Atomic Arch: 400+ AUR packages hijacked to ship npm-delivered Rust stealer with eBPF rootkit
Sonatype-2026-003775 (2026-06-11) — attackers hijacked 400+ orphaned Arch User Repository packages and rewrote their PKGBUILDs to pull three malicious npm dependencies (atomic-lockfile@1.4.2, js-digest@4.2.2, lockfile-js@1.4.2). Each drops a Rust ELF credential stealer, loads an eBPF rootkit hiding processes/files/sockets when run as root, persists via systemd, and exfiltrates over Tor onion C2.
- Detected by
- Sonatype · Whanos (community researcher) · Snyk
- Also known as
- Atomic Arch · AUR rootkit wave · nextfile-js wave 3
- Ecosystems
- npm
- Packages tracked
- 4
What happened
On 2026-06-11 Sonatype Research disclosed Atomic Arch (Sonatype-2026-003775, CVSS 8.7), a supply-chain campaign in which attackers adopted orphaned packages in the Arch User Repository and used the standard AUR maintainer transfer to push backdoored PKGBUILD / .install scripts. The poisoned build files silently fetch and execute a malicious npm dependency during a normal makepkg, with no separate prompt to the user. The campaign converged across two waves and three npm packages, with multiple AUR accounts that community trackers tie back to a single npm publisher (herbsobering).
Wave 1 — atomic-lockfile (2026-06-09 → 2026-06-11)
The first wave centred on the npm package atomic-lockfile@1.4.2, published 2026-06-10 15:05 UTC. Hijacked AUR packages added npm install atomic-lockfile to their build steps; on install, npm runs the package's preinstall hook, which drops and executes src/hooks/deps — a bundled Rust ELF that independent researcher Whanos reverse-engineered as a developer-workstation credential stealer.
The attacker handles attached to wave 1 were the AUR accounts krisztinavarga and arojas. arojas was a forged identity — the operator used spoofed git author metadata to impersonate the legitimate maintainer's commit history, making the malicious PKGBUILD change look like a routine update from someone the AUR moderators already trusted.
Wave 3 — nextfile-js (2026-06-13 → 2026-06-16)
A third pivot landed the day after wave 2. nextfile-js@1.4.2 was published 2026-06-13 18:52:14 UTC and unpublished 2026-06-16 11:37:10 UTC. Same Rust+eBPF payload family, but the operator switched to shell-obfuscated bun add from /tmp to hide the literal package name from substring-matching scanners that wave 2 had successfully picked off. Community trackers (peq42, Corgea, CSA Labs, Rescana) tie wave 3 back to the same operator and report ansi-colors as an accompanying decoy / co-install — but because legitimate ansi-colors is a widely-used npm package and no clean malicious version pin has been published, this catalogue tracks only the confirmed malicious package (nextfile-js@1.4.2).
By the time wave 3 was fully enumerated, the consolidated AUR-side count climbed to ~1,500 hijacked packages per Rescana's post-incident summary. The wider Wave 1 publisher handle list — krisztinavarga, franziskaweber, tobiaswesterburg, ellenmyklebust, arojas per the lenucksi tracker — is broader than the two AUR accounts originally named in the Sonatype disclosure.
Wave 2 — js-digest, lockfile-js (2026-06-12)
Within 24 hours of Sonatype's disclosure the operator pivoted. js-digest@4.2.2 was published 2026-06-12 10:21 UTC and pulled via bun install from a second tranche of hijacked PKGBUILDs (the switch to Bun bypasses defenders who had reactively blocked atomic-lockfile by npm-package name). lockfile-js@1.4.2 followed at 2026-06-12 13:01 UTC. Both packages were unpublished by npm within ~2 hours each; atomic-lockfile itself was replaced with an npm/security-holder placeholder (0.0.1-security) at 2026-06-12 11:39 UTC.
Wave 2 attacker handles were custodiatovar and veramagalhaes. Community trackers (consolidated at github.com/lenucksi/aur-malware-check) attribute all five AUR accounts to the same operator via shared infrastructure and consistent payload deltas.
Payload — Rust stealer + eBPF rootkit + systemd persistence
Unlike the Bun-JS family used in the Miasma / Mini Shai-Hulud / Hades waves running in parallel, the Atomic Arch payload is a Rust-compiled Linux ELF. Capabilities documented across the lenucksi detection repo, the byteiota write-up, and Sonatype's analysis include:
- Credential theft: Discord tokens, GitHub Personal Access Tokens, npm publish tokens, Slack session cookies, Microsoft Teams / M365 session material, SSH private keys (
~/.ssh/id_*), HashiCorp Vault tokens, Docker / Podman credentials, and browser cookie stores. - eBPF rootkit: when the build ran as root (typical for
sudo makepkgand many AUR helpers) and the kernel grantsCAP_BPF, the implant loads a BPF program that hooksgetdents64,read, and the socket family. It hides its own process, on-disk artefacts under/sys/fs/bpf/hidden_*, and active network sockets fromps,ls,ss/netstat, andlsof. - Systemd persistence:
Restart=alwaysservice units are installed in both system (/etc/systemd/system) and user (~/.config/systemd/user) modes, so the implant survives reboot and respawns when killed. - Tor + temp.sh exfiltration: the C2 channel resolves to a Tor hidden service. A secondary exfil path POSTs sweep output to the public
temp.shpaste host — chosen to blend with normal developer traffic. Operator-controlled containergithub.com/fardewoak/nodejs-argowas used to stage payloads. - Anti-analysis: anti-debugging checks, stealth file paths, and a delayed-execution loop designed to evade short-window CI sandboxing.
Scope
Sonatype's first write-up counted "20+" hijacked AUR packages. Within 24 hours the community master list reached 408; consolidated lists later climbed toward ~1,500 across both waves. The exact AUR package list is maintained in the lenucksi detection repository and the Arch aur-general mailing thread; we do not enumerate AUR packages in the dependency map below because they are not consumed via the npm/PyPI dependency graphs DependencyWatch.io scans. The three malicious npm packages are in scope and are the only versions a lockfile or npm/bun cache will reveal.
Timeline
- 2026-06-09 — earliest AUR PKGBUILD hijacks observed (community thread reconstructs)
- 2026-06-10 15:05 UTC —
atomic-lockfile@1.4.2published to npm byherbsobering - 2026-06-11 — Sonatype publishes the Atomic Arch disclosure (Sonatype-2026-003775, CVSS 8.7)
- 2026-06-12 10:21 UTC —
js-digest@4.2.2published to npm (wave 2, Bun delivery path) - 2026-06-12 11:39 UTC —
atomic-lockfilereplaced with0.0.1-securityholding placeholder by npm - 2026-06-12 11:53 UTC —
js-digest@4.2.2unpublished by npm - 2026-06-12 13:01 UTC —
lockfile-js@1.4.2published to npm - 2026-06-12 16:29 UTC —
lockfile-js@1.4.2unpublished by npm - 2026-06-12 — BleepingComputer, The Hacker News, Hackread, ByteIota, CyberSecurity News, and Heise republish the disclosure
- 2026-06-13 18:52 UTC —
nextfile-js@1.4.2published to npm (wave 3, shell-obfuscatedbun addfrom/tmp) - 2026-06-14 — Corgea, CSA Labs research note, and peq42 wave-3 write-up published
- 2026-06-16 11:37 UTC —
nextfile-js@1.4.2unpublished by npm - 2026-06-21 — Rescana post-incident summary confirms ~1,500 AUR packages compromised across all three waves
No CVE / GHSA / OSV entry covered the wave at time of cataloguing — Sonatype-2026-003775 is the only registry-level identifier so far, with each malicious npm package independently flagged by Snyk's vulnerability database as Critical / Malicious. Distinct from the parallel TeamPCP / Mini Shai-Hulud / Miasma / Hades clusters: this campaign's payload is Rust (not Bun-bundled JS), targets browser cookies and Discord/Slack/Teams session material as primary loot (not cloud credentials), and uses an eBPF rootkit for stealth (not seen in TeamPCP waves apart from JFrog's 2026-06-04 IronWorm disclosure).
Affected packages (4)
- npm
atomic-lockfile1.4.2 - npm
js-digest4.2.2 - npm
lockfile-js1.4.2 - npm
nextfile-js1.4.2
Impact
- AUR
PKGBUILD/.installscript silently runsnpm install atomic-lockfile(orbun install js-digest/lockfile-jsin wave 2) during a normalmakepkg— no warning, no separate confirmation prompt - On install,
atomic-lockfile@1.4.2executes apreinstallhook that drops and runssrc/hooks/deps, a bundled Rust ELF infostealer aimed at developer workstations and CI runners - Stealer harvests Discord tokens, GitHub PATs, npm publish tokens, Slack and Teams/M365 session cookies, SSH private keys, HashiCorp Vault tokens, Docker/Podman credentials, and browser cookie stores
- eBPF kernel rootkit — installed when the build ran as root with
CAP_BPF— hides the malicious process, files on disk, and socket inodes fromps,ls,ss/netstat, andlsof - Systemd persistence:
Restart=alwaysunits installed in both root and user-mode so the implant survives reboot and respawns if killed - Tor onion C2 +
temp.shexfiltration channel — perimeter NetFlow / DNS logging cannot resolve the operator endpoint, and outbound to a public paste host blends with developer traffic - Wave 2 (2026-06-12) switches from
npm installtobun installand adds new attacker accounts — defenders who only block npm see the second wave land - Estimated ~1,500 AUR packages compromised across all waves; community trackers cataloged 408 confirmed in the first 24 hours
What to do
- 1On any Arch / Manjaro / EndeavourOS / CachyOS host that ran
makepkgoryay -S/paru -Sagainst an AUR package between 2026-06-09 and 2026-06-12: assume kernel-level compromise. The eBPF rootkit hides the malware from standard tooling — re-image from trusted Arch ISO rather than attempt in-place cleanup - 2Block / remove any installed copy of
atomic-lockfile,js-digest, orlockfile-jsfrom npm / bun caches and node_modules trees; npm replacedatomic-lockfilewith a0.0.1-securityholding entry on 2026-06-12 and unpublished the other two - 3Rotate from a known-clean host: Discord tokens, GitHub PATs and SSH keys, npm publish tokens, Slack sessions, Teams / M365 sessions, HashiCorp Vault tokens, Docker / Podman credentials, browser cookies, and anything in
~/.sshor~/.configthe affected host could read - 4Hunt for the eBPF rootkit artefacts before declaring a host clean:
ls -la /sys/fs/bpf/hidden_*,bpftool prog list, andfind /etc/systemd -newer /etc/machine-id -name "*.service"for unexpectedRestart=alwaysunits - 5Audit AUR helpers for unverified PKGBUILD changes —
yay/parushow a diff before build; do not blanket-accept on previously-trusted package adoptions, especially when the package status flipped from orphaned to maintained in the last week - 6Cross-check installed AUR packages against the community detection script at
github.com/lenucksi/aur-malware-checkbefore clearing any system as unaffected
References
- SonatypeAtomic Arch: Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malwaresonatype.com
- lenucksi (community)lenucksi/aur-malware-check — Detection tools for the June 2026 atomic-lockfile AUR supply-chain attackgithub.com
- npmatomic-lockfile on npm (1.4.2 replaced with security-holder placeholder)npmjs.com
- npmjs-digest on npm (4.2.2 unpublished 2026-06-12)npmjs.com
- npmlockfile-js on npm (1.4.2 unpublished 2026-06-12)npmjs.com
- The Hacker NewsOver 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkitthehackernews.com
- BleepingComputerOver 400 Arch Linux packages compromised to push rootkit, infostealerbleepingcomputer.com
- HackReadAtomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malwarehackread.com
- byteiotaAUR Malware Hits 408 Packages with eBPF Rootkit — Act Nowbyteiota.com
- Cyber Security News400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealerscybersecuritynews.com
- Privacy GuidesAround 1,500 AUR Packages Compromised with "Rootkit-Like" Malwareprivacyguides.org
- CorgeaAtomic Arch AUR: atomic-lockfile, js-digest, eBPF rootkitcorgea.com
- Cloud Security AllianceCSA Research Note: AUR Supply-Chain eBPF Rootkit (2026-06-14)labs.cloudsecurityalliance.org
- peq42AUR Malware Problems Got Worse — Wave 3 nextfile-jspeq42.com
- RescanaAtomic Arch Supply Chain Attack Compromises ~1,500 AUR Packages (Rescana post-incident summary)rescana.com