# Incident Report: Atomic Arch Supply Chain Compromise
## Executive Summary
The "Atomic Arch" campaign was a sophisticated software supply chain attack that compromised over 400 orphaned packages in the Arch User Repository (AUR). The attacker leveraged legitimate maintainer-handoff mechanisms to inject a malicious npm dependency, `atomic-lockfile`, into package build scripts. The resulting malware functioned as a credential stealer and eBPF-based rootkit, specifically targeting developer environments, CI/CD runners, and cloud credentials.
## Incident Details
- **Discovery Date:** June 12, 2026
- **Incident Date:** June 10 – June 12, 2026
- **Affected Organization:** Users of Arch User Repository (AUR) and npm
- **Sector:** Software Development / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately June 10, 2026
- **Vector:** Supply Chain Compromise (Reputation/Trust Exploitation)
- **Details:** The attacker created new AUR accounts and utilized the legitimate "maintainer-handoff" mechanism to adopt 400+ abandoned/orphaned packages.
### Lateral Movement
- **Mechanism:** The attacker modified `PKGBUILD` scripts to include an `npm install atomic-lockfile` command. While the original software remained untouched, the build process pulled malicious dependencies from the public npm registry.
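A static check for the injection pattern described above, as an added example (not tooling from the AUR project or the researchers): it flags network-fetching commands inside the functions makepkg runs, where a clean PKGBUILD should only use inputs declared in `source=()`. The sample PKGBUILD is constructed for this example.

```python
# Added example (not tooling from the AUR project or the researchers): a static
# check that flags network-fetching commands inside the functions makepkg runs,
# the pattern behind the injected `npm install atomic-lockfile` described above.
# The sample PKGBUILD at the bottom is constructed for this example.
import re

# Commands that pull or run remote content at build time. A clean PKGBUILD
# declares its inputs in source=() and pins them with checksums instead.
NETWORK_CMDS = re.compile(
    r"\b(npm\s+(install|i|ci)|yarn\s+(add|install)|pnpm\s+(add|install)|"
    r"pip3?\s+install|cargo\s+install|curl|wget|git\s+clone)\b"
)
# Functions makepkg executes; a network call in any of them runs on the builder.
BUILD_FUNCS = ("prepare", "build", "check", "package")

def find_network_calls(pkgbuild_text):
    """Return (function, line number, stripped line) for each suspicious call."""
    findings = []
    current = None  # name of the build function we are inside, if any
    for lineno, raw in enumerate(pkgbuild_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        header = re.match(r"^\s*(\w+)\s*\(\)\s*\{", line)
        if header:
            current = header.group(1) if header.group(1) in BUILD_FUNCS else None
            continue
        if line.strip() == "}":
            current = None
            continue
        if current and NETWORK_CMDS.search(line):
            findings.append((current, lineno, line.strip()))
    return findings

# Constructed sample: a plausible PKGBUILD with one injected line in build().
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$pkgname-$pkgver"
  npm install atomic-lockfile   # injected: fetches from the npm registry at build time
  make
}

package() {
  make DESTDIR="$pkgdir" install
}
"""
```

Running `find_network_calls(SAMPLE_PKGBUILD)` reports the injected line in `build()`; the same check can be run over every PKGBUILD in a local AUR checkout before `makepkg` is invoked.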
### Data Exfiltration/Impact
- **Impact:** The malware targets Linux environments to harvest sensitive data, including:
  - Browser/Electron data (cookies; Slack, Teams, Discord).
  - Developer tokens (GitHub, npm).
  - Infrastructure secrets (SSH keys, Docker/Podman credentials, HashiCorp Vault tokens).
- **C2/Exfiltration:** Data sent to `temp[.]sh` and a Tor onion service.
### Detection & Response
- **Discovery:** Researchers identified the anomalous package adoptions and the malicious npm dependency.
- **Response Actions:** Malicious npm packages (`atomic-lockfile`, `js-digest`) were removed; affected AUR packages were reverted by maintainers.
## Attack Methodology
- **Initial Access:** Adoption of orphaned AUR packages; publishing trojanized npm packages.
- **Persistence:** Deploys `systemd` service units.
- **Privilege Escalation:** Exploits root execution (if available) to deploy advanced kits.
- **Defense Evasion:** Use of eBPF-based rootkit to hide processes, files, and network sockets; camouflaging malicious installs among legitimate packages (e.g., `axios`, `chalk`).
- **Credential Access:** Automated harvesting of cloud, CI/CD, and communication platform tokens/secrets.
- **Discovery:** Scans for local configuration files (Docker, Vault, SSH).
- **Lateral Movement:** N/A (Focus is on initial infection and secret theft for external use).
- **Collection:** Automated gathering of browser profiles and secret stores.
- **Exfiltration:** HTTPS POST to file-sharing services and Tor-based C2.
- **Impact:** Compromise of developer workstations and CI/CD pipelines.
## Impact Assessment
- **Financial:** High potential cost via stolen cloud credentials and unauthorized infrastructure access.
- **Data Breach:** High; theft of identity tokens, session cookies, and private internal keys.
- **Operational:** Disruption to Arch Linux users and npm developers; potential downstream compromise of software built on infected CI/CD runners.
- **Reputational:** Moderately high for community-managed repositories (AUR).
## Indicators of Compromise
- **Network:**
  - `POST` requests to `temp[.]sh`
  - Outbound traffic to Tor onion services (`/api/agent` endpoint)
- **File:**
  - `atomic-lockfile` (npm package)
  - `js-digest` (npm package)
  - `/src/hooks/deps` (malicious Linux ELF binary)
- **Behavioral:**
  - npm `preinstall` hooks executing unexpected ELF binaries.
  - Unexpected `systemd` service creation.
  - Loading of eBPF programs that hide processes, files, or network sockets.
## Response Actions
- **Containment:** Removal of `atomic-lockfile` (v1.4.2) and `js-digest` (v4.2.2) from the npm registry.
- **Eradication:** Reversion of 400+ AUR `PKGBUILD` scripts to clean states.
- **Recovery:** Mandatory credential rotation for any developer or CI environment active between June 10–12, 2026.
## Lessons Learned
- **Key Takeaways:** Orphaned packages in community repositories are high-value targets for "reputation hijacking."
- **Institutional Weakness:** The AUR handoff mechanism lacked sufficient vetting for high-volume account activity.
- **Dependency Risk:** Blindly trusting `npm install` during a build process allows for cross-ecosystem contamination (AUR -> npm).
## Recommendations
- **Audit Build Scripts:** Implement linting or static analysis to detect external network calls (e.g., `npm install`) during OS package builds.
- **Monitor Package Handoffs:** Repository maintainers should implement rate-limiting or manual review for users attempting to adopt a large number of orphaned packages.
- **Environment Hardening:** Use ephemeral, network-isolated build environments for CI/CD to prevent secret exfiltration.
- **Secret Management:** Move away from long-lived tokens in favor of short-lived OIDC-based authentication for cloud and GitHub/npm actions.
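One way to implement the handoff-monitoring recommendation above, as an added example (not AUR's own tooling): a sliding-window count of orphan adoptions per account, with a lower threshold for newly created accounts. The audit-log format and the sample lines are constructed for this example.

```python
# Added example (not AUR's own tooling): detection of accounts that adopt many
# orphaned packages in a short window, the pattern behind the 400+ adoptions
# described above. The log format and sample lines are constructed for this
# example; a real deployment would read the repository's own audit trail.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed adoption audit log, ordered by time.
SAMPLE_LOG = """\
2026-06-10T08:00:11Z adopt user=longtime_dev pkg=foo-git account_age_days=1460
2026-06-10T09:14:02Z adopt user=fresh01 pkg=bar-bin account_age_days=1
2026-06-10T09:14:09Z adopt user=fresh01 pkg=baz account_age_days=1
2026-06-10T09:14:15Z adopt user=fresh01 pkg=qux-git account_age_days=1
2026-06-10T09:14:20Z adopt user=fresh01 pkg=quux account_age_days=1
2026-06-10T09:14:27Z adopt user=fresh01 pkg=corge account_age_days=1
2026-06-11T12:30:00Z adopt user=longtime_dev pkg=grault account_age_days=1461
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, package, account age in days)."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["user"], fields["pkg"], int(fields["account_age_days"])


def flag_bulk_adopters(log, window=timedelta(hours=1), limit=10,
                       young_limit=3, young_days=30):
    """Peak adoptions per account within any sliding `window`. An account is
    flagged when its peak exceeds `limit`, or `young_limit` if the account is
    younger than `young_days`. Returns {user: peak_count} for flagged accounts."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    peak, age = {}, {}
    for line in log.splitlines():
        when, user, _pkg, age_days = parse_line(line)
        q = recent[user]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        peak[user] = max(peak.get(user, 0), len(q))
        age[user] = age_days
    return {u: n for u, n in peak.items()
            if n > (young_limit if age[u] < young_days else limit)}
```

On the sample log, `flag_bulk_adopters(SAMPLE_LOG)` flags only `fresh01`, a one-day-old account that adopted five packages in under a minute; the thresholds are assumptions to be tuned against a repository's normal handoff volume.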