Atomic Arch buries an eBPF rootkit inside 1,500 AUR packages
Around June 11, 2026 a campaign that Sonatype has named Atomic Arch began quietly claiming abandoned packages in the Arch User Repository through the same orphan adoption flow that legitimate maintainers use every day, and within roughly forty eight hours the attackers had pushed PKGBUILD modifications into a wave that started near 400 packages and crossed 1,500 compromised packages by the following day, with every modified build script reaching out at install time for a malicious npm dependency called atomic-lockfile that bundled an eBPF-based Linux rootkit alongside a stealer aimed at credentials, SSH keys, and access tokens (Sonatype, SecurityWeek). The Arch Linux security team suspended new AUR account registrations while it audited the repository, and the community started maintaining a list of confirmed compromises at github.com/lenucksi/aur-malware-check, which is the cleanest source of truth defenders have today for the affected package set (Cybersecurity News).
What turned this from another typo-squatting incident into a 1,500 package event was the choice of intake. Atomic Arch never had to phish a maintainer credential or subvert a CI pipeline, because AUR ships with a documented workflow that lets any registered user adopt a package whose maintainer has formally walked away, and the campaign treated that workflow like a queue. Attackers swept the orphan list, took ownership through ordinary requests, then committed PKGBUILD changes that resolved an additional dependency at install time, and that dependency was where atomic-lockfile actually lived. Downstream distributions that pull from AUR or share its maintainer base, including Manjaro, EndeavourOS, and Garuda, inherit the same exposure for any user who reached for an affected name between June 10 and June 13 (StepSecurity).
Why this class of compromise slips through a normal queue
A traditional vulnerability management program watches CVE feeds, KEV listings, and vendor advisories, which is the wrong sensor array for this attack because Atomic Arch never produced a CVE and never modified a binary a network scanner could match a signature against. The poisoned packages were rebuilt locally from source on the developer or CI host that asked for them, so the artifact running on disk was unique to each install and the only constant signal was the PKGBUILD's reach for the malicious npm dependency at fetch time. Most teams that run Arch or Arch-derived workstations and build agents do not even feed AUR consumption into the same inventory they use for OS packages, because pacman tracks the official repositories cleanly while AUR sits in the developer's shell history.
Payload behavior plays straight to the same blind spot. Once the install resolves the atomic-lockfile dependency, the package drops an eBPF-based rootkit into the kernel, and an eBPF program loaded at that level can hide processes, mask network sockets, and selectively rewrite syscall results in ways that endpoint agents written against a user-space view of the system simply do not see, because the rootkit is operating inside the same kernel facility those agents depend on for telemetry (Sonatype). On the stealer side, the payload reads the artifacts any working developer keeps on a build host, namely the SSH key set, the cloud and registry tokens the shell environment exports, and whatever access cookies the user has cached for AUR itself, so the campaign quietly seeds a second round of adoption traffic from the very accounts whose hosts it already owns (SecurityWeek).
Prioritizing with TRIS
A raw CVSS triage cannot rank this event because there is no CVE to rank, so the queue that decides what gets handled today has to be driven by something other than vendor scoring. TRIS, the multi-layer Threat and Risk Intelligence Scoring built into CVEasy AI, weights the three signals that decide whether a finding deserves the top of your queue inside your environment, and Atomic Arch lights up on every one of them.
- Active exploitation. The campaign is running live in the AUR, the rootkit and stealer are already on victim hosts that pulled affected packages, and the community list at github.com/lenucksi/aur-malware-check continues to grow as the security team works through the audit, which TRIS treats as confirmed in-the-wild abuse rather than a theoretical proof of concept (Cybersecurity News).
- Blast radius. A single malicious dependency is reachable from more than 1,500 AUR packages, and the affected user base spans Arch plus every downstream distribution that consumes AUR or shares its maintainer pool, with developer workstations and CI pipelines the most exposed because both install AUR packages non-interactively under accounts that hold privileged credentials for the rest of the build chain (StepSecurity).
- Real exposure. TRIS narrows the alert to hosts in your environment that actually run Arch or an Arch derivative and that touched AUR between June 10 and June 13, then enriches the queue with the specific package names from the community list, which collapses the response to the hosts that need an immediate rotation of every credential and key that ever lived on them.
Remediation steps
- Pull a fresh copy of the community compromise list at github.com/lenucksi/aur-malware-check, diff it against the AUR packages installed on every Arch and Arch-derived host, including build agents and developer workstations, and remove atomic-lockfile plus any confirmed compromised package on every match (Sonatype).
- Run the Arch Linux security team's rootkit scanner for the eBPF artifacts the atomic-lockfile payload installs, and treat any positive as fully compromised, which in practice means a reimage rather than a clean attempt, since an eBPF rootkit that can hide processes and mask syscalls can also hide whatever cleanup tool you point at it.
- Rotate every credential, SSH key, cloud and registry token, and AUR account password that ever lived on a confirmed or suspected host, because the stealer reads exactly those artifacts and the campaign uses captured AUR accounts to extend its access into the next round of orphan adoptions (SecurityWeek).
- Hold off on new AUR installs across developer and CI hosts until the Arch security team lifts the new account suspension and publishes its audit summary, since the orphan adoption vector is still the campaign's entry point (Cybersecurity News).
- Add AUR consumption to whatever inventory your CTEM or build governance pipeline already feeds, so the next campaign of this shape lands in the same queue as your OS packages and not in a developer's shell history.
How CVEasy AI surfaces this
When a community supply-chain event of this shape lands without a CVE attached, CVEasy AI ingests the Sonatype writeup, the community reporting, and the live compromise list at github.com/lenucksi/aur-malware-check within minutes, then runs the combined picture through TRIS against the AUR consumption inventory that lives entirely on your own hardware. The platform answers the questions that decide the next forty eight hours, namely which Arch and Arch-derived hosts touched AUR between June 10 and June 13, which installed a package on the community list, which still carry an atomic-lockfile artifact on disk, and which credentials need a rotation before the captured AUR accounts get reused upstream. As the number one local-first CTEM platform, CVEasy AI keeps that picture on your side of the wire and feeds the BASzy attack validation module a clean target list so the team can prove the removal and rotation work landed before the next wave of adoptions starts.
References
- Sonatype on the Atomic Arch npm campaign and atomic-lockfile
- SecurityWeek on the 1,500 package AUR supply chain attack
- Cybersecurity News on the AUR compromise and account suspension
- Latest Hacking News on the AUR supply chain attack
- StepSecurity on the first wave of 400 hijacked AUR packages
- Community AUR malware check list and detection tooling