Feed
CriticalPublished 11 Jun 2026Updated 21 Jun 20264 packages · 4 versions

Atomic Arch: 400+ AUR packages hijacked to ship npm-delivered Rust stealer with eBPF rootkit

Summary

Sonatype-2026-003775 (2026-06-11) — attackers hijacked 400+ orphaned Arch User Repository packages and rewrote their PKGBUILDs to pull three malicious npm dependencies (atomic-lockfile@1.4.2, js-digest@4.2.2, lockfile-js@1.4.2). Each drops a Rust ELF credential stealer, loads an eBPF rootkit hiding processes/files/sockets when run as root, persists via systemd, and exfiltrates over Tor onion C2.

maintainer-takeoveraccount-takeovercredential-theftinfostealerobfuscationcdn-supply-chain
Detected by
Sonatype · Whanos (community researcher) · Snyk
Also known as
Atomic Arch · AUR rootkit wave · nextfile-js wave 3
Ecosystems
npm
Packages tracked
4

What happened

On 2026-06-11 Sonatype Research disclosed Atomic Arch (Sonatype-2026-003775, CVSS 8.7), a supply-chain campaign in which attackers adopted orphaned packages in the Arch User Repository and used the standard AUR maintainer transfer to push backdoored PKGBUILD / .install scripts. The poisoned build files silently fetch and execute a malicious npm dependency during a normal makepkg, with no separate prompt to the user. The campaign converged across two waves and three npm packages, with multiple AUR accounts that community trackers tie back to a single npm publisher (herbsobering).

Wave 1 — atomic-lockfile (2026-06-09 → 2026-06-11)

The first wave centred on the npm package atomic-lockfile@1.4.2, published 2026-06-10 15:05 UTC. Hijacked AUR packages added npm install atomic-lockfile to their build steps; on install, npm runs the package's preinstall hook, which drops and executes src/hooks/deps — a bundled Rust ELF that independent researcher Whanos reverse-engineered as a developer-workstation credential stealer.

The attacker handles attached to wave 1 were the AUR accounts krisztinavarga and arojas. arojas was a forged identity — the operator used spoofed git author metadata to impersonate the legitimate maintainer's commit history, making the malicious PKGBUILD change look like a routine update from someone the AUR moderators already trusted.

Wave 3 — nextfile-js (2026-06-13 → 2026-06-16)

A third pivot landed the day after wave 2. nextfile-js@1.4.2 was published 2026-06-13 18:52:14 UTC and unpublished 2026-06-16 11:37:10 UTC. Same Rust+eBPF payload family, but the operator switched to shell-obfuscated bun add from /tmp to hide the literal package name from substring-matching scanners that wave 2 had successfully picked off. Community trackers (peq42, Corgea, CSA Labs, Rescana) tie wave 3 back to the same operator and report ansi-colors as an accompanying decoy / co-install — but because legitimate ansi-colors is a widely-used npm package and no clean malicious version pin has been published, this catalogue tracks only the confirmed malicious package (nextfile-js@1.4.2).

By the time wave 3 was fully enumerated, the consolidated AUR-side count climbed to ~1,500 hijacked packages per Rescana's post-incident summary. The wider Wave 1 publisher handle list — krisztinavarga, franziskaweber, tobiaswesterburg, ellenmyklebust, arojas per the lenucksi tracker — is broader than the two AUR accounts originally named in the Sonatype disclosure.

Wave 2 — js-digest, lockfile-js (2026-06-12)

Within 24 hours of Sonatype's disclosure the operator pivoted. js-digest@4.2.2 was published 2026-06-12 10:21 UTC and pulled via bun install from a second tranche of hijacked PKGBUILDs (the switch to Bun bypasses defenders who had reactively blocked atomic-lockfile by npm-package name). lockfile-js@1.4.2 followed at 2026-06-12 13:01 UTC. Both packages were unpublished by npm within ~2 hours each; atomic-lockfile itself was replaced with an npm/security-holder placeholder (0.0.1-security) at 2026-06-12 11:39 UTC.

Wave 2 attacker handles were custodiatovar and veramagalhaes. Community trackers (consolidated at github.com/lenucksi/aur-malware-check) attribute all five AUR accounts to the same operator via shared infrastructure and consistent payload deltas.

Payload — Rust stealer + eBPF rootkit + systemd persistence

Unlike the Bun-JS family used in the Miasma / Mini Shai-Hulud / Hades waves running in parallel, the Atomic Arch payload is a Rust-compiled Linux ELF. Capabilities documented across the lenucksi detection repo, the byteiota write-up, and Sonatype's analysis include:

  • Credential theft: Discord tokens, GitHub Personal Access Tokens, npm publish tokens, Slack session cookies, Microsoft Teams / M365 session material, SSH private keys (~/.ssh/id_*), HashiCorp Vault tokens, Docker / Podman credentials, and browser cookie stores.
  • eBPF rootkit: when the build ran as root (typical for sudo makepkg and many AUR helpers) and the kernel grants CAP_BPF, the implant loads a BPF program that hooks getdents64, read, and the socket family. It hides its own process, on-disk artefacts under /sys/fs/bpf/hidden_*, and active network sockets from ps, ls, ss/netstat, and lsof.
  • Systemd persistence: Restart=always service units are installed in both system (/etc/systemd/system) and user (~/.config/systemd/user) modes, so the implant survives reboot and respawns when killed.
  • Tor + temp.sh exfiltration: the C2 channel resolves to a Tor hidden service. A secondary exfil path POSTs sweep output to the public temp.sh paste host — chosen to blend with normal developer traffic. Operator-controlled container github.com/fardewoak/nodejs-argo was used to stage payloads.
  • Anti-analysis: anti-debugging checks, stealth file paths, and a delayed-execution loop designed to evade short-window CI sandboxing.

Scope

Sonatype's first write-up counted "20+" hijacked AUR packages. Within 24 hours the community master list reached 408; consolidated lists later climbed toward ~1,500 across both waves. The exact AUR package list is maintained in the lenucksi detection repository and the Arch aur-general mailing thread; we do not enumerate AUR packages in the dependency map below because they are not consumed via the npm/PyPI dependency graphs DependencyWatch.io scans. The three malicious npm packages are in scope and are the only versions a lockfile or npm/bun cache will reveal.

Timeline

  • 2026-06-09 — earliest AUR PKGBUILD hijacks observed (community thread reconstructs)
  • 2026-06-10 15:05 UTC — atomic-lockfile@1.4.2 published to npm by herbsobering
  • 2026-06-11 — Sonatype publishes the Atomic Arch disclosure (Sonatype-2026-003775, CVSS 8.7)
  • 2026-06-12 10:21 UTC — js-digest@4.2.2 published to npm (wave 2, Bun delivery path)
  • 2026-06-12 11:39 UTC — atomic-lockfile replaced with 0.0.1-security holding placeholder by npm
  • 2026-06-12 11:53 UTC — js-digest@4.2.2 unpublished by npm
  • 2026-06-12 13:01 UTC — lockfile-js@1.4.2 published to npm
  • 2026-06-12 16:29 UTC — lockfile-js@1.4.2 unpublished by npm
  • 2026-06-12 — BleepingComputer, The Hacker News, Hackread, ByteIota, CyberSecurity News, and Heise republish the disclosure
  • 2026-06-13 18:52 UTC — nextfile-js@1.4.2 published to npm (wave 3, shell-obfuscated bun add from /tmp)
  • 2026-06-14 — Corgea, CSA Labs research note, and peq42 wave-3 write-up published
  • 2026-06-16 11:37 UTC — nextfile-js@1.4.2 unpublished by npm
  • 2026-06-21 — Rescana post-incident summary confirms ~1,500 AUR packages compromised across all three waves

No CVE / GHSA / OSV entry covered the wave at time of cataloguing — Sonatype-2026-003775 is the only registry-level identifier so far, with each malicious npm package independently flagged by Snyk's vulnerability database as Critical / Malicious. Distinct from the parallel TeamPCP / Mini Shai-Hulud / Miasma / Hades clusters: this campaign's payload is Rust (not Bun-bundled JS), targets browser cookies and Discord/Slack/Teams session material as primary loot (not cloud credentials), and uses an eBPF rootkit for stealth (not seen in TeamPCP waves apart from JFrog's 2026-06-04 IronWorm disclosure).

Affected packages (4)

  • npmatomic-lockfile
    1.4.2
  • npmjs-digest
    4.2.2
  • npmlockfile-js
    1.4.2
  • npmnextfile-js
    1.4.2

Impact

  • AUR PKGBUILD / .install script silently runs npm install atomic-lockfile (or bun install js-digest / lockfile-js in wave 2) during a normal makepkg — no warning, no separate confirmation prompt
  • On install, atomic-lockfile@1.4.2 executes a preinstall hook that drops and runs src/hooks/deps, a bundled Rust ELF infostealer aimed at developer workstations and CI runners
  • Stealer harvests Discord tokens, GitHub PATs, npm publish tokens, Slack and Teams/M365 session cookies, SSH private keys, HashiCorp Vault tokens, Docker/Podman credentials, and browser cookie stores
  • eBPF kernel rootkit — installed when the build ran as root with CAP_BPF — hides the malicious process, files on disk, and socket inodes from ps, ls, ss/netstat, and lsof
  • Systemd persistence: Restart=always units installed in both root and user-mode so the implant survives reboot and respawns if killed
  • Tor onion C2 + temp.sh exfiltration channel — perimeter NetFlow / DNS logging cannot resolve the operator endpoint, and outbound to a public paste host blends with developer traffic
  • Wave 2 (2026-06-12) switches from npm install to bun install and adds new attacker accounts — defenders who only block npm see the second wave land
  • Estimated ~1,500 AUR packages compromised across all waves; community trackers cataloged 408 confirmed in the first 24 hours

What to do

  1. 1On any Arch / Manjaro / EndeavourOS / CachyOS host that ran makepkg or yay -S / paru -S against an AUR package between 2026-06-09 and 2026-06-12: assume kernel-level compromise. The eBPF rootkit hides the malware from standard tooling — re-image from trusted Arch ISO rather than attempt in-place cleanup
  2. 2Block / remove any installed copy of atomic-lockfile, js-digest, or lockfile-js from npm / bun caches and node_modules trees; npm replaced atomic-lockfile with a 0.0.1-security holding entry on 2026-06-12 and unpublished the other two
  3. 3Rotate from a known-clean host: Discord tokens, GitHub PATs and SSH keys, npm publish tokens, Slack sessions, Teams / M365 sessions, HashiCorp Vault tokens, Docker / Podman credentials, browser cookies, and anything in ~/.ssh or ~/.config the affected host could read
  4. 4Hunt for the eBPF rootkit artefacts before declaring a host clean: ls -la /sys/fs/bpf/hidden_*, bpftool prog list, and find /etc/systemd -newer /etc/machine-id -name "*.service" for unexpected Restart=always units
  5. 5Audit AUR helpers for unverified PKGBUILD changes — yay / paru show a diff before build; do not blanket-accept on previously-trusted package adoptions, especially when the package status flipped from orphaned to maintained in the last week
  6. 6Cross-check installed AUR packages against the community detection script at github.com/lenucksi/aur-malware-check before clearing any system as unaffected

References

npm-2026-06-11-atomic-arch-aur-hijack