{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/arch-linux/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Arch User Repository","npm","Bun"],"_cs_severities":["critical"],"_cs_tags":["supply-chain-attack","npm","bun","linux","malware","credential-harvesting","eBPF","rootkit","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Arch Linux"],"content_html":"\u003cp\u003eSonatype researchers uncovered the Atomic Arch campaign, which began on June 11, 2026, targeting orphaned packages within the Arch User Repository (AUR). Threat actors are exploiting the AUR's stewardship process by adopting abandoned projects and subsequently modifying their PKGBUILD instructions. These modifications introduce a post-install script designed to install malicious npm packages, such as \u003ccode\u003eatomic-lockfile\u003c/code\u003e, \u003ccode\u003ejs-digest\u003c/code\u003e, and \u003ccode\u003elockfile-js\u003c/code\u003e. A second wave observed on June 12, 2026, also leveraged Bun-based installation paths. The installation of these malicious dependencies triggers the deployment of a sophisticated native Linux executable. This payload is engineered for credential harvesting (targeting GitHub, SSH, Vault, browser data, chat applications), employs eBPF for deep system stealth and privilege escalation, includes anti-debugging features, and possesses HTTP upload functionality for data exfiltration. The campaign is estimated to have affected approximately 1,500 packages, posing a significant supply chain risk where attackers inherit developer trust.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access \u0026amp; AUR Compromise\u003c/strong\u003e: Threat actors identify and gain stewardship of legitimate, but orphaned, packages within the Arch User Repository (AUR).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePKGBUILD Modification\u003c/strong\u003e: The attackers modify the adopted AUR packages' \u003ccode\u003ePKGBUILD\u003c/code\u003e files to include a post-install script that executes package manager commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Dependency Installation\u003c/strong\u003e: When a user installs or updates a compromised AUR package, the modified \u003ccode\u003ePKGBUILD\u003c/code\u003e triggers commands like \u003ccode\u003enpm install atomic-lockfile minimist chalk\u003c/code\u003e (or Bun equivalent) to retrieve and install malicious dependencies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNative Payload Execution\u003c/strong\u003e: The installed malicious npm/Bun dependency (e.g., \u003ccode\u003eatomic-lockfile\u003c/code\u003e) contains a \u003ccode\u003epackage.json\u003c/code\u003e \u003ccode\u003epreinstall\u003c/code\u003e script that executes a bundled native Linux executable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRootkit Deployment \u0026amp; Stealth\u003c/strong\u003e: The native Linux executable loads an eBPF program (e.g., \u003ccode\u003escales.bpf.c\u003c/code\u003e) using \u003ccode\u003elibbpf\u003c/code\u003e APIs (\u003ccode\u003ebpf_object__load\u003c/code\u003e, \u003ccode\u003ebpf_program__attach\u003c/code\u003e, \u003ccode\u003ebpf_map__pin\u003c/code\u003e), enabling advanced process, file, and network hiding (rootkit functionality). It also implements anti-debugging techniques (\u003ccode\u003ePTRACE_ATTACH\u003c/code\u003e, \u003ccode\u003ePTRACE_SEIZE\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential \u0026amp; Data Harvesting\u003c/strong\u003e: The deployed payload actively searches for and collects sensitive information, including GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, and data from messaging applications like Slack, Discord, Microsoft Teams, and Telegram.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The harvested data is compressed and exfiltrated to attacker-controlled infrastructure via HTTP POST requests, specifically targeting endpoints such as \u003ccode\u003e/upload\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Atomic Arch campaign has a severe impact on developer systems, treating affected hosts as fully compromised. The primary objective is extensive credential and sensitive data harvesting, which could lead to further unauthorized access to developer accounts, source code repositories, cloud infrastructure, and internal systems. The use of eBPF provides deep system stealth, making detection and removal challenging, potentially leading to long-term persistence. With an estimated 1,500 packages affected across multiple waves, this campaign represents a significant supply chain attack that erodes trust in public package repositories, exposing a wide range of organizations using Arch Linux and these packages to sophisticated Linux malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious package installations and payload execution.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs for suspicious \u003ccode\u003enpm\u003c/code\u003e or \u003ccode\u003ebun\u003c/code\u003e commands installing known malicious packages like \u003ccode\u003eatomic-lockfile\u003c/code\u003e, \u003ccode\u003ejs-digest\u003c/code\u003e, or \u003ccode\u003elockfile-js\u003c/code\u003e, as detailed in the rule \u0026quot;Detect Atomic Arch Malicious npm/Bun Package Installation\u0026quot;.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs for unusual executable launches from temporary or \u003ccode\u003enode_modules\u003c/code\u003e directories as a child of \u003ccode\u003enpm\u003c/code\u003e or \u003ccode\u003ebun\u003c/code\u003e, as described in the rule \u0026quot;Detect Suspicious Executable Launched by Package Manager\u0026quot;.\u003c/li\u003e\n\u003cli\u003eEnable and monitor \u003ccode\u003enetwork_connection\u003c/code\u003e logs for outbound HTTP POST requests to suspicious paths like \u003ccode\u003e/upload\u003c/code\u003e from unusual or non-browser processes, as outlined in the rule \u0026quot;Detect Potential Exfiltration via HTTP POST /upload\u0026quot;.\u003c/li\u003e\n\u003cli\u003eReview any Arch User Repository (AUR) packages installed within your environment, particularly those adopted around June 2026, for modified \u003ccode\u003ePKGBUILD\u003c/code\u003e files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-14T09:00:24Z","date_published":"2026-06-14T09:00:24Z","id":"https://feed.craftedsignal.io/briefs/2026-06-atomic-arch-npm-campaign/","summary":"The Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile,' which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.","title":"Atomic Arch Campaign Leverages Orphaned AUR Packages for Linux Payload Deployment","url":"https://feed.craftedsignal.io/briefs/2026-06-atomic-arch-npm-campaign/"}],"language":"en","title":"CraftedSignal Threat Feed - Arch Linux","version":"https://jsonfeed.org/version/1.1"}