-Stealing Malware Targets Developers
Independent security researcher Whanos analyzed the malware payload and identified it as a Rust-based information stealer designed specifically for developer environments.
The malware collects a wide range of sensitive information, including:
Browser Data
- Cookies
- Authentication tokens
- Local storage data
Targeted browsers include:
- Google Chrome
- Microsoft Edge
- Brave
- Other Chromium-based browsers
Collaboration and Messaging Platforms
The malware extracts session data from popular Electron-based applications such as:
- Slack
- Discord
- Microsoft Teams
Developer and Cloud Credentials
Researchers found the malware targeting:
- GitHub access tokens
- npm credentials
- HashiCorp Vault tokens
- OpenAI and ChatGPT authentication data
- SSH keys
- known_hosts files
- Shell history files
- Docker credentials
- Podman credentials
- VPN configuration files
Collected data is exfiltrated through HTTP uploads to temporary file-sharing services, while command-and-control communications are routed through a Tor hidden service.
Persistence Mechanisms
To maintain access after infection, the malware installs itself as a systemd service configured with:
Restart=always
When executed with root privileges, the malware:
- Copies itself into /var/lib/
- Creates a system-wide service under /etc/systemd/system/
When run as a standard user, it:
- Stores files within the user's home directory
- Creates a user-level systemd service in ~/.config/systemd/user/
Either way the unit starts the malware at boot (or at login, for the user-level unit) and, because of Restart=always, relaunches it whenever it exits or is killed.
Optional eBPF Rootkit Adds Stealth Capabilities
Early reports suggested the malware always deployed an eBPF rootkit. Researchers later clarified that the rootkit component is optional and only activates when the malware already has root privileges.
The rootkit does not elevate privileges but instead helps conceal the malware by:
- Hiding malicious processes
- Concealing process names
- Obscuring network socket activity
- Blocking debugger attachment attempts
It achieves this using pinned BPF maps named:
- hidden_pids
- hidden_names
- hidden_inodes
The stealth capabilities make post-infection cleanup significantly more difficult.
Possible Cryptomining Component Identified
Researchers also discovered an additional binary associated with monero-wallet-gui that may function as a cryptocurrency miner.
While the component remains under investigation, analysts believe it could represent a secondary payload deployed alongside the credential stealer.
Second Wave of Malicious Packages Discovered
Following the initial discovery of packages using atomic-lockfile, researchers identified a second wave of compromised packages.
These packages executed:
bun install js-digest
The malicious package js-digest was linked to the same threat actor infrastructure and delivered a separate malware payload.
Community trackers believe both waves are part of the same coordinated campaign.
What Arch Linux Users Should Do Immediately
Arch maintainers have begun removing malicious commits, banning attacker-controlled accounts, and restoring affected packages.
However, users should assume the published package lists remain incomplete.
Check Your Systems
If you installed or updated any AUR package on or after June 11, review your package history and search for:
- atomic-lockfile
- js-digest
- src/hooks/deps
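To make that check concrete, here is an added shell example (not code from the article, from Sonatype, or from Arch tooling) that greps the PKGBUILD and .install files in a local AUR helper cache for the three indicators and pulls the packages pacman's log records as installed or upgraded since a date. The cache and log paths and the sample data are constructed assumptions; on a real system point it at your helper's clone directory (typically ~/.cache/yay or ~/.cache/paru) and at /var/log/pacman.log, and cross-check the package list against pacman -Qm, which lists foreign (non-repository) packages.

```shell
#!/bin/sh
# Added example, not code from the article or from Arch tooling. Looks for the
# indicators named in the article in cached AUR build files and in pacman's
# log. All paths and sample data below are constructed for the demo.

# Indicators quoted in the article; extend the alternation as reports grow.
IOCS='atomic-lockfile|js-digest|src/hooks/deps'

# scan_aur_dir DIR
#   Greps every PKGBUILD and *.install file under DIR for the indicators and
#   prints "file:line:text" per hit. Returns 0 if anything matched, else 1.
scan_aur_dir() {
  [ -d "$1" ] || return 1
  hits=$(find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
           -exec grep -nHE -- "$IOCS" {} + 2>/dev/null)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# packages_since LOG SINCE
#   Prints, sorted and deduplicated, every package pacman's log records as
#   installed, upgraded or reinstalled on or after SINCE (YYYY-MM-DD). The
#   log timestamps are ISO 8601, so a string comparison on the date works.
packages_since() {
  awk -v since="$2" '
    /\[ALPM\] (installed|upgraded|reinstalled) / {
      if (substr($1, 2, 10) >= since) print $4
    }' "$1" | sort -u
}

# --- constructed sample data so the script runs offline -------------------
# The PKGBUILD mirrors the injected command; the log lines and the year are
# placeholders, not real records.
demo=$(mktemp -d)
mkdir -p "$demo/cache/somepkg"
cat > "$demo/cache/somepkg/PKGBUILD" <<'EOF'
pkgname=somepkg
build() {
  npm install atomic-lockfile
  make
}
EOF
cat > "$demo/pacman.log" <<'EOF'
[2026-06-10T09:00:00+0000] [ALPM] installed premake-git (5.0.0-1)
[2026-06-12T10:00:00+0000] [ALPM] upgraded alvr (20.0.0-1 -> 20.0.0-2)
[2026-06-13T11:00:00+0000] [ALPM] installed yay (12.0-1)
EOF

echo "== indicator hits in cached build files =="
scan_aur_dir "$demo/cache" || echo "(none)"
echo "== packages installed/upgraded on or after 2026-06-11 =="
packages_since "$demo/pacman.log" 2026-06-11
rm -rf "$demo"
```

A hit in a cached build file proves only that the file was fetched; confirm whether the build actually ran by matching the package against the pacman log output and your helper's own history. Absence of a hit is not proof of safety, since the cache may have been cleaned or the package rebuilt after the maintainers reverted the commit.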
Rotate Compromised Credentials
If a malicious package was executed, immediately rotate:
- Browser sessions
- SSH keys
- GitHub tokens
- npm credentials
- Slack sessions
- Teams sessions
- Discord sessions
- Vault tokens
- Docker credentials
- Cloud access keys
Look for Persistence
Investigate systems for:
- Unknown systemd services
- Suspicious files in /var/lib/
- Unauthorized user-level systemd units
- Unexpected Tor network activity
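The following added shell example (not code from the article or from any Arch project) automates the first three of those checks for the persistence and rootkit artefacts described earlier on this page: it flags service units that both use Restart=always and launch a binary from outside the usual system prefixes, and it lists pinned BPF objects whose pin name matches the map names quoted above. The unit directories, the bpffs path and the sample data are constructed assumptions; on a real host run it against /etc/systemd/system, ~/.config/systemd/user and /sys/fs/bpf.

```shell
#!/bin/sh
# Added example, not code from the article. Hunts for the two persistence
# artefacts the article describes: systemd units that restart unconditionally
# and launch a binary from an unusual path, and pinned BPF objects carrying the
# rootkit's map names. All sample data below is constructed for the demo.

# flag_units DIR
#   For every *.service under DIR, print "unit: binary" when the unit has
#   Restart=always and its ExecStart binary lives outside /usr, /bin, /sbin,
#   /lib or /opt (for example under /var/lib or a home directory).
#   Returns 0 if anything was flagged, else 1.
flag_units() {
  [ -d "$1" ] || return 1
  flagged=$(find "$1" -type f -name '*.service' 2>/dev/null | while IFS= read -r unit; do
    awk -v f="$unit" '
      /^Restart=always[[:space:]]*$/ { always = 1 }
      /^ExecStart=/ { sub(/^ExecStart=[-@:+!]*/, ""); cmd = $1 }
      END {
        if (always && cmd != "" && cmd !~ /^\/(usr|bin|sbin|lib|opt)\//)
          print f ": " cmd
      }' "$unit"
  done)
  [ -n "$flagged" ] || return 1
  printf '%s\n' "$flagged"
}

# pinned_bpf_names BPFFS
#   Lists pinned objects under a bpffs mount (normally /sys/fs/bpf) whose pin
#   name matches the map names quoted in the article. Pin names are chosen by
#   the loader, so also compare against `bpftool map show` (as root), which
#   prints each map's own name. Returns 0 if anything matched, else 1.
pinned_bpf_names() {
  [ -d "$1" ] || return 1
  found=$(find "$1" \( -name hidden_pids -o -name hidden_names -o -name hidden_inodes \) 2>/dev/null)
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# --- constructed sample data so the script runs offline -------------------
demo=$(mktemp -d)
mkdir -p "$demo/system" "$demo/user" "$demo/bpf"
cat > "$demo/system/deps.service" <<'EOF'
[Service]
ExecStart=/var/lib/deps/deps
Restart=always
EOF
cat > "$demo/system/sshd.service" <<'EOF'
[Service]
ExecStart=/usr/bin/sshd -D
Restart=always
EOF
cat > "$demo/user/sync.service" <<'EOF'
[Service]
ExecStart=/home/dev/.local/share/deps/deps
Restart=always
EOF
: > "$demo/bpf/hidden_pids"

echo "== units restarting a binary from an unusual path =="
flag_units "$demo/system"; flag_units "$demo/user"
echo "== pinned BPF objects with rootkit map names =="
pinned_bpf_names "$demo/bpf"
rm -rf "$demo"
```

Unit files on disk are readable even when the rootkit is active, but anything the live kernel reports (process lists, ss -tnp output for the Tor traffic check, and even the bpffs listing) can be filtered by it; treat a clean result from the running host as inconclusive and repeat the inspection from trusted boot media, as the next section advises.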
Reinstall If Root Access Was Granted
Security experts strongly recommend rebuilding affected systems from trusted installation media if the malicious package was executed with root privileges.
Because the malware can deploy an eBPF rootkit that hides its own processes, names and sockets, integrity checks run from inside the running system cannot be trusted; inspect the disk from trusted boot media, and rebuild rather than attempt to clean in place.
A Growing Supply Chain Threat
The Atomic Arch campaign highlights a growing trend in software supply chain attacks where threat actors inherit trust by taking over abandoned projects instead of creating lookalike packages.
By exploiting orphaned software and trusted package histories, attackers can bypass traditional security awareness measures and reach large numbers of users without exploiting a single software vulnerability.
As investigations continue, security researchers urge Arch Linux users to carefully review PKGBUILD files, inspect installation scripts, and exercise caution when installing packages that have recently changed maintainers or become active after long periods of inactivity.
