ctipilot.ch

"Atomic Arch" AUR supply-chain — 400+ hijacked packages drop Rust stealer + eBPF rootkit

campaign · campaign:atomic-arch-aur-supply-chain-2026

Coverage timeline: 2 (first 2026-06-13 → last 2026-06-14)
Briefs: 2 (2 distinct)
Sources cited: 8 (8 hosts)
Sections touched: 2 (active_threats, weekly_summary)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026)
     weekly_summary · Consolidated in § 2; second wave reached 900-1,500 packages, bun-install delivery change
  2. 2026-06-13 · CTI Daily Brief — 2026-06-13
     active_threats · First coverage. Orphaned-AUR adoption → PKGBUILD adds malicious atomic-lockfile npm dep → Rust ELF credential stealer + eBPF rootkit (pinned BPF maps /sys/fs/bpf/hidden_*). Sonatype-2026-003775 CVSS 8.7; 2nd wave 12 Jun (Bun path, js-digest/lockfile-js).

Where this entity is cited

  • active_threats (1)
  • weekly_summary (1)

Source distribution

  • bleepingcomputer.com · 1 (12%)
  • ioctl.fail · 1 (12%)
  • sonatype.com · 1 (12%)
  • aikido.dev · 1 (12%)
  • github.blog · 1 (12%)
  • malwarebytes.com · 1 (12%)
  • microsoft.com · 1 (12%)
  • thehackernews.com · 1 (12%)

Related entities

Items in briefs about "Atomic Arch" AUR supply-chain — 400+ hijacked packages drop Rust stealer + eBPF rootkit (1)

"Atomic Arch" supply-chain attack hijacks 400+ AUR packages to drop a credential stealer and eBPF rootkit

From CTI Daily Brief — 2026-06-13 · published 2026-06-13 · view item permalink →

Attackers adopted roughly 400 orphaned Arch User Repository (AUR) packages through the AUR's standard disowned-package adoption mechanism, then rewrote their PKGBUILD build scripts to pull a malicious npm dependency, atomic-lockfile, during build (Sonatype, 2026-06-11). On any machine that builds an affected package, the dependency fetches a Rust-compiled Linux ELF that harvests developer secrets — browser profiles, SSH keys, GitHub/npm/cloud and AI-service tokens, messaging session data, shell histories, Docker and VPN credentials. When it runs with root or CAP_BPF/CAP_SYS_ADMIN, an embedded eBPF component pins maps at /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names and /sys/fs/bpf/hidden_inodes to hide its processes, files and socket inodes from ps, ls, netstat and live-response tooling (ioctl.fail, 2026-06-11). A second wave on 12 June added js-digest/lockfile-js delivery packages and a Bun-based path; Sonatype tracks it as Sonatype-2026-003775 (CVSS 8.7) and estimates the campaign may reach ~1,500 packages (BleepingComputer, 2026-06-12). Maps to T1195.002 (Compromise Software Supply Chain) and T1059 (Command and Scripting Interpreter via PKGBUILD).

Why it matters to us: Developer workstations and CI runners that build AUR packages are the blast radius. Hunt for npm install/bun install spawned from makepkg (Sysmon for Linux EID 1, parent-image filter), enumerate ls /sys/fs/bpf/hidden_* across Linux developer hosts, and restrict AUR-helper use on privilege-holding CI runners.
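The two hunts above (install commands spawned by makepkg, and hidden_* pins under /sys/fs/bpf), written out as an added example that is not part of the brief or of any vendor tooling. The events are constructed, simplified Sysmon-for-Linux EID 1 records; only the field names follow Sysmon's schema, the values and the `INSTALL_VERBS` set are assumptions for illustration.

```python
import os
from pathlib import Path

# Constructed, simplified Sysmon-for-Linux EID 1 (process creation) events,
# reduced to the fields the hunt needs. Values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "/usr/bin/npm", "ParentImage": "/usr/bin/makepkg",
     "CommandLine": "npm install atomic-lockfile", "User": "builder"},
    {"EventID": 1, "Image": "/usr/bin/bun", "ParentImage": "/usr/bin/makepkg",
     "CommandLine": "bun install", "User": "builder"},
    {"EventID": 1, "Image": "/usr/bin/npm", "ParentImage": "/usr/bin/bash",
     "CommandLine": "npm install express", "User": "dev"},   # benign: not under makepkg
    {"EventID": 1, "Image": "/usr/bin/cargo", "ParentImage": "/usr/bin/makepkg",
     "CommandLine": "cargo build --release", "User": "builder"},  # benign: not a JS install
]

# Package managers named in the brief (npm first wave, Bun second wave) and the
# install subcommands/aliases they accept ("i" and "ci" are real npm/bun aliases).
JS_PACKAGE_MANAGERS = {"npm", "bun"}
INSTALL_VERBS = {"install", "i", "ci"}


def is_install_from_makepkg(event):
    """True when a JS package-manager install is spawned directly by makepkg."""
    if event.get("EventID") != 1:
        return False
    if os.path.basename(event.get("ParentImage", "")) != "makepkg":
        return False
    image = os.path.basename(event.get("Image", ""))
    argv = event.get("CommandLine", "").split()
    return image in JS_PACKAGE_MANAGERS and bool(INSTALL_VERBS & set(argv[1:]))


def hunt_events(events):
    """Return the events matching the makepkg -> npm/bun install pattern."""
    return [e for e in events if is_install_from_makepkg(e)]


def find_hidden_bpf_pins(bpf_root="/sys/fs/bpf"):
    """List pinned BPF objects named hidden_* under bpf_root (the campaign's
    reported pins are hidden_pids, hidden_names and hidden_inodes)."""
    root = Path(bpf_root)
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.glob("hidden_*"))


if __name__ == "__main__":
    for hit in hunt_events(SAMPLE_EVENTS):
        print("ALERT makepkg spawned install:", hit["CommandLine"], "as", hit["User"])
    print("hidden_* pins:", find_hidden_bpf_pins() or "none")
```

Run as root on a developer host to check the real /sys/fs/bpf; a non-empty pin list is a strong indicator but an empty one does not clear the host, since the rootkit only runs when the build had root or CAP_BPF/CAP_SYS_ADMIN.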