[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1iC-LCvgsIJcEThpR0D8ygcD6f3PiXyaxZ6xEHSyQLY":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"c3fe79f0-a754-4c45-b111-40104a8d6164","Atomic Arch Supply Chain Attack Hits 1,500 AUR Packages","atomic-arch-supply-chain-attack-hits-1-500-aur-packages-b91ed3","Arch Linux suspended account registrations in response to the wave of malicious packages being uploaded to AUR. The post Atomic Arch Supply Chain Attack Hits 1,500 AUR Packages appeared first on SecurityWeek.","Arch Linux has suspended new account registrations for its User Repository (AUR) following a supply chain attack named Atomic Arch. Attackers modified abandoned AUR packages to execute malicious code during installation, initially targeting NPM packages and later shifting to Bun-based installations. The campaign has led to over 1,500 malicious packages being published, with the malware designed for credential and secret harvesting.","Arch Linux suspends AUR account registrations due to a supply chain attack impacting over 1,500 packages.","Arch Linux on Monday announced that it has suspended new account registrations on the Arch User Repository (AUR) in response to a wave of malicious packages being published as part of an ongoing supply chain attack. A community-driven repository, AUR enables Arch Linux users to share build scripts (PKGBUILDs) for software not in the official repositories, which can be cloned to build native packages locally. The supply chain campaign, tracked by the cybersecurity community as Atomic Arch, started last week, with more than 1,500 malicious packages published by June 11. 
“We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed,” Arch Linux said on Friday. On Monday, Arch Linux suspended AUR signups for cleanup purposes. According to Sonatype, the campaign started with abandoned packages in AUR, which were modified to execute a malicious NPM package during installation. By June 12, the attackers switched to Bun-based installation paths and also started pushing new malicious packages. By targeting orphaned packages that had a history of legitimate use, the attackers ensured the attack’s blast radius was large. Similar to the modus operandi observed in the Axios supply chain attack, the hackers modified the packages’ PKGBUILD to introduce malicious behavior masquerading as the NPM package atomic-lockfile. The Linux executable that runs during package installation as part of an Atomic Arch attack references eBPF (extended Berkeley Packet Filter), the technology that allows programs to run inside the Linux kernel with elevated privileges, likely for persistence purposes. Sonatype also observed functionality related to process, file, and network hiding; Linux socket diagnostic interfaces; debugger detection; and HTTP upload functionality. The rootkit-like malware also references credentials, SSH artifacts, HashiCorp Vault tokens, browser cookies, and data stores from popular collaboration applications, suggesting it was designed for credential and secret harvesting and exfiltration. “On systems where it runs with elevated privileges, the malware can also attempt eBPF-based persistence to hide processes and file activity, making detection and cleanup significantly harder. A compromised host should be treated as fully untrusted: rebuild from clean media and rotate all exposed credentials. A one-off malware scan is not sufficient,” StepSecurity notes. 
Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.","https:\u002F\u002Fwww.securityweek.com\u002Fatomic-arch-supply-chain-attack-hits-1500-aur-packages\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fsupply-chain-threat.webp","2026-06-16T10:51:49+00:00","2026-06-16T12:00:07.03283+00:00",8,[18,21,24,26],{"name":19,"type":20},"AUR","product",{"name":22,"type":23},"NPM","technology",{"name":25,"type":23},"Bun",{"name":27,"type":23},"eBPF","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":28,"icon":30,"name":31,"slug":32},null,"Supply Chain","supply-chain",[34,36,41,46],{"category":35},{"id":28,"icon":30,"name":31,"slug":32},{"category":37},{"id":38,"icon":30,"name":39,"slug":40},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":42},{"id":43,"icon":30,"name":44,"slug":45},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":47},{"id":48,"icon":30,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52],{"type":40,"value":53,"context":54},"atomic-lockfile","Malicious NPM package name used in the attack."]