A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
The campaign, dubbed “Atomic Arch” by researchers, was identified around June 11, 2026, and represents one of the most wide-scale AUR incidents on record.
The threat actors systematically targeted orphaned AUR packages legitimate projects that have been abandoned by their original maintainers and claimed ownership of them through AUR’s standard adoption process.
Once in control, attackers modified the packages’ PKGBUILD scripts, which are the build instruction files that AUR helpers like yay and paru execute during installation.
The malicious PKGBUILDs were altered to silently fetch and install two rogue npm packages: atomic-lockfile and js-digest. These packages acted as the primary malware delivery mechanism, executing during the standard package build process without triggering obvious warnings to end users.
Once installed, the malicious npm packages deployed a multi-stage infostealer payload engineered to exfiltrate a broad range of sensitive data, including:
Beyond data theft, the malware employed rootkit-style persistence techniques, disguising its active processes as legitimate kernel threads to evade detection by standard process monitors like ps and htop. This tactic makes post-infection identification significantly harder without dedicated forensic tooling.
The Arch Linux security team responded rapidly once the compromise was surfaced on the AUR mailing list. Maintainers reverted malicious PKGBUILD commits, permanently banned the offending attacker accounts, and published a detailed checklist of affected packages for the community. Critically, Arch’s official repositories ([core], [extra], [multilib]) remained unaffected, as those are subject to stricter review processes.
Users who regularly install AUR packages should take the following steps immediately:
pacman -Qm to list all foreign (AUR) packages installed on your system and cross-reference against the published list of compromised packagesrkhunter or chkrootkitThis incident echoes a growing trend of supply chain attacks targeting package repositories across ecosystems. Researchers at Sonatype specifically characterized the Atomic Arch campaign as a deliberate strategy of targeting orphaned, trusted packages with existing install bases, maximizing victim reach while minimizing scrutiny.
The AUR’s community-trust model, while a strength for package availability, continues to present a systemic risk that individual vigilance cannot fully mitigate without structural policy changes around orphan package adoption.