Attackers compromised more than 400 Arch User Repository packages and altered their build scripts to deliver the Atomic Arch credential stealer during package builds. The campaign also used the malicious npm package atomic-lockfile and a second wave involving js-digest, with some payloads able to install an optional eBPF rootkit and persistence mechanisms.
Keypoints
- Over 400 AUR packages were hijacked by modifying build scripts, not by exploiting a software flaw.
- The main payload is a Rust credential stealer that targets developer secrets, browser data, SSH keys, and cloud tokens.
- The malware can also set up systemd persistence and optionally load an eBPF rootkit when it has root access.
- Confirmed packages include alvr and premake-git, and the attack chain involved atomic-lockfile and js-digest.
- Users who built affected packages after June 11 should assume compromise, rotate secrets, and reinstall if root execution occurred.
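A defender-side sweep for the two npm package names reported above, as an added example that is not from the article or from Arch tooling: it scans PKGBUILD and .install files under a directory such as an AUR helper's build cache. It assumes the names appear literally in an altered script, and the sample PKGBUILD is constructed.

```python
import re
import sys
from pathlib import Path

# Package names taken from the article; matching them as literal strings in a
# build script is an assumption about how the altered scripts referenced them.
INDICATORS = ("atomic-lockfile", "js-digest")
_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, INDICATORS)) + r")(?![\w-])"
)

def scan_text(text):
    """Return (line_number, indicator, stripped_line) for each match in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            hits.append((number, match.group(1), line.strip()))
    return hits

def scan_tree(root):
    """Walk root and return {path: hits} for flagged PKGBUILD/.install files."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        # PKGBUILDs and pacman .install scriptlets both run shell code.
        if not path.is_file():
            continue
        if path.name != "PKGBUILD" and path.suffix != ".install":
            continue
        # errors="replace": an undecodable byte must not abort the sweep.
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            flagged[str(path)] = hits
    return flagged

# Constructed sample for illustration; not taken from any real package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
build() {
  cd "$srcdir/$pkgname"
  npm install atomic-lockfile
}
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file_path, hits in results.items():
        for number, indicator, line in hits:
            print(f"{file_path}:{number}: {indicator}: {line}")
    sys.exit(1 if results else 0)
```

A clean result only means the scripts currently on disk do not name these packages; it does not show that an earlier build was clean.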
Read More: https://thehackernews.com/2026/06/400-arch-linux-aur-packages-hijacked-to.html