Arch Linux AUR Supply Chain Attack Deploys Infostealers
A massive supply chain attack has compromised over 400 community-maintained packages within the Arch User Repository (AUR). Attackers injected malicious build scripts into these packages, designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
The campaign, dubbed “Atomic Arch” by researchers, was identified around June 11, 2026, and represents one of the most wide-scale AUR incidents on record.
The threat actors systematically targeted orphaned AUR packages (legitimate projects that had been abandoned by their original maintainers) and claimed ownership of them through the AUR's standard adoption process.
Once in control, attackers modified the packages’ PKGBUILD scripts, which are the build instruction files that AUR helpers like yay and paru execute during installation.
The malicious PKGBUILDs were altered to silently fetch and install two rogue npm packages: atomic-lockfile and js-digest. These packages acted as the primary malware delivery mechanism, executing during the standard package build process without triggering obvious warnings to end users.
AUR Packages Compromised With Infostealers
Once installed, the malicious npm packages deployed a multi-stage infostealer payload engineered to exfiltrate a broad range of sensitive data, including:
- Browser credentials — saved passwords, session cookies, and autofill data from Chromium and Firefox-based browsers.
- SSH private keys — enabling attackers to pivot to remote servers and infrastructure.
- System environment variables — potentially exposing API tokens, cloud credentials, and application secrets.
- Cryptocurrency wallet data — targeting local wallet files and seed phrases.
Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop. This tactic makes post-infection identification significantly harder without dedicated forensic tooling.
The Arch Linux security team responded rapidly once the compromise was surfaced on the AUR mailing list. Maintainers reverted malicious PKGBUILD commits, permanently banned the offending attacker accounts, and published a detailed checklist of affected packages for the community. Critically, Arch’s official repositories ([core], [extra], [multilib]) remained unaffected, as those are subject to stricter review processes.
Users who regularly install AUR packages should take the following steps immediately:
- Run `pacman -Qm` to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packages.
- Audit recent PKGBUILD history for any packages installed between June 10–12, 2026.
- Rotate all credentials — browser passwords, SSH keys, API tokens, and cloud access keys — if any flagged package was installed.
- Scan for suspicious processes masquerading as kernel threads using tools like `rkhunter` or `chkrootkit`.
- Consider using AUR helpers with PKGBUILD review prompts enabled by default.
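The following script is an added example written for this page; it is not code from the article, from Arch Linux, or from the AUR helpers it mentions. It turns the PKGBUILD tampering described earlier and the response steps listed above into three checks that can be run from a POSIX shell: cross-referencing `pacman -Qm` output against a compromised-package list (the list file layout, one package name per line, is an assumption), scanning a locally cached PKGBUILD for build-time npm fetches and for the two rogue package names from the report, and flagging processes that carry a kernel-thread name without the properties a genuine kernel thread has (parent PID 2 and an empty `/proc/PID/cmdline`). The `/proc` reader bypasses `ps` and `htop`, which the article notes the malware was built to fool.

```shell
#!/bin/sh
# Added example, not code from the article or from the Arch project: three
# defender-side checks for the response steps, written for POSIX sh.
# The compromised-package list is assumed to be a local file with one package
# name per line (an assumption); the npm names come from the report.

# 1. Cross-reference installed foreign (AUR) packages against a published list.
#    $1: file holding the output of `pacman -Qm` ("name version" per line)
#    $2: file holding one compromised package name per line
#    Prints "name version" for each installed package that is on the list.
find_compromised_foreign() {
    qm_file=$1
    bad_file=$2
    # Match on the package name only (field 1 of pacman -Qm output).
    # FILENAME is compared instead of the usual NR==FNR idiom so that an empty
    # list does not cause every installed package to be read as a list entry.
    awk -v badfile="$bad_file" '
        FILENAME == badfile { bad[$1] = 1; next }
        ($1 in bad)         { print $1, $2 }
    ' "$bad_file" "$qm_file"
}

# 2. Scan a PKGBUILD for build-time npm fetches and for the two rogue package
#    names from the report. Exit status 0 means something matched (the lines
#    are printed with line numbers); 1 means nothing matched. A JavaScript
#    package may legitimately run npm in build(), so a hit is a review prompt,
#    not proof of compromise.
scan_pkgbuild() {
    grep -nE 'npm +(install|i|ci|add|exec)( |$)|npx |atomic-lockfile|js-digest' "$1"
}

# 3. Flag processes that carry a kernel-thread name but are not kernel threads.
#    Genuine kernel threads are children of kthreadd (PID 2) and have an empty
#    /proc/PID/cmdline; a user-space process can copy the name but not those
#    properties. Input on stdin, one process per line: "PID PPID COMM [CMDLINE]".
flag_fake_kthreads() {
    awk '
        # Common kernel-thread name prefixes; an optional leading "[" is
        # accepted because the ps-style rendering is sometimes imitated too.
        $3 ~ /^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|khugepaged|watchdog|cpuhp|idle_inject)/ {
            if ($1 != 2 && $2 != 2) {
                print "suspicious: pid " $1 " ppid " $2 " named " $3 " is not a child of kthreadd"
                next
            }
            if (NF > 3) {
                print "suspicious: pid " $1 " named " $3 " has a cmdline starting with " $4
            }
        }
    '
}

# Helper for a live Linux system: build the "PID PPID COMM CMDLINE" listing
# straight from /proc rather than via ps/htop. Spaces inside comm are replaced
# with underscores so the field positions stay stable for flag_fake_kthreads.
list_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/stat" ] || continue
        stat=$(cat "$d/stat")
        comm=${stat#*"("}; comm=${comm%%")"*}
        comm=$(printf '%s' "$comm" | tr ' ' '_')
        rest=${stat##*") "}            # fields after "(comm) ": state ppid pgrp ...
        ppid=$(printf '%s' "$rest" | awk '{ print $2 }')
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "$ppid" "$comm" "$cmdline"
    done
}

# Typical use on an Arch system (not executed by this file):
#   pacman -Qm > /tmp/qm.txt
#   find_compromised_foreign /tmp/qm.txt /path/to/compromised-list.txt
#   scan_pkgbuild ~/.cache/yay/<pkg>/PKGBUILD
#   list_procs | flag_fake_kthreads
```

The PKGBUILD scan deliberately errs toward noise: any `npm install` in a build function is printed, and the reviewer decides whether the package has a reason to fetch from npm at build time. The kernel-thread check is the property-based counterpart to `rkhunter` and `chkrootkit`: it relies on facts the kernel enforces (parentage and cmdline) rather than on a signature of any particular sample.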
This incident echoes a growing trend of supply chain attacks targeting package repositories across ecosystems. Researchers at Sonatype specifically characterized the Atomic Arch campaign as a deliberate strategy of targeting orphaned, trusted packages with existing install bases, maximizing victim reach while minimizing scrutiny.
The AUR’s community-trust model, while a strength for package availability, continues to present a systemic risk that individual vigilance cannot fully mitigate without structural policy changes around orphan package adoption.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.