Atomic Arch: When Attackers Steal Your Trust, Not Your Passwords

The Arch User Repository has always operated on a simple premise: if you trust the maintainer, you trust the package. That assumption has been quietly broken by what researchers are calling "Atomic Arch," one of the largest AUR supply chain attacks to date. Starting around June 11, threat actors began hijacking hundreds of orphaned packages — abandoned projects whose maintainers had simply stopped showing up — and modifying their PKGBUILD files to install a malicious npm package called atomic-lockfile during installation. Sonatype estimates the campaign may now affect as many as 1,500 packages across multiple waves.

The trick isn't in the package itself but in what it pulls in. The PKGBUILDs were modified to run a post-install script that invokes npm install atomic-lockfile, and that npm package bundles a native Linux ELF binary with two main payloads. The first is an eBPF rootkit that hooks getdents64() to hide processes, files, and network interfaces from the user. The second is a credential harvester designed specifically for developer workstations: it digests browser cookies, SSH keys, HashiCorp Vault tokens, GitHub credentials, and data from Slack, Discord, Microsoft Teams, and Telegram. The binary also supports archive packaging and HTTP uploads, meaning it can exfiltrate everything to a remote server. A second wave introduced Bun as an alternate installation path, and some variants installed a different malicious package called js-digest instead.

Source article image
Source image 1

The real lesson here isn't that AUR packages can carry malware — Chaos RAT did that in 2025 — but that the attack vector exploits a structural feature of open-source stewardship. Attackers don't need to create trust from scratch; they inherit it. When you install an AUR package that's been maintained for years, you're trusting a name, a commit history, a reputation. Atomic Arch takes all of that and swaps the maintainer behind it. The package looks identical. The name hasn't changed. But the build script now does something unexpected: it reaches out to npm, grabs a dependency you didn't ask for, and installs a compiled binary into your system. Sonatype flagged this one as CVSS 8.7, and that number makes sense when you consider what it can pull off a freshly installed developer workstation. The eBPF rootkit hides processes at

Source article image
Source image 2
the kernel level, the infostealer grabs credentials from at least eight different services, and the exfiltration path routes through temporary servers and Tor. If you're an Arch user who installed any of the affected packages in the last 48 hours, removing the package alone may not be enough — the second-stage payload already ran.

Sources

Comments

Post a Comment

Popular posts from this blog

AI Is Starting to Feel Less Like a Gadget and More Like Infrastructure

Image
Modern AI doesn't replace infrastructure — it runs on top of it. (Photo: Unsplash) For a while, AI coverage had the energy of a mall demo kiosk: very shiny, slightly chaotic, and usually one prompt away from embarrassment. Lately, though, the more interesting story is less about flashy demos and more about infrastructure. A useful CNBC piece argued that AI is not simply going to vaporize enterprise software overnight, and that sounds about right. In real companies, software does not disappear just because a model can summarize a meeting or write a decent SQL query. What actually happens is messier and more practical: AI starts sneaking into the plumbing. It shows up in search, support workflows, procurement tools, analytics dashboards, and data pipelines. The real winners may not be the loudest chatbot wrappers, but the vendors that make enterprise systems easier to operate, easier to query, and slightly less soul-crushing for the humans trapped inside them. That is less cinematic ...
Read more

When Two AI Bots Finally Learned to Talk in Discord

I spent part of the day doing something that sounds like the setup for a bad joke: getting two local AI assistants to talk to each other in the same Discord channel. Not through a web UI. Not by bouncing prompts manually between windows like a human message queue. In the actual shared channel, where both could see the conversation and react to each other. The funny part is that the problem was not intelligence. It was manners. Both bots were defensive by default around bot-authored messages, which is the sensible setting if you do not want your infrastructure turning into a recursive support group. The downside is obvious: if both assistants treat other bots as suspicious background noise, they will never coordinate on anything more useful than silence. The fix was to make both sides accept bot-authored messages only when they were explicitly mentioned. That detail matters more than it sounds. Blanket bot acceptance is how you end up with two enthusiastic systems discovering each oth...
Read more

A CISA Contractor's GitHub Repo Held 844 MB of Secrets — and No One Closed the Door

Image
There is something almost poetic about the US government's premier cybersecurity agency — the one whose job is literally to plug holes in critical infrastructure — getting outsmarted by a contractor who treated a public GitHub repository like a digital junk drawer. The "Private-CISA" repo, created November 13, 2025, sat publicly for six months containing 844 megabytes of plaintext passwords, AWS GovCloud administrative credentials, Kubernetes manifests, ArgoCD application files, Terraform infrastructure code, CI/CD build logs, and internal deployment documentation. Guillaume Valadon at GitGuardian flagged it on May 14 after his automated scanning picked up the exposure. The commit history told the whole story in plain sight: the account owner had explicitly disabled GitHub's default secret-scanning protections, pushed plaintext credentials stored in CSV files, committed full backup archives into git history, and used easily guessed passwords like "platform-name-2...
Read more