Atomic Arch AUR Supply Chain Attack: 1 decision on this page
Audit log
Every state-changing event for Atomic Arch AUR Supply Chain Attack: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-15 23:08:24Z. Score: ? → ? (no score change). Anchored.
  - chain: mainnet-beta, slot 426,730,977
  - sig: 3LnaFE4ZooRM…W3hbmJ8N
  - hash: AD7FLSxJcbPQ…LX8QcGtC (sha256 → base58)
  - canonical bytes (22009 B):
{"actor":"system:backfill","investigation_id":"c1a5769c-7ec8-42a8-afca-9bc2c2f72941","kind":"publish","page_slug":"atomic-arch-aur-supply-chain-attack","published_at":"2026-06-15T23:08:24.186Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Atomic Arch AUR Supply Chain Attack","sections":[{"content":"The campaign dubbed Atomic Arch was identified by Sonatype researchers on June 11, 2026. Threat actors exploited the AUR's orphan-adoption governance feature, which allows any registered user to claim unmaintained packages and assume maintainership. Attackers systematically identified abandoned AUR packages with established user bases, filed standard ownership transfer requests, and — once control was granted — modified the PKGBUILD build scripts that AUR helper tools such as yay and paru execute during package installation. Rather than embedding malware in the AUR packages themselves, attackers injected a single malicious npm install call into each PKGBUILD, directing victim machines to pull malicious packages from the public npm registry during the build step. This indirection kept the PKGBUILD modifications superficially small and delayed automated detection. 
The technique was described by Sonatype engineer Eyad Hasan as attackers 'acquiring projects that had already earned' community trust rather than building credibility from scratch.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"Sonatype: Atomic Arch — Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malware","type":"research","url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"credibility":2,"name":"Privacy Guides: Around 1,500 AUR Packages Compromised with Rootkit-Like Malware","type":"news_article","url":"https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/"},{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"}]},{"content":"Initial disclosure on June 11, 2026 identified approximately 408 compromised AUR packages (tracked as Sonatype-2026-003775, CVSS 8.7). A second wave, using Bun-based installation paths in addition to npm, emerged on June 12, 2026 (tracked as Sonatype-2026-003808), driving the total to an estimated 1,500+ packages by that date. Community detection tools consolidated approximately 588 confirmed entries in early lists, while later reporting cited figures exceeding 900 and then 1,500. Privacy Guides described the incident as 'one of the largest attacks against the AUR of all time.' Compromised packages spanned multiple categories including development tools (premake-git), multimedia utilities, gaming applications (alvr, a VR streaming app), system utilities, and packages related to monero-wallet-gui. 
Arch Linux temporarily suspended new AUR account sign-ups in response to the volume of malicious submissions.","heading":"Scale and Scope","severity":"critical","sources":[{"credibility":2,"name":"CSA Lab Space: Atomic Arch — AUR Supply Chain Attack Deploys eBPF Rootkit","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":2,"name":"Privacy Guides: Around 1,500 AUR Packages Compromised","type":"news_article","url":"https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/"},{"credibility":2,"name":"CyberSec Guru: Atomic Arch — 900+ AUR Packages Backdoored with eBPF Rootkit","type":"news_article","url":"https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/"},{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"}]},{"content":"Three malicious npm packages formed the core delivery mechanism: atomic-lockfile, js-digest, and lockfile-js. In the first wave, compromised PKGBUILDs called 'npm install atomic-lockfile minimist chalk'. In the second wave, attackers substituted 'bun install js-digest'. Attackers also spoofed git commit metadata on the AUR packages to make changes appear routine. The atomic-lockfile package contained a Rust-compiled Linux ELF executable named 'deps' (SHA-256: 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b). 
The preinstall hook in the npm package executed this binary automatically on the victim system during the package installation step, without any further user interaction.","heading":"Malicious npm Packages","severity":"critical","sources":[{"credibility":2,"name":"Sonatype: Atomic Arch","type":"research","url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"}]},{"content":"The Rust-based infostealer payload ('deps') was designed to harvest a broad set of developer credentials and secrets. Confirmed target categories include: browser passwords and session cookies (Chrome, Edge, Brave, Chromium, Firefox); SSH private keys and known_hosts files; GitHub and npm access tokens; Docker and Podman credentials; HashiCorp Vault secrets; cloud provider access credentials for AWS, GCP, and Azure; OpenAI bearer tokens; Slack, Discord, and Microsoft Teams session tokens; and VPN profiles. The malware also targeted shell history files and local developer secrets. Shell histories can expose previously-typed secrets, API keys, and internal hostnames. Security researchers noted that any CI/CD self-hosted runner based on Arch Linux that installed AUR packages would be directly exposed, with stolen GitHub tokens and cloud keys enabling lateral movement into production pipelines. 
The binary contained anti-analysis measures including debugger detection via PTRACE_ATTACH/PTRACE_SEIZE.","heading":"Infostealer Payload and Credential Targets","severity":"critical","sources":[{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":2,"name":"StepSecurity: 400+ AUR Packages Hijacked — What the Atomic Arch Campaign Means for Supply-Chain Security","type":"research","url":"https://www.stepsecurity.io/blog/400-aur-packages-hijacked-atomic-arch-campaign"},{"credibility":3,"name":"Breached.Company: Atomic Arch — Poisoned AUR Spreads Rust Infostealer and eBPF Rootkit","type":"news_article","url":"https://breached.company/atomic-arch-aur-supply-chain-attack-rootkit-infostealer-2026/"}]},{"content":"The attack posed a direct threat to cryptocurrency developers and users running Arch Linux. The infostealer harvested local cryptocurrency wallet files and data stored by wallet applications. Researchers identified a reference within the malware binary to /usr/bin/monero-wallet-gui, suggesting a planned second-stage Monero cryptomining deployment on machines where it was viable. Packages related to monero-wallet-gui were among the confirmed compromised packages. Crypto developers are additionally at heightened risk from the credential-harvesting dimension: stolen GitHub tokens, cloud credentials, and SSH keys can enable attackers to access code repositories housing private keys, wallet seed phrases, or smart contract deployment credentials. 
SafeDep's threat intelligence report assessed the crypto-targeting dimension as part of a broader pattern of financially-motivated attacks against developer toolchains.","heading":"Cryptocurrency Wallet and Asset Targeting","severity":"critical","sources":[{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"},{"credibility":2,"name":"Sonatype: Atomic Arch","type":"research","url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"credibility":2,"name":"CyberSec Guru: Atomic Arch — 900+ AUR Packages Backdoored with eBPF Rootkit","type":"news_article","url":"https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/"}]},{"content":"On systems where the malware achieved root-level execution, it deployed an extended Berkeley Packet Filter (eBPF) rootkit. The rootkit hooked the getdents64() system call kernel function, filtering directory listing results before they returned to user space. Three BPF maps were pinned at /sys/fs/bpf/ to provide concealment: hidden_pids (suppressed process IDs from ps and similar tools), hidden_names (removed filenames from directory listings), and hidden_inodes (hid files by inode number). The rootkit loaded a BPF object file identified as scales.bpf.c. This design rendered standard forensic investigation tools — ls, ps, find — unreliable on compromised systems, and potentially interfered with eBPF-based endpoint detection and response (EDR) solutions that rely on the same kernel infrastructure for visibility. 
The rootkit also established systemd service unit persistence with Restart=always, placed at /etc/systemd/system/ for root-level installs or ~/.config/systemd/user/ for non-root installs.","heading":"eBPF Rootkit Component","severity":"critical","sources":[{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"},{"credibility":3,"name":"Breached.Company: Atomic Arch — Poisoned AUR Spreads Rust Infostealer and eBPF Rootkit","type":"news_article","url":"https://breached.company/atomic-arch-aur-supply-chain-attack-rootkit-infostealer-2026/"}]},{"content":"Exfiltrated data was transmitted to two destinations. The primary channel was a Tor hidden service at the onion address olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion, accessed via a loopback Tor proxy to avoid direct network indicators. A fallback channel used HTTP uploads to temp.sh, a legitimate temporary file-sharing service, which may blend into normal network traffic. DNS monitoring is insufficient to detect the Tor channel, as onion address resolution never touches public DNS. 
Network defenders were advised to monitor TCP connections to known Tor guard node IP addresses using the Tor Project's consensus or the dan.me.uk/torlist blocklist.","heading":"Command and Control Infrastructure","severity":"critical","sources":[{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"},{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"}]},{"content":"No definitive threat actor attribution has been publicly confirmed. Sonatype noted that the use of an npm preinstall script to execute an embedded binary is similar to the atomic-notes package observed in a prior campaign called IronWorm, but Sonatype has not confirmed the two campaigns are linked. SafeDep assessed with 'HIGH confidence' that Atomic Arch is attributed to the same operator as IronWorm based on shared Rust-async toolkit components and Tor tradecraft, though this assessment has not been independently corroborated by other research organizations as of the time of this writing. No nation-state attribution has been made. The Atomic Arch campaign name was coined by Sonatype.","heading":"Attribution","severity":"medium","sources":[{"credibility":2,"name":"Sonatype: Atomic Arch","type":"research","url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"}]},{"content":"The primary affected population is users of Arch Linux and its derivatives, including EndeavourOS and Manjaro, who install packages via AUR helpers such as yay or paru. Developers running Arch Linux under WSL2 on Windows are also potentially affected. 
Self-hosted CI/CD runners based on Arch Linux that use AUR packages face direct exposure, as do macOS developers using analogous community package repositories such as Homebrew, which faces structurally similar orphan-adoption risks. The attack's credential-harvesting scope means that any individual or organization whose developers used an affected system should treat all secrets accessible from that machine as potentially compromised, regardless of the operating system used on downstream systems.","heading":"Affected Platforms and Users at Risk","severity":"high","sources":[{"credibility":2,"name":"StepSecurity: 400+ AUR Packages Hijacked","type":"research","url":"https://www.stepsecurity.io/blog/400-aur-packages-hijacked-atomic-arch-campaign"},{"credibility":2,"name":"CybersecurityNews: 400+ Arch Linux AUR Packages Compromised","type":"news_article","url":"https://cybersecuritynews.com/arch-linux-aur-packages-compromised/"}]},{"content":"Researchers identified three structural weaknesses in the AUR governance model exploited by this campaign. First, there is no cryptographic binding between a package's identity and its current maintainer; ownership transfers are administrative, not cryptographically signed. Second, the AUR build process necessarily executes arbitrary code on users' systems — the PKGBUILD mechanism is by design a general-purpose script — and no sandbox or content security policy constrains what that code may do. Third, the volume of AUR packages (over 85,000) exceeds what any security team can continuously audit. The campaign represents what researchers characterized as a qualitative escalation: rather than targeting individual packages opportunistically, the threat actor operationalized the orphan-adoption workflow at scale. Similar structural risks exist across PyPI, npm, and RubyGems. 
The eBPF dimension raises additional systemic concerns: as security tools increasingly rely on eBPF for kernel-level monitoring, adversarial eBPF programs loaded at higher privilege could compromise the fidelity of those detection systems.","heading":"Structural Vulnerabilities in the AUR Trust Model","severity":"high","sources":[{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":2,"name":"Privacy Guides: Around 1,500 AUR Packages Compromised","type":"news_article","url":"https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/"}]},{"content":"Community researcher lenucksi published an open-source detection tool, aur-malware-check (github.com/lenucksi/aur-malware-check), providing three-dimensional scanning: cross-referencing installed packages against known-compromised lists, scanning pacman.log for installations occurring June 9-12, 2026, and checking for rootkit artifacts and suspicious systemd services. Security researchers advised that systems where the malware achieved root execution should be treated as fully compromised and rebuilt from trusted installation media. Memory images should be collected for forensic preservation before wiping. On systems with root exposure, standard file-system tools cannot be trusted due to the eBPF rootkit's getdents64 hook. All credentials accessible from affected systems should be rotated immediately, including GitHub tokens, npm credentials, AWS/GCP/Azure keys, SSH keys, HashiCorp Vault tokens, Docker credentials, and VPN profiles. 
Short-term mitigations include mandating manual PKGBUILD review before AUR installations, reviewing for unexpected package manager calls (npm, bun, pip, curl, wget) in PKGBUILDs, restricting AUR to allowlists of internally-reviewed packages, and monitoring for network connections to Tor guard nodes.","heading":"Detection and Remediation","severity":"high","sources":[{"credibility":2,"name":"CSA Lab Space: Atomic Arch eBPF Rootkit Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":3,"name":"GitHub: lenucksi/aur-malware-check — Detection tools for the June 2026 AUR supply chain attack","type":"community_report","url":"https://github.com/lenucksi/aur-malware-check"},{"credibility":2,"name":"StepSecurity: 400+ AUR Packages Hijacked","type":"research","url":"https://www.stepsecurity.io/blog/400-aur-packages-hijacked-atomic-arch-campaign"}]}],"sources_used":[{"credibility":2,"name":"Sonatype: Atomic Arch — Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malware","type":"research","url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"credibility":2,"name":"SafeDep Threat Intelligence: Atomic Arch Campaign","type":"research","url":"https://safedep.io/ti/campaigns/atomic-arch/"},{"credibility":2,"name":"Cloud Security Alliance Lab Space: Atomic Arch — AUR Supply Chain Attack Deploys eBPF Rootkit","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"credibility":2,"name":"Privacy Guides: Around 1,500 AUR Packages Compromised with Rootkit-Like Malware","type":"news_article","url":"https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/"},{"credibility":2,"name":"StepSecurity: 400+ AUR Packages Hijacked — What the Atomic Arch Campaign Means for Supply-Chain 
Security","type":"research","url":"https://www.stepsecurity.io/blog/400-aur-packages-hijacked-atomic-arch-campaign"},{"credibility":2,"name":"CybersecurityNews: 400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers","type":"news_article","url":"https://cybersecuritynews.com/arch-linux-aur-packages-compromised/"},{"credibility":2,"name":"The CyberSec Guru: Atomic Arch — 900+ AUR Packages Backdoored with eBPF Rootkit","type":"news_article","url":"https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/"},{"credibility":3,"name":"Breached.Company: Atomic Arch — Poisoned AUR Spreads Rust Infostealer and eBPF Rootkit","type":"news_article","url":"https://breached.company/atomic-arch-aur-supply-chain-attack-rootkit-infostealer-2026/"},{"credibility":3,"name":"GitHub: lenucksi/aur-malware-check — Detection tools for the June 2026 AUR supply chain attack","type":"community_report","url":"https://github.com/lenucksi/aur-malware-check"},{"credibility":2,"name":"WebProNews: Arch Linux AUR Supply Chain Attack Hits 400 Packages with Malware","type":"news_article","url":"https://www.webpronews.com/arch-linux-aur-supply-chain-attack-hits-400-packages-with-malware/"}],"summary":"Atomic Arch is a large-scale software supply chain attack disclosed on June 11, 2026, in which threat actors systematically adopted orphaned packages in the Arch User Repository (AUR) and modified their PKGBUILD build scripts to silently install malicious npm packages. The malicious packages deployed a Rust-based credential infostealer and an eBPF kernel rootkit targeting developer secrets, cloud credentials, and cryptocurrency wallet data. 
Within 24 hours of initial disclosure, the compromised package count escalated from roughly 408 to an estimated 1,500+, making this one of the largest AUR incidents on record.","timeline":[{"date":"2026-06-09","event":"Earliest suspected installation dates for compromised packages, based on pacman.log forensic windows identified by community researchers.","source":"CSA Lab Space","source_url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"},{"date":"2026-06-11","event":"Sonatype researchers identify and disclose the Atomic Arch campaign. Initial count of approximately 408 compromised AUR packages. Malicious npm packages atomic-lockfile and js-digest identified. Sonatype advisory Sonatype-2026-003775 issued (CVSS 8.7).","source":"Sonatype","source_url":"https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"},{"date":"2026-06-12","event":"Second wave of compromised packages identified using Bun-based installation paths alongside npm. Estimated total compromised packages rises to approximately 1,500. Privacy Guides publishes advisory describing the incident as one of the largest AUR attacks on record. Arch Linux temporarily suspends new AUR account registrations. Sonatype-2026-003808 issued for second wave.","source":"Privacy Guides / Sonatype","source_url":"https://www.privacyguides.org/news/2026/06/12/around-1-500-aur-packages-compromised-with-rootkit-like-malware/"},{"date":"2026-06-13","event":"Multiple security news outlets publish coverage. WebProNews, CybersecurityNews, Eastern Herald, and others report on the campaign. 
Community detection tool aur-malware-check published on GitHub by lenucksi.","source":"CybersecurityNews / GitHub","source_url":"https://cybersecuritynews.com/arch-linux-aur-packages-compromised/"},{"date":"2026-06-14","event":"Cloud Security Alliance (CSA) Lab Space publishes detailed research note on the eBPF rootkit component, including BPF map structure, persistence mechanisms, and network detection guidance.","source":"Cloud Security Alliance","source_url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-aur-supply-chain-ebpf-rootkit-20260614-csa/"}]},"v":1}

Verify offline (run on your own machine): python -m src.verify_decision f72fa5f3-b46a-488d-b141-4ee265e814b6
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
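The row integrity check described above, as an added example that is not avoid.net's own verifier code: it recomputes SHA-256 over the canonical bytes, base58-encodes the digest the way the "sha256 → base58" label implies, and compares the result with the stored hash. The base58 alphabet (the Bitcoin/Solana one) and the use of the raw 32-byte digest with no checksum or prefix are assumptions; the sample row is constructed here and is not the 22009-byte record from this page, so its hash does not match the one shown above.

```python
import hashlib
import hmac

# Bitcoin/Solana base58 alphabet (no 0, O, I, l). Assumption: this is the
# alphabet behind the page's "sha256 -> base58" hash encoding.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def row_hash(canonical: bytes) -> str:
    """Assumed hash format: base58 of the raw SHA-256 digest of the canonical bytes."""
    return base58_encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Return True only if the stored hash decodes to exactly the SHA-256 of the bytes.

    Comparison is done on the decoded digest, so a stored value with a malformed
    alphabet or wrong length fails closed instead of raising into the caller.
    """
    try:
        expected = base58_decode(stored_hash)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.sha256(canonical).digest(), expected)


# Constructed sample row (not the real 22009-byte record from the page).
SAMPLE_ROW = (
    b'{"actor":"system:backfill","kind":"publish",'
    b'"page_slug":"atomic-arch-aur-supply-chain-attack","sequence_num":1,"v":1}'
)

if __name__ == "__main__":
    stored = row_hash(SAMPLE_ROW)
    print("stored hash:", stored)
    print("row intact :", verify_row(SAMPLE_ROW, stored))
    # A single trailing byte changes the digest, so the check fails.
    print("tampered   :", verify_row(SAMPLE_ROW + b"\n", stored))
```

To check a real row, feed the verifier the canonical bytes exactly as the page serves them (no re-serialization or whitespace changes, since the hash covers the bytes, not the JSON value) together with the hash string displayed for that row.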