400+ Arch Linux AUR Packages Hijacked With eBPF Rootkit
Attackers adopted orphaned AUR packages to push credential-stealing malware with kernel-level rootkit capabilities. Here's what Arch users need to do now.
A supply chain attack targeting the Arch User Repository has compromised more than 400 community-maintained packages, injecting credential-stealing malware equipped with an eBPF rootkit that hides from standard Linux process monitoring tools. The campaign, dubbed "Atomic Arch" by researchers, represents the largest AUR compromise on record.
Sonatype researchers tracked the attack to malicious npm packages distributed through modified PKGBUILD scripts. The infostealer targets developer credentials across a wide range of platforms—GitHub, SSH, HashiCorp Vault, browser cookies, and messaging applications including Slack, Discord, Microsoft Teams, and Telegram.
How the Attack Worked
A single attacker operating under the username "arojas" systematically adopted 408 orphaned AUR packages—legitimate projects abandoned by their original maintainers. The AUR allows anyone to claim ownership of these orphaned packages through a standard adoption process, and this attacker exploited that trust model at scale.
Once in control, the attacker modified each package's PKGBUILD script to silently fetch two malicious npm packages during installation: atomic-lockfile and js-digest. This attack vector is particularly concerning given that npm just announced plans to disable install scripts by default in next month's v12 release—a change that would have blocked this exact technique on the npm side of the chain.
When users installed these compromised packages through AUR helpers like yay or paru, the npm packages deployed a native Linux executable called "deps" containing both the credential stealer and rootkit components.
Kernel-Level Stealth Capabilities
What distinguishes this campaign from typical infostealers is the eBPF rootkit functionality. Extended Berkeley Packet Filter allows code to run within the kernel context, giving the malware elevated privileges to hide its presence from standard detection tools. This kernel-level access mirrors the risk we saw with the recent nftables container escape vulnerability—once attackers reach the kernel, traditional userspace security tools become blind.
Analysis by security researchers revealed the rootkit hooks the getdents64() system call—the function Linux uses to enumerate directory contents. By filtering results at the kernel level, the malware hides its processes, files, and network connections from monitoring tools like ps, htop, and netstat. The malware masquerades its active processes as legitimate kernel threads.
The binary also contains anti-analysis measures including PTRACE detection to identify debugger attachment and NETLINK_SOCK_DIAG for socket diagnostics evasion.
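A cross-view check for the getdents64() filtering described above, written here as an added example rather than code from the article or from Arch. Directory listings go through getdents64(), but a direct stat() of /proc/<pid> does not, so a process stripped from `ls /proc` (and therefore from ps and htop) still answers to a direct path lookup unless the rootkit also filters path lookups. It assumes Linux with /proc mounted and only POSIX tools.

```shell
#!/bin/sh
# Added example, not from the article: compare the /proc directory listing
# (which a getdents64() hook can filter) against direct stat() of /proc/<pid>.
# Assumes Linux with /proc mounted; needs no privileges for your own processes.

# hidden_pids [LIMIT]: print PIDs that exist via stat() but are missing from
# the readdir() view. Scans 1..LIMIT (default 65536; compare with
# /proc/sys/kernel/pid_max). Returns 0 when nothing hidden was found.
hidden_pids() {
    limit=${1:-65536}
    hidden=0
    p=1
    while [ "$p" -le "$limit" ]; do
        if [ -d "/proc/$p" ]; then
            # Threads have /proc/<tid> but are never listed by readdir, even on
            # a clean kernel, so only count thread-group leaders (Tgid == pid).
            tgid=$(awk '/^Tgid:/ { print $2; exit }' "/proc/$p/status" 2>/dev/null)
            if [ "$tgid" = "$p" ] && ! ls /proc | grep -qx "$p"; then
                # Re-check once so a process that exited mid-scan is not reported.
                if [ -d "/proc/$p" ] && ! ls /proc | grep -qx "$p"; then
                    echo "hidden pid $p"
                    hidden=$((hidden + 1))
                fi
            fi
        fi
        p=$((p + 1))
    done
    echo "hidden processes: $hidden" >&2
    [ "$hidden" -eq 0 ]
}

# hidden_entries DIR NAME...: same idea for files. Names that resolve by path
# but are absent from the directory listing indicate readdir filtering.
hidden_entries() {
    dir=$1; shift
    missing=0
    for name in "$@"; do
        if [ -e "$dir/$name" ] && ! ls -A "$dir" | grep -qxF "$name"; then
            echo "hidden entry $dir/$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Run both from a statically linked or freshly booted environment where possible; a kernel-level hook can in principle filter stat() as well, so a clean result is evidence, not proof.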
Targeted Data
The "deps" infostealer casts a wide net across developer workstations:
- GitHub credentials and SSH artifacts
- HashiCorp Vault tokens
- Browser cookie databases (Chromium and Firefox)
- Slack, Discord, Microsoft Teams, and Telegram session data
- Docker and Podman credentials
- VPN configuration files
- Shell history files containing commands and embedded secrets
- Cryptocurrency wallet data
- System environment variables and API tokens
Stolen data is exfiltrated via HTTP POST to attacker-controlled infrastructure. The focus on developer secrets and CI/CD credentials suggests this campaign aimed to enable further supply chain compromises—a pattern we've tracked across recent PyPI attacks targeting the AI and machine learning ecosystem.
Discovery and Response
The Independent Federated Intelligence Network (IFIN), security researcher Whanos, and Sonatype engineer Eyad Hasan independently identified the campaign around June 11, 2026. Sonatype assigned the malicious packages identifier Sonatype-2026-003775 with a CVSS score of 8.7.
The Arch Linux security team moved quickly once the compromise surfaced on the AUR mailing list. Maintainers reverted malicious PKGBUILD commits, permanently banned the attacker accounts, and published a checklist of affected packages for the community.
Arch's official repositories—[core], [extra], and [multilib]—remained unaffected. Those repositories use stricter review processes that would have caught the malicious modifications.
Why This Matters
The Atomic Arch campaign highlights a fundamental tension in community-driven package ecosystems. The AUR's open adoption process lets anyone rescue abandoned packages and keep them maintained. The same openness that makes this possible also creates opportunities for attackers to inherit trust they never earned.
As Sonatype researchers put it: "Attackers no longer need to create trust. Sometimes they can inherit it."
This isn't theoretical anymore. Between npm typosquatting campaigns, PyPI credential theft, and now AUR PKGBUILD poisoning, supply chain attacks have become an operational reality for anyone who installs community-maintained packages.
What Arch Users Should Do
If you've installed AUR packages recently, assume compromise until verified:
- Audit foreign packages: Run pacman -Qm to list all packages installed from outside official repositories
- Review PKGBUILD history: Check the git log for any packages you've installed recently—look for changes from unfamiliar maintainers
- Rotate all credentials: GitHub tokens, SSH keys, Vault tokens, cloud API keys, browser sessions
- Scan for rootkit indicators: Run rkhunter or chkrootkit, though eBPF rootkits may evade these tools
- Enable PKGBUILD review: Configure your AUR helper to always show PKGBUILD diffs before installation
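The audit and PKGBUILD-review steps above, as an added example script that is not from the article or from Arch. It lists foreign packages with pacman -Qm, scans each cached PKGBUILD for the two npm package names the article reports (atomic-lockfile, js-digest) plus any npm install step, and enumerates loaded eBPF programs with bpftool as a view the getdents64() hook does not filter. The cache paths ~/.cache/yay/<pkg> and ~/.cache/paru/clone/<pkg> are assumed defaults; adjust them for your helper.

```shell
#!/bin/sh
# Added example, not from the article or from Arch: audit installed AUR
# packages for the "Atomic Arch" indicators. Assumes pacman and an AUR helper
# cache at ~/.cache/yay/<pkg> or ~/.cache/paru/clone/<pkg> (assumed paths).

# Indicators from the article: the two npm packages the poisoned PKGBUILDs fetch.
INDICATORS='atomic-lockfile|js-digest'
# Any npm/npx install step inside a PKGBUILD deserves a human look.
NPM_STEP='(^|[^[:alnum:]_-])(npm|npx)[[:space:]]+(i|install|exec)([[:space:]]|$)'

# scan_pkgbuild FILE: print matching lines with line numbers.
# Returns 0 when something suspicious matched, 1 when clean or unreadable.
scan_pkgbuild() {
    [ -r "$1" ] || return 1
    grep -nE "$INDICATORS|$NPM_STEP" "$1"
}

# cached_pkgbuild PKG: print the path of the PKGBUILD the helper last used.
cached_pkgbuild() {
    for d in "$HOME/.cache/yay/$1" "$HOME/.cache/paru/clone/$1"; do
        [ -r "$d/PKGBUILD" ] && { printf '%s\n' "$d/PKGBUILD"; return 0; }
    done
    return 1
}

# audit_foreign_packages: walk `pacman -Qmq` (packages not from an official
# repository) and report any whose cached PKGBUILD matches an indicator.
audit_foreign_packages() {
    found=0
    for pkg in $(pacman -Qmq); do
        pb=$(cached_pkgbuild "$pkg") || { echo "no cached PKGBUILD: $pkg"; continue; }
        if hits=$(scan_pkgbuild "$pb"); then
            found=$((found + 1))
            printf 'SUSPICIOUS %s (%s)\n%s\n' "$pkg" "$pb" "$hits"
        fi
    done
    echo "suspicious packages: $found"
    [ "$found" -eq 0 ]
}

# list_bpf_programs: the rootkit filters getdents64(), not the bpf() syscall,
# so enumerating loaded programs with bpftool (needs root) gives an independent
# view; kprobe or tracepoint programs you did not load deserve investigation.
list_bpf_programs() {
    command -v bpftool >/dev/null 2>&1 || { echo "bpftool not installed"; return 1; }
    bpftool prog show && bpftool link show
}
```

Source the file and run audit_foreign_packages as your user, then list_bpf_programs as root; a package with no cached PKGBUILD should be re-fetched from the AUR and its git log reviewed by hand.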
Given the rootkit's ability to persist at the kernel level and hide from process monitors, Arch Linux's mitigation guidance recommends reinstalling from scratch if you suspect compromise. The stealth capabilities make post-infection cleanup unreliable.
For ongoing protection, consider monitoring the AUR mailing list and Arch security advisories. The community has published affected package lists that continue to be updated as the investigation progresses.