{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreia5vkht5i4zgzloanltplz5aqezml26v2pcuftgjdev3cwqtjzwq4",
"uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3mo4nonpms7r2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiff4kyne4hvgd2xlaberk5pf5hdedwmnaiigkntbaftpbxpkknkgi"
},
"mimeType": "image/jpeg",
"size": 142668
},
"description": "Researchers at Sonatype uncovered a massive supply chain attack against the Arch User Repository (AUR) to harvest credentials and exfiltrate user data by hijacking around 1,500 packages.",
"path": "/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/",
"publishedAt": "2026-06-12T21:10:44.000Z",
"site": "https://www.privacyguides.org",
"tags": [
"uncovered",
"AUR",
"CI/CD"
],
"textContent": "Researchers at Sonatype uncovered a massive supply chain attack against the Arch User Repository (AUR) to harvest credentials and exfiltrate user data by hijacking around 1,500 packages.\n\nThe attack, dubbed \"Atomic Arch\" by the researchers, is one of the largest attacks against the AUR of all time.\n\nThe AUR is a collection of unofficial packages made by the Arch Linux community. There's even a warning on the Arch wiki that packages have not been fully vetted and that you use them at your own risk.\n\nThe campaign targeted packages that have been abandoned by their maintainers for one reason or another.\n\nThe attackers are abusing the process by which community members can request ownership of orphaned packages.\n\n> In the Atomic Arch campaign, attackers appear to be exploiting this process to gain stewardship of trusted packages already used by the community. Attackers adopt orphaned AUR packages. The package keeps its existing name, history, and user trust, but control of its build instructions changes hands.\n\nCleverly, the attackers didn't modify the actual packages themselves, but instead modified the packages' build instructions, thus bypassing traditional methods of detecting malware.\n\nInstead, they modify the packages' PKGBUILD to add a post-install script that installs a malicious npm package called atomic-lockfile.\n\nThe researchers found that the package obfuscated its activity to make it harder to identify. That activity includes looking through your directories and making network connections, with specific references to SSH keys, browser cookie databases, and data stores for apps like Discord, Slack, and Telegram.\n\nThese indicators strongly suggest credential stealing and data exfiltration.\n\nThe method of compromise is quite sneaky since users will just assume a new update is available for a trusted package and install it without thinking. The attackers essentially hijack the trust built up over the years by package maintainers and bypass the need to convince users to install something new.\n\n> Attackers are not building trust from scratch. They're acquiring projects that have already earned it. That dramatically reduces the warning signs developers normally rely on when evaluating software.\n\n2026 has seen a staggering number of supply chain attacks, most of them targeting the CI/CD infrastructure of developers.\n\nThis attack, leveraging a widely-used community repository, highlights the risks involved in unofficial packages. Hopefully, Arch can harden the process for adopting orphaned packages to perhaps require more vetting.",
"title": "Around 1,500 AUR Packages Compromised with \"Rootkit-Like\" Malware",
"updatedAt": "2026-06-12T21:10:45.144Z"
}