Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware
ID: 11a86a87-eeb9-5cc5-9b47-16c191260a4a
STIX ID: report--11a86a87-eeb9-5cc5-9b47-16c191260a4a
Feed Name: HackRead
Sonatype researchers uncovered the "Atomic Arch" supply-chain campaign targeting the Arch User Repository (AUR): attackers claim abandoned packages, alter PKGBUILD build scripts to run a malicious npm dependency (atomic-lockfile), and deliver a native Linux binary that uses eBPF to hide, gain persistence, and exfiltrate credentials (GitHub keys, SSH, Vault tokens, browser cookies, and messaging app data). Over 20 AUR packages are reported compromised, the malware is tracked as Sonatype-2026-003775 (CVSS 8.7), and simple removal of the visible package may not remediate systems once the second‑stage payload is active.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
