Atomic Arch AUR Supply Chain Attack

avoid.net/atomic-arch-aur-supply-chain-attack
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

Atomic Arch is a large-scale software supply chain attack disclosed on June 11, 2026, in which threat actors systematically adopted orphaned packages in the Arch User Repository (AUR) and modified their PKGBUILD build scripts to silently install malicious npm packages. The malicious packages deployed a Rust-based credential infostealer and an eBPF kernel rootkit targeting developer secrets, cloud credentials, and cryptocurrency wallet data. Within 24 hours of initial disclosure, the compromised package count escalated from roughly 408 to an estimated 1,500+, making this one of the largest AUR incidents on record.

Connected Entities

1 entity · 10 linked investigations
Organizations
Atomic Arch AUR Supply Chain Attack
Timeline (5 events)

2026-06-09

Earliest suspected installation dates for compromised packages, based on pacman.log forensic windows identified by community researchers.

CSA Lab Space

2026-06-11

Sonatype researchers identify and disclose the Atomic Arch campaign. Initial count of approximately 408 compromised AUR packages. Malicious npm packages atomic-lockfile and js-digest identified. Sonatype advisory Sonatype-2026-003775 issued (CVSS 8.7).

Sonatype

2026-06-12

Second wave of compromised packages identified using Bun-based installation paths alongside npm. Estimated total compromised packages rises to approximately 1,500. Privacy Guides publishes advisory describing the incident as one of the largest AUR attacks on record. Arch Linux temporarily suspends new AUR account registrations. Sonatype-2026-003808 issued for second wave.

Privacy Guides / Sonatype

2026-06-13

Multiple security news outlets publish coverage. WebProNews, CybersecurityNews, Eastern Herald, and others report on the campaign. Community detection tool aur-malware-check published on GitHub by lenucksi.

CybersecurityNews / GitHub

2026-06-14

Cloud Security Alliance (CSA) Lab Space publishes detailed research note on the eBPF rootkit component, including BPF map structure, persistence mechanisms, and network detection guidance.

Cloud Security Alliance
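
As an added example (not code from this page, from Sonatype, or from the aur-malware-check project), the following Python implements two checks the summary and timeline imply for a defender: flagging npm or Bun invocations inside PKGBUILD function bodies, and listing the packages that pacman.log shows as installed or upgraded within a date window. The PKGBUILD and log lines are constructed samples, the package names example-tool, other-aur-pkg, harmless and later-pkg and the timestamps are illustrative, and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Build-time package-manager calls that pull code over the network (npm and Bun, the two paths the timeline names).
_FETCH_RE = re.compile(r"\b(?:npm\s+(?:i|install|ci|exec)|npx|bun\s+(?:add|install|x)|bunx)\b")
_FUNC_RE = re.compile(r"^\s*(prepare|build|package|check)\s*\(\)\s*\{")
_LOG_RE = re.compile(r"^\[(\S+)\] \[ALPM\] (installed|upgraded|reinstalled) (\S+) ")

def find_build_time_fetches(pkgbuild: str) -> list[tuple[int, str, str]]:
    """(line_no, function, line) for each npm/Bun call inside a PKGBUILD function body."""
    hits, func = [], None
    for no, raw in enumerate(pkgbuild.splitlines(), 1):
        line = raw.split("#", 1)[0]          # ignore shell comments
        if m := _FUNC_RE.match(line):
            func = m.group(1)
        elif line.strip() == "}":            # end of a top-level function
            func = None
        if func and _FETCH_RE.search(line):
            hits.append((no, func, line.strip()))
    return hits

def packages_touched_between(pacman_log: str, start: str, end: str) -> list[str]:
    """Packages installed/upgraded in pacman.log within [start, end] (ISO 8601, UTC)."""
    lo = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    hi = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    names = []
    for line in pacman_log.splitlines():
        m = _LOG_RE.match(line)
        if m and lo <= datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z") <= hi:
            names.append(m.group(3))
    return names

# Constructed sample inputs; the package names and dates are illustrative only.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
build() {
  npm install atomic-lockfile >/dev/null 2>&1
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
"""
SAMPLE_PACMAN_LOG = """\
[2026-06-08T10:00:01+0000] [ALPM] installed harmless (2.0-1)
[2026-06-10T08:12:33+0000] [ALPM] installed example-tool (1.0.0-1)
[2026-06-11T19:45:10+0000] [ALPM] upgraded other-aur-pkg (1.1-1 -> 1.2-1)
[2026-06-13T07:00:00+0000] [ALPM] installed later-pkg (0.1-1)
"""
if __name__ == "__main__":
    print(find_build_time_fetches(SAMPLE_PKGBUILD))
    print(packages_touched_between(SAMPLE_PACMAN_LOG, "2026-06-09T00:00:00", "2026-06-12T23:59:59"))
```

On a real system, run the first function over each PKGBUILD in the local AUR build directory and the second over /var/log/pacman.log with the forensic window from the timeline, then review the intersection by hand.
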
Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 6/15/2026, 11:08:16 PM

last updated: 6/15/2026, 11:08:24 PM
