
Over 400 Arch Linux Packages in AUR Compromised – Spyware and Rootkit Installation


At a glance: Hijacked orphaned AUR packages with forged Git metadata deliver a credential stealer which, when the package is installed as root, also loads an eBPF rootkit that hides itself from standard monitoring tools.

Attackers have taken over more than 400 community packages in the Arch User Repository (AUR) of Arch Linux and planted malicious code in them. The campaign, dubbed “Atomic Arch” (Sonatype-2026-003775, CVSS 8.7), aims at stealing developer credentials and installing an eBPF rootkit.

Security researchers at Sonatype discovered an attack on the Arch User Repository in which the perpetrators deliberately took over packages whose original developers had stopped maintaining them. Git commit metadata was forged so that the changes appeared to be legitimate updates from long-time maintainers. The manipulation of the installation scripts (PKGBUILD and .install files) began on June 11, 2026. The official Arch Linux repositories were not affected.

The malicious build scripts were rolled out in two waves and invoke package-manager commands (npm install atomic-lockfile 1.4.2 and bun install js-digest, respectively) that each download a malicious Linux executable named “deps”. Affected packages include alvr and premake-git. The malware, written in Rust, focuses on stealing credentials from developer and build environments: it extracts cookies, tokens and memory data from Chromium-based browsers (Chrome, Edge, Brave), session data from Electron apps (Slack, Discord, Teams), authentication tokens for GitHub, npm, HashiCorp Vault and OpenAI, as well as SSH keys, shell command history and VPN profiles. Stolen data is exfiltrated over HTTP to temp.sh, while command and control runs over Tor hidden services.

If the package was installed with root privileges, the malware copies itself to /var/lib/ and creates a unit under /etc/systemd/system/ so that it persists as a systemd service with a restart directive. More serious is the additional installation of an eBPF rootkit that hides processes, process names and socket inodes from standard monitoring tools. The rootkit keeps its hide lists in BPF maps in the kernel (hidden_pids, hidden_names, hidden_inodes) and actively blocks debugger attachment. Without root privileges, the malware instead nests in the user's home directory.

For CISOs, the kernel-level compromise is the critical point: simply deleting the affected packages is insufficient. Systems that installed a compromised package with administrative rights require a complete operating system reinstall from trusted media. Where the package was installed with ordinary user privileges, the changes in the home directory can be cleaned up, but any persistence unit the malware created must still be removed by hand. Recommended immediate actions: audit AUR package installations from June 11, 2026 onward, check for suspicious systemd units, rotate all authentication tokens (GitHub, npm, Vault, OpenAI) and SSH keys, and analyze logs for exfiltration to temp.sh.
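The four recommended actions can be turned into repeatable checks. The following POSIX shell script is an added example written for this page, not code from the report, Sonatype or Arch Linux. It takes the June 11, 2026 cutoff, the /var/lib/ drop location, the /etc/systemd/system/ persistence, the BPF map names hidden_pids/hidden_names/hidden_inodes and the temp.sh exfiltration host from the article; the unit file name, the sample pacman.log, bpftool and proxy log lines, and the "binary outside /usr" heuristic are constructed assumptions for illustration. It runs offline on the constructed samples; on a live host you would point the same functions at /var/log/pacman.log, a `pacman -Qqm` listing, /etc/systemd/system/, saved `bpftool map list` output and your proxy or DNS logs.

```shell
#!/bin/sh
# Triage helpers for the "Atomic Arch" AUR compromise (added example, not from
# the report). From the article: the June 11, 2026 cutoff, /var/lib/ as drop
# location, a unit under /etc/systemd/system/, the BPF maps hidden_pids,
# hidden_names, hidden_inodes, and temp.sh as exfiltration host. Everything
# else (file names, sample log lines, the /usr heuristic) is constructed.

AUR_CUTOFF="2026-06-11"

# installs_since PACMAN_LOG DATE FOREIGN_LIST
# FOREIGN_LIST holds one package name per line (live host: pacman -Qqm, i.e.
# packages that come from no official repo, which is where AUR builds land).
# Prints "action name" for each install/upgrade of such a package on or after
# DATE, parsed from the "[YYYY-MM-DDT...] [ALPM] installed|upgraded" log lines.
installs_since() {
  awk -v cutoff="$2" '
    NR == FNR { foreign[$1] = 1; next }               # first file: foreign names
    /\[ALPM\] (installed|upgraded) / &&
      substr($1, 2, 10) >= cutoff && ($4 in foreign) { print $3, $4 }
  ' "$3" "$1"
}

# flag_units UNIT_DIR
# Prints "unit exec" for every *.service whose ExecStart binary lives outside
# /usr. Heuristic (assumption): package-shipped services run from /usr/bin or
# /usr/lib, so a unit launching something from /var/lib/ stands out. Review
# hits by hand; site-specific services can trip it too.
flag_units() {
  for u in "$1"/*.service; do
    [ -f "$u" ] || continue
    exe=$(sed -n 's/^ExecStart=[-@+!:]*//p' "$u" | awk 'NF { print $1; exit }')
    case "$exe" in
      ""|/usr/*) ;;
      *) printf '%s %s\n' "$(basename "$u")" "$exe" ;;
    esac
  done
}

# rootkit_maps BPFTOOL_OUTPUT
# Scans saved `bpftool map list` output for the map names the report attributes
# to the rootkit. Caveat: the rootkit hides processes and sockets from the
# running kernel's own tooling, so a clean result on the suspect host is not
# proof of absence; prefer an inspection from trusted media.
rootkit_maps() {
  awk '/ name (hidden_pids|hidden_names|hidden_inodes) / {
         for (i = 1; i <= NF; i++) if ($i == "name") print $(i + 1)
       }' "$1"
}

# exfil_hits LOG -> proxy/DNS/firewall lines mentioning temp.sh (crude match)
exfil_hits() { grep -i 'temp\.sh' "$1"; }

# make_samples -> prints a temp dir populated with constructed sample inputs
make_samples() {
  d=$(mktemp -d)
  mkdir -p "$d/units"
  printf '%s\n' alvr premake-git > "$d/foreign.txt"
  cat > "$d/pacman.log" <<'EOF'
[2026-05-02T09:10:00+0000] [ALPM] installed alvr (20.10.0-1)
[2026-06-12T10:15:02+0000] [ALPM] upgraded vim (9.1.0-1 -> 9.1.1-1)
[2026-06-12T10:15:03+0000] [ALPM] upgraded alvr (20.10.0-1 -> 20.11.0-1)
[2026-06-13T18:40:21+0000] [ALPM] installed premake-git (5.0.0-1)
EOF
  printf '[Unit]\nDescription=OpenSSH Daemon\n[Service]\nExecStart=/usr/bin/sshd -D\n' \
    > "$d/units/sshd.service"
  # constructed unit name; binary path follows the article's /var/lib/ location
  printf '[Service]\nExecStart=/var/lib/deps\nRestart=always\n[Install]\nWantedBy=multi-user.target\n' \
    > "$d/units/update-helper.service"
  cat > "$d/bpftool.txt" <<'EOF'
3: hash  name hidden_pids  flags 0x0
        key 4B  value 1B  max_entries 1024  memlock 4096B
7: array  name tp_counts  flags 0x0
        key 4B  value 8B  max_entries 1  memlock 4096B
12: hash  name hidden_inodes  flags 0x0
        key 8B  value 1B  max_entries 1024  memlock 4096B
EOF
  cat > "$d/proxy.log" <<'EOF'
2026-06-13T18:42:01Z 10.0.0.12 CONNECT temp.sh:443 200
2026-06-13T18:42:05Z 10.0.0.12 GET https://aur.archlinux.org/ 200
EOF
  echo "$d"
}

SAMPLES=$(make_samples)
echo "== foreign (AUR) installs/upgrades since $AUR_CUTOFF"
installs_since "$SAMPLES/pacman.log" "$AUR_CUTOFF" "$SAMPLES/foreign.txt"
echo "== service units launching a binary outside /usr"
flag_units "$SAMPLES/units"
echo "== rootkit map names in bpftool output"
rootkit_maps "$SAMPLES/bpftool.txt"
echo "== exfiltration hits"
exfil_hits "$SAMPLES/proxy.log"
```

The first check only lists foreign packages, so repository updates installed in the same window do not add noise; the May install of alvr is excluded by the date cutoff while its June upgrade is reported. Because the rootkit targets the tooling of the live kernel, treat the bpftool and systemd checks as a first pass that can confirm, but never rule out, a compromise; the article's guidance to reinstall from trusted media stands wherever the package ran as root.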


Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
