Over 400 Arch Linux AUR Packages Compromised in 'Atomic Arch' Supply Chain Attack Deploying Infostealers
Attackers hijacked over 400 orphaned Arch User Repository packages in the 'Atomic Arch' campaign, injecting malicious npm packages that deploy infostealers targeting browser credentials, SSH keys, and cryptocurrency wallets.

A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems. The campaign, dubbed "Atomic Arch" by researchers, was identified around June 11, 2026, and represents one of the most wide-scale AUR incidents on record.
The threat actors systematically targeted orphaned AUR packages — legitimate projects that have been abandoned by their original maintainers — and claimed ownership of them through AUR's standard adoption process. Once in control, attackers modified the packages' PKGBUILD scripts, which are the build instruction files that AUR helpers like yay and paru execute during installation. The malicious PKGBUILDs were altered to silently fetch and install two rogue npm packages: atomic-lockfile and js-digest. These packages acted as the primary malware delivery mechanism, executing during the standard package build process without triggering obvious warnings to end users.
Once installed, the malicious npm packages deployed a multi-stage infostealer payload engineered to exfiltrate a broad range of sensitive data, including browser credentials (saved passwords, session cookies, and autofill data from Chromium- and Firefox-based browsers), SSH private keys, system environment variables (potentially exposing API tokens, cloud credentials, and application secrets), and cryptocurrency wallet data (targeting local wallet files and seed phrases). Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop. This tactic makes post-infection identification significantly harder without dedicated forensic tooling.
The Arch Linux security team responded rapidly once the compromise was surfaced on the AUR mailing list. Maintainers reverted malicious PKGBUILD commits, permanently banned the offending attacker accounts, and published a detailed checklist of affected packages for the community. Critically, Arch's official repositories (core, extra, multilib) remained unaffected, as those are subject to stricter review processes.
Users who regularly install AUR packages should take immediate steps: run pacman -Qm to list all foreign (AUR) packages installed on their system and cross-reference against the published list of compromised packages; audit recent PKGBUILD history for any packages installed between June 10–12, 2026; rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed; scan for suspicious processes masquerading as kernel threads using tools like rkhunter or chkrootkit; and consider using AUR helpers with PKGBUILD review prompts enabled by default.
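The first, second and fourth steps above can be scripted. The following is an added example written for this article, not code from the Arch project or the researchers: it cross-checks pacman -Qm output against a compromised-package list, greps cached PKGBUILDs for the two rogue npm package names, and flags processes that present themselves as kernel threads yet have a real executable behind /proc/PID/exe (genuine kernel threads have none). The yay/paru cache locations and the compromised-list path are assumptions.

```bash
#!/usr/bin/env bash
# Added example for responders; package names come from the report.

# The two rogue npm packages the malicious PKGBUILDs pulled in.
ROGUE_NPM='atomic-lockfile|js-digest'

# flagged_packages INSTALLED COMPROMISED
# INSTALLED is "pacman -Qm" output (name and version per line); COMPROMISED
# has one package name per line. Prints installed names found in the list.
flagged_packages() {
    awk 'FILENAME == ARGV[1] { bad[$1] = 1; next } ($1 in bad) { print $1 }' \
        "$2" "$1" | sort -u
}

# pkgbuild_mentions_rogue PKGBUILD: succeeds if either rogue package is named.
pkgbuild_mentions_rogue() {
    grep -Eq "$ROGUE_NPM" "$1"
}

# masquerading_pids [PROCROOT]
# Lists processes whose argv[0] is bracketed or whose comm looks like a
# kernel thread but which have a readable /proc/PID/exe. PROCROOT defaults
# to /proc; a constructed tree can be passed for offline testing.
masquerading_pids() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        readlink "$d/exe" >/dev/null 2>&1 || continue   # kthreads fail here
        comm=$(cat "$d/comm" 2>/dev/null)
        argv0=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -d' ' -f1)
        case "$argv0:$comm" in
            \[*|*:kworker*|*:kthreadd|*:ksoftirqd*|*:migration*|*:rcu_*|*:kswapd*)
                echo "${d##*/} $comm" ;;
        esac
    done
}

# run_audit COMPROMISED_LIST: full pass on a live system (cache paths assumed).
run_audit() {
    tmp=$(mktemp); pacman -Qm > "$tmp"
    echo "== installed packages on the compromised list =="
    flagged_packages "$tmp" "$1"; rm -f "$tmp"
    echo "== cached PKGBUILDs referencing the rogue npm packages =="
    for f in "$HOME"/.cache/yay/*/PKGBUILD "$HOME"/.cache/paru/clone/*/PKGBUILD; do
        if [ -f "$f" ] && pkgbuild_mentions_rogue "$f"; then echo "$f"; fi
    done
    echo "== processes masquerading as kernel threads =="
    masquerading_pids
}

if [ "${1-}" = "audit" ]; then run_audit "${2:-/path/to/compromised-packages.txt}"; fi
```

Run it as ./audit.sh audit /path/to/list.txt on the host; a hit in the third section is a reason to image the machine rather than clean it in place.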
This incident echoes a growing trend of supply chain attacks targeting package repositories across ecosystems. Researchers at Sonatype specifically characterized the Atomic Arch campaign as a deliberate strategy of targeting orphaned, trusted packages with existing install bases, maximizing victim reach while minimizing scrutiny. The AUR's community-trust model, while a strength for package availability, continues to present a systemic risk that individual vigilance cannot fully mitigate without structural policy changes around orphan package adoption.