Bottom line: Attackers from the Atomic Arch campaign infiltrate over 1,500 orphaned AUR packages with eBPF-based rootkits for credential theft, prompting Arch Linux to halt new account registrations.
The Arch Linux community is experiencing a coordinated supply chain attack involving more than 1,500 malicious packages in the Arch User Repository (AUR). Arch Linux has temporarily suspended new registrations for the repository in response.
The attackers systematically targeted orphaned or neglected PKGBUILD scripts in the Arch User Repository, whose updates would be pulled in automatically by existing installations. Between early June and June 11, 2026, 1,500 compromised packages were identified. According to Sonatype, the threat actors changed tactics on June 12: they initially modified NPM-based installation paths, then switched to Bun-based supply chains and uploaded entirely new malicious packages.
The injected malware disguises itself as a legitimate NPM package named “atomic-lockfile”. It uses eBPF (Extended Berkeley Packet Filter) to run with kernel privileges and establish a persistent foothold in the system. Sonatype documented advanced rootkit functionality, including debugger detection and mechanisms to hide processes, files, and network activity. The malware focuses on extracting credentials: passwords, SSH artifacts, HashiCorp Vault tokens, browser cookies, and collaboration tool data stores are stolen and transmitted via HTTP to external servers.
StepSecurity warns of the malware’s persistence on compromised systems. The security firm recommends affected organizations perform a complete operating system reinstall: “On systems with elevated privileges, the malware can establish eBPF-based persistence mechanisms to hide process and file activities. This significantly complicates detection and removal. A compromised host must be considered completely untrustworthy.” Standard malware scans are insufficient; all exposed credentials must be reset.
Arch Linux is working to isolate and remove the malicious code changes from the repositories. The organization has temporarily halted new registrations in the AUR.
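A triage check for the indicators named above, as an added example that is not part of the original article and not code from Sonatype, StepSecurity or Arch Linux: it scans PKGBUILD and .install files in local AUR checkouts for the package name “atomic-lockfile” and flags npm or Bun fetch commands for manual review. The directory to scan, the regular expression and the sample PKGBUILD are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The only indicator named in the article; everything else here is an assumption.
IOC_NAME = "atomic-lockfile"
# npm/Bun commands that fetch packages during build or install (review-worthy, not proof).
FETCH_RE = re.compile(r"\b(npm|bun)\s+(install|i|add|ci)\b")


def scan_text(text):
    """Return (line_no, severity, line) tuples for one build or install script."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if IOC_NAME in stripped:
            findings.append((no, "ioc", stripped))
        elif not stripped.startswith("#") and FETCH_RE.search(stripped):
            findings.append((no, "review", stripped))
    return findings


def scan_tree(root):
    """Scan every PKGBUILD and *.install file under root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.name == "PKGBUILD" or path.suffix == ".install"):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample, not taken from any real AUR package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0
# npm install is mentioned here only in a comment
build() {
  cd "$srcdir/$pkgname"
  npm install --no-save atomic-lockfile
}
package() {
  bun add example-dep
}
"""

if __name__ == "__main__":
    # Pass the directory that holds your AUR checkouts (location varies by AUR helper).
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for no, sev, line in hits:
            print(f"{path}:{no}: [{sev}] {line}")
```

Run it against checkouts before building, or against a copy of the build cache mounted on a known-clean machine. Because the malware described above can hide files, a clean result on a host that has already built an affected package does not clear that host.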
Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.