Atomic Arch: AUR Package Supply Chain Compromise Using Malicious npm Package (Campaign)
ID: 2eb1be28-3a3e-540f-bc2b-97e153f6a96b
STIX ID: report--2eb1be28-3a3e-540f-bc2b-97e153f6a96b
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-06-12
Date Updated: 2026-07-02
Author: [email protected] (Wiz Threat Research)
Researchers disclosed "Atomic Arch," a supply-chain campaign in which an attacker adopted 400+ abandoned AUR packages and modified their PKGBUILD scripts to install a malicious npm package (atomic-lockfile). The package runs a Linux ELF credential stealer (exfiltrating browser/Electron data, developer and cloud secrets, tokens, SSH keys, container credentials, and Vault tokens), can deploy an eBPF rootkit when run as root, and persists via systemd; the malicious npm packages were removed and AUR packages reverted around June 10–12, 2026, but systems that executed the payload remain compromised.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
