The Arch User Repository (AUR) suspended new registrations Monday due to an ongoing supply chain attack flooding the repository with more than 1,500 malicious packages.

Dubbed “Atomic Arch” by Sonatype, the attack began Thursday when attackers abused AUR’s stewardship process for adopting orphaned packages to claim ownership of abandoned, legitimate packages and modify them with malicious PKGBUILD post-install scripts.

Like the axios attack, this script introduces a malicious dependency rather than modifying the package’s code itself, Sonatype said. In an initial wave affecting about 400 packages, the script executed an npm install command for a package called atomic-lockfile. Shortly afterward, the attackers switched tactics, instead using the Bun runtime to install packages called js-digest and lockfile-js, ultimately affecting a total of more than 1,500 AUR packages.

The malicious dependencies act as loaders to retrieve a Rust-based infostealer targeting developer credentials and secrets such as GitHub and npm tokens, browser cookies and session tokens, SSH keys, Docker and Podman credentials, and session tokens for Slack, Discord and Telegram, according to StepSecurity.

The attackers also deploy an eBPF-based rootkit likely used to help hide malicious processes, files and network activity from detection on affected Linux systems, according to Sonatype.
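The pattern described above, a build or install hook that reaches out to npm or Bun, is something a reviewer can check for mechanically before accepting an AUR update. The following scanner is an added example and is not Sonatype's, StepSecurity's or the Arch maintainers' tooling; the PKGBUILD and .install text it scans are constructed samples (the package name `example-tool` and its URLs are placeholders), and the hook-function names are the standard ones used by makepkg and pacman install scripts.

```python
"""Flag AUR PKGBUILD / .install hook bodies that fetch code through
npm or Bun, pipe downloads into a shell, or decode/eval payloads.
Added illustrative example, not Sonatype's or StepSecurity's tooling;
the sample PKGBUILD and .install text below are constructed."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str, str]  # (line number, hook function, label, line)

# Commands a reviewer would not expect a build or install hook to run.
SUSPICIOUS = [
    ("npm-install", re.compile(r"\bnpm\s+(install|i|ci)\b")),
    ("bun-install", re.compile(r"\bbun\s+(install|add|x)\b|\bbunx\b")),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64-decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("eval", re.compile(r"(^|[;&|]\s*)eval\b")),
]

# Hook functions whose bodies run on the user's machine at build or install time.
HOOKS = {"prepare", "build", "check", "package",
         "pre_install", "post_install", "pre_upgrade", "post_upgrade",
         "pre_remove", "post_remove"}
FUNC_START = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*\(\)\s*\{?\s*$")
FUNC_END = re.compile(r"^\}\s*$")


def is_hook(name: str) -> bool:
    # package_foo() is the split-package form of package()
    return name in HOOKS or name.startswith("package_")


def scan_script(text: str) -> List[Finding]:
    """Return suspicious commands found inside hook functions of a
    PKGBUILD or .install file. Comment lines are ignored."""
    findings: List[Finding] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FUNC_START.match(raw)
        if m:
            current = m.group(1)
            continue
        if FUNC_END.match(raw):
            current = None
            continue
        if current is None or not is_hook(current):
            continue
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append((lineno, current, label, line))
    return findings


def new_findings(old_text: str, new_text: str) -> List[Finding]:
    """Findings introduced by a revision: what to read before accepting
    an update to an already-installed AUR package."""
    before = {(f[1], f[2], f[3]) for f in scan_script(old_text)}
    return [f for f in scan_script(new_text) if (f[1], f[2], f[3]) not in before]


# Constructed sample: a revision of an adopted package that adds an npm
# fetch to package(); the older revision lacked that line.
SAMPLE_PKGBUILD_NEW = """\
# Maintainer: new adopter <adopter@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-${pkgver}.tar.gz")
sha256sums=('SKIP')
install=example-tool.install

build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}

package() {
  cd "$srcdir/example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
  npm install --prefix "$pkgdir/usr/lib/example-tool" atomic-lockfile
}
"""
SAMPLE_PKGBUILD_OLD = "\n".join(
    l for l in SAMPLE_PKGBUILD_NEW.splitlines() if "atomic-lockfile" not in l)

# Constructed .install file using the later Bun variant from the article.
SAMPLE_INSTALL = """\
post_install() {
  cd /usr/lib/example-tool && bun install lockfile-js
}
post_upgrade() {
  post_install
}
"""

if __name__ == "__main__":
    for f in new_findings(SAMPLE_PKGBUILD_OLD, SAMPLE_PKGBUILD_NEW):
        print("PKGBUILD:%d in %s(): [%s] %s" % f)
    for f in scan_script(SAMPLE_INSTALL):
        print(".install:%d in %s(): [%s] %s" % f)
```

Run against the previous and current revision of a package (for example the two copies an AUR helper keeps in its cache), `new_findings` prints only what the update introduced, which is the part the Arch maintainers asked users to read. Variable assignments outside hook functions are deliberately not scanned, so a package that legitimately depends on a Node project still has to be judged by a human, and the patterns are a starting list, not a complete one.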
The use of a Rust-based credential stealer and eBPF rootkit was also seen in a recent npm attack wave dubbed IronWorm, which JFrog researchers noted bears similarities to Mini Shai-Hulud.

AUR users continued to report new malicious package adoptions through Sunday, and the Arch Linux maintainers encouraged users to review all PKGBUILD and install script changes when updating packages.

Sonatype researchers noted that the campaign exploits users’ trust in existing legitimate packages, requiring greater scrutiny even when updating established packages.

“As software ecosystems continue to rely on volunteer maintainers and community stewardship, ownership transitions may become an increasingly attractive target for attackers looking to compromise trusted distribution channels from the inside,” the Sonatype Security Research Team wrote.

StepSecurity recommended that any organization using Arch Linux enumerate the Arch systems in its environment and review AUR installs and updates since early June 2025 for potentially compromised packages. StepSecurity also recommended behavioral monitoring for unexpected package manager calls, unusual network activity during build steps, the creation of suspicious system units or eBPF objects, and anomalous connections to paste sites, file-sharing services or Tor.
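The review StepSecurity recommends, listing which AUR packages were installed or updated on a host since early June 2025, can be done from two things every Arch system already has: the output of `pacman -Qm` (packages not from any sync repository, i.e. AUR or locally built) and `/var/log/pacman.log`. The script below is an added example, not StepSecurity's tooling. It assumes the ISO-timestamped log format recent pacman versions write (`[2025-06-12T09:11:05+0000] [ALPM] upgraded name (old -> new)`), treats a transaction started with `pacman -U` as a local-file install (how AUR helpers install what they built), and keeps any `[ALPM-SCRIPTLET]` output pacman logged for the package, since an install hook that runs npm or Bun leaves its output there. The package list and log lines are constructed samples.

```python
"""Review pacman's log for AUR (foreign) packages installed or upgraded
since a cut-off date, keeping any install-scriptlet output logged for
them. Added example for the review StepSecurity recommends; it is not
their tooling. The `pacman -Qm` output and log lines are constructed
samples; the log format assumed is the ISO-timestamped one written by
recent pacman versions."""
import re
from datetime import datetime, timezone
from typing import Dict, List

LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[A-Z-]+)\] (?P<msg>.*)$")
ACTION = re.compile(
    r"^(?P<action>installed|reinstalled|upgraded) (?P<pkg>\S+) \((?P<ver>[^)]*)\)$")
LOCAL_INSTALL = re.compile(r"^Running 'pacman (?:-U|--upgrade)\b")

CUTOFF = datetime(2025, 6, 1, tzinfo=timezone.utc)  # "since early June 2025"


def parse_foreign(qm_output: str) -> Dict[str, str]:
    """Parse `pacman -Qm` output ("name version" per line) into a dict."""
    pkgs: Dict[str, str] = {}
    for line in qm_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def review_log(log_text: str, foreign: Dict[str, str],
               cutoff: datetime = CUTOFF) -> List[dict]:
    """Return install/upgrade events for foreign packages at or after cutoff."""
    events: List[dict] = []
    local_txn = False  # current transaction is `pacman -U` of local files
    last = None        # most recent foreign-package event, for scriptlet output
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
        src, msg = m.group("src"), m.group("msg")
        if ts < cutoff:
            continue
        if src == "PACMAN":
            if msg.startswith("Running "):      # start of a new transaction
                local_txn = bool(LOCAL_INSTALL.match(msg))
                last = None
            continue
        if src == "ALPM-SCRIPTLET":              # output of the package's install script
            if last is not None:
                last["scriptlet"].append(msg)
            continue
        if src != "ALPM":
            continue
        a = ACTION.match(msg)
        if a is None or a.group("pkg") not in foreign:
            last = None
            continue
        last = {"time": ts.isoformat(), "action": a.group("action"),
                "pkg": a.group("pkg"), "version": a.group("ver"),
                "local_install": local_txn, "scriptlet": []}
        events.append(last)
    return events


# Constructed samples: two foreign packages, and a log with one install
# before the cut-off, a normal sync upgrade, and one AUR upgrade after it.
SAMPLE_QM = """\
example-tool 1.2.3-2
yay 12.3.5-1
"""
SAMPLE_LOG = """\
[2025-05-20T08:00:00+0000] [PACMAN] Running 'pacman -U /home/dev/.cache/yay/example-tool/example-tool-1.2.3-1-x86_64.pkg.tar.zst'
[2025-05-20T08:00:01+0000] [ALPM] transaction started
[2025-05-20T08:00:01+0000] [ALPM] installed example-tool (1.2.3-1)
[2025-05-20T08:00:01+0000] [ALPM] transaction completed
[2025-06-10T14:02:30+0000] [PACMAN] Running 'pacman -Syu'
[2025-06-10T14:02:33+0000] [ALPM] transaction started
[2025-06-10T14:02:33+0000] [ALPM] upgraded linux (6.14.0.arch1-1 -> 6.14.1.arch1-1)
[2025-06-10T14:02:40+0000] [ALPM] transaction completed
[2025-06-12T09:11:00+0000] [PACMAN] Running 'pacman -U /home/dev/.cache/yay/example-tool/example-tool-1.2.3-2-x86_64.pkg.tar.zst'
[2025-06-12T09:11:05+0000] [ALPM] transaction started
[2025-06-12T09:11:05+0000] [ALPM] upgraded example-tool (1.2.3-1 -> 1.2.3-2)
[2025-06-12T09:11:09+0000] [ALPM-SCRIPTLET] added 14 packages in 4s
[2025-06-12T09:11:09+0000] [ALPM] transaction completed
"""

if __name__ == "__main__":
    for ev in review_log(SAMPLE_LOG, parse_foreign(SAMPLE_QM)):
        print(ev)
```

On a real host, feed it `pacman -Qm` output and the contents of `/var/log/pacman.log`; every event it returns is a package whose PKGBUILD and .install files for that version deserve a read, and an event with scriptlet output such as a package-count summary from a JavaScript package manager is the one to look at first.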
AUR suspends new registrations as 1,500-plus malicious packages flood repository

(Credit: Claudio Bórquez – stock.adobe.com)