Attack Chain

1. Initial Access & AUR Compromise: Threat actors identify and gain stewardship of legitimate, but orphaned, packages within the Arch User Repository (AUR).
2. PKGBUILD Modification: The attackers modify the adopted AUR packages' PKGBUILD files to include a post-install script that executes package manager commands.
3. Malicious Dependency Installation: When a user installs or updates a compromised AUR package, the modified PKGBUILD triggers commands like npm install atomic-lockfile minimist chalk (or Bun equivalent) to retrieve and install malicious dependencies.
4. Native Payload Execution: The installed malicious npm/Bun dependency (e.g., atomic-lockfile) contains a package.json preinstall script that executes a bundled native Linux executable.
5. Rootkit Deployment & Stealth: The native Linux executable loads an eBPF program (e.g., scales.bpf.c) using libbpf APIs (bpf_object__load, bpf_program__attach, bpf_map__pin), enabling advanced process, file, and network hiding (rootkit functionality). It also implements anti-debugging techniques (PTRACE_ATTACH, PTRACE_SEIZE).
6. Credential & Data Harvesting: The deployed payload actively searches for and collects sensitive information, including GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, and data from messaging applications like Slack, Discord, Microsoft Teams, and Telegram.
7. Data Exfiltration: The harvested data is compressed and exfiltrated to attacker-controlled infrastructure via HTTP POST requests, specifically targeting endpoints such as /upload.

Impact

The Atomic Arch campaign has a severe impact on developer systems, treating affected hosts as fully compromised. The primary objective is extensive credential and sensitive data harvesting, which could lead to further unauthorized access to developer accounts, source code repositories, cloud infrastructure, and internal systems. The use of eBPF provides deep system stealth, making detection and removal challenging, potentially leading to long-term persistence. With an estimated 1,500 packages affected across multiple waves, this campaign represents a significant supply chain attack that erodes trust in public package repositories, exposing a wide range of organizations using Arch Linux and these packages to sophisticated Linux malware.

Recommendation

• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious package installations and payload execution.
• Monitor process_creation logs for suspicious npm or bun commands installing known malicious packages like atomic-lockfile, js-digest, or lockfile-js, as detailed in the rule "Detect Atomic Arch Malicious npm/Bun Package Installation".
• Monitor process_creation logs for unusual executable launches from temporary or node_modules directories as a child of npm or bun, as described in the rule "Detect Suspicious Executable Launched by Package Manager".
• Enable and monitor network_connection logs for outbound HTTP POST requests to suspicious paths like /upload from unusual or non-browser processes, as outlined in the rule "Detect Potential Exfiltration via HTTP POST /upload".
• Review any Arch User Repository (AUR) packages installed within your environment, particularly those adopted around June 2026, for modified PKGBUILD files.