INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Atomic Arch Campaign Exploits Linux AUR to Deliver Malware
2026-06-12 18:17 | HIGH LOW
Executive Summary (AI-generated)
The Atomic Arch campaign is a sophisticated malware attack against Linux systems that abuses weaknesses in the open-source package ownership transfer process. Dubbed "Atomic Arch," it hijacks 20+ Linux AUR (Arch User Repository) packages to deliver malware. The attackers use a native Linux binary executable bundled with the atomic-lockfile package, which loads a code file named scales.bpf.c to gain rootkit-like capabilities. With over 20 AUR packages already compromised, the campaign ranks among the most significant software supply chain attacks on record.
Technical Mitigations (AI-generated)
• Regularly update and patch Linux systems to ensure that known vulnerabilities are addressed.
• Implement a secure package management system, such as RPM or DEB, which can detect and prevent malicious packages from being installed.
• Use a combination of signature-based security tools and behavior-based detection techniques to identify potential threats in the AUR.
• Monitor system logs for suspicious activity related to package installations and updates.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign Hijacks
Target & Sectors
Global Scope
technology
Incident Timeline
2026/06/12
The threat actors used a Linux kernel technology called eBPF to deliver malware by exploiting the PKGBUILD configuration file of over 20 Linux AUR packages.
infrastructure
Linux
Triggered during a preinstall script phase inside the package.json file, this binary deploys a second-stage payload using a Linux kernel technology called eBPF.
Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware.
Research firm Sonatype has discovered a malicious campaign targeting Linux systems in an entirely different way.
Advanced Stealth Techniques
Sonatype researcher Adam Reynolds analysed the atomic-lockfile package and found a bundled native Linux binary executable.
organisation
CVSS
Sonatype Research Labs is tracking this specific atomic-lockfile dependency under the reference Sonatype-2026-003775, giving the threat a high-severity CVSS score of 8.7.
organisation
the Arch User Repository
The campaign is dubbed “Atomic Arch” as it targets the Arch User Repository (AUR), an online platform where community members maintain installation files for different software packages.
organisation
Hackread.com
Sonatype has shared the technical details of this ongoing software supply chain attack with Hackread.com.
organisation
PKGBUILD
They rewrite the build instructions inside a configuration file called the PKGBUILD.
organisation
npm
This forces the computer to get a malicious dependency called atomic-lockfile, the primary malware package used in this attack, from the public npm registry.
organisation
SSH, HashiCorp, Slack, Discord, Microsoft Teams, Telegram
It looks for GitHub keys, SSH data, HashiCorp Vault tokens, browser cookies, and saved data from a wide range of communication tools such as Slack, Discord, Microsoft Teams, and Telegram.
IronWorm, Sonatype
While these methods look a lot like an older campaign called IronWorm, Sonatype has not officially linked Atomic Arch to a specific hacker group yet.
Tactical Metrics
Metrics
infrastructure
Linux
Affected Product
Intelligence Sources
HackRead
2026-06-12
Tactical Intelligence
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:19
Comprehensive Tactical Telemetry
Highly Correlated Entities
• Linux systems (organisation, identified entity) - 14x
Contextual Telemetry
Context Block (7 metrics)
• Targeted Sector: Technology (industry, sector)
• Affected Product: Linux (infrastructure, software)
• Campaign: Campaign Hijacks (campaign, operation)
• MITRE ATT&CK Technique: T1588.001 - Malware (tactic, technique)
• Campaign Hijacks: 20 (general metric)
• CVSS Score: 9 (vulnerability, score)
• Reference: Sonatype-2026-003775 (general metric)