Atomic Arch: 400+ Arch Linux AUR Packages Hijacked to Deliver Rust 'deps' Credential Stealer with eBPF Rootkit (Sonatype-2026-003775) — Threadlinqs Intelligence
Threat ID: TL-2026-0788 · Severity: HIGH · CVSS: 8.7 · Status: ACTIVE · Category: SUPPLY_CHAIN
Attribution: Unknown (Atomic Arch operator) · FINANCIAL
Threat actors hijacked 400+ orphaned Arch User Repository (AUR) packages via AUR's legitimate package-adoption workflow, modifying PKGBUILD files and .install hooks to pull a malicious npm package.
On 11-12 June 2026 the Arch Linux community and software-supply-chain vendor Sonatype disclosed a large-scale supply-chain compromise of the Arch User Repository (AUR), tracked by Sonatype as Sonatype-2026-003775 and named the 'Atomic Arch' campaign (CVSS 8.7, no CVE assigned).
The AUR lets community members adopt orphaned (abandoned) packages through its normal ownership-transfer workflow. The actor(s) requested ownership of established but unmaintained packages and, once granted maintainer rights, modified the package build scripts. Two injection patterns were observed: (1) PKGBUILD files or .install post-install hooks modified to run 'npm install atomic-lockfile' during the build, and (2) a 'preinstall' lifecycle script in the malicious npm package pointing at './src/hooks/deps', which npm executes automatically while installing the package. Git commit metadata was spoofed to appear to come from established maintainer accounts; those accounts were confirmed never to have been compromised. Sonatype's first write-up counted ~20 hijacked packages; within a day community trackers grepping the AUR git mirror cataloged ~408, and a second wave (using 'bun install js-digest' from separate accounts) reportedly pushed the total well past 1,500 packages. Named affected packages include alvr, premake-git and monero-wallet-gui.
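As an added example (not code from the Threadlinqs write-up, Sonatype or any Arch tooling), the scanner below checks locally cloned AUR package sources for the two injection patterns described above: JavaScript package-manager install calls inside a PKGBUILD or .install file, and a lifecycle script in a package.json that runs a local path. The sample PKGBUILD, package.json and package names other than the two reported ones are constructed for illustration; run the two functions over each PKGBUILD, .install and package.json in a checkout before building.

```python
import json
import re

# JavaScript package-manager install calls have no place in the build of a
# non-JS project; the two package names are the ones reported in the write-up.
PM_INSTALL_RE = re.compile(
    r"\b(npm|bun|pnpm|yarn)\s+(install|i|add)\b(?:\s+([^\s;&|)]+))?")
KNOWN_BAD = {"atomic-lockfile", "js-digest"}
LIFECYCLE = ("preinstall", "install", "postinstall")

def scan_build_script(text):
    """(line_no, manager, package, known_bad) for each install call in a
    PKGBUILD or .install file; shell comment lines are skipped."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for m in PM_INSTALL_RE.finditer(stripped):
            pkg = m.group(3) or "(from package.json)"
            hits.append((no, m.group(1), pkg, pkg in KNOWN_BAD))
    return hits

def scan_package_json(text):
    """(hook, command) for lifecycle scripts that run a local path such as
    './src/hooks/deps' rather than a normal build command."""
    try:
        scripts = dict(json.loads(text).get("scripts", {}))
    except (ValueError, TypeError, AttributeError):
        return []
    return [(k, v) for k, v in scripts.items() if k in LIFECYCLE
            and isinstance(v, str) and re.search(r"(^|\s)\.{0,2}/", v)]

# Constructed samples mirroring the reported patterns (not real AUR content).
SAMPLE_PKGBUILD = """\
# Maintainer: example (constructed sample)
pkgname=example-tool
pkgver=1.0
build() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install atomic-lockfile   # injected: a C project needs no npm step
  make
}
"""
SAMPLE_PACKAGE_JSON = json.dumps({"name": "atomic-lockfile", "scripts": {
    "preinstall": "./src/hooks/deps", "test": "node test.js"}})

if __name__ == "__main__":
    print(scan_build_script(SAMPLE_PKGBUILD))   # [(6, 'npm', 'atomic-lockfile', True)]
    print(scan_package_json(SAMPLE_PACKAGE_JSON))  # [('preinstall', './src/hooks/deps')]
```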
The payload is a 3,040,376-byte stripped Linux ELF64 (x86-64, PIE) named 'deps' (SHA-256 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b), written in Rust using async state machines. On execution it redirects stdin/stdout/stderr to /dev/null, ignores SIGPIPE, and uses flock() to enforce a single instance. It establishes a local SOCKS-style proxy on 127.0.0.1 and tunnels a POST /api/agent request to a hardcoded Tor onion C2 (olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion) whose address is XOR-obfuscated in the binary (32-byte repeating key). It downloads a Tor expert bundle and can fetch a second-stage binary from the onion '/bin/linux' path (verified via '/bin/sha256/linux').
The stealer enumerates ~27 Chromium-family browser variants (Chrome, Edge, Brave, Vivaldi, Opera, Yandex, Epic, Iridium, Thorium, etc., including Flatpak/Snap paths) for Local Storage leveldb, Network/Cookies and encrypted cookie values; 15+ Electron collaboration clients (Slack, Microsoft Teams, Discord/PTB/Canary, plus Vesktop, Legcord, WebCord, ArmCord, Vencord and others); and developer/local secrets: ~/.ssh keys and known_hosts, shell histories (bash/zsh/fish), HashiCorp Vault tokens (/.vault-token), PuTTY keys, .ovpn VPN profiles, and Docker/Podman registry credentials. It validates and enriches stolen sessions live against api.github.com, registry.npmjs.org, api.openai.com, Slack, Teams and Discord APIs through the local SOCKS layer, then exfiltrates multi-part archives to temp.sh via POST /upload.
When geteuid()==0 and /proc/self/status shows CAP_BPF and/or CAP_SYS_ADMIN in CapEff, 'deps' loads an eBPF rootkit using pinned maps /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names and /sys/fs/bpf/hidden_inodes to hide PIDs from /proc, hide process names in directory listings, hide socket inodes from /proc/net/tcp and netlink diagnostics, and block ptrace attachment against hidden processes. The eBPF component cannot escalate privileges on its own. Persistence is via systemd: a generated .service unit under /etc/systemd/system/ (root) or ~/.config/systemd/user/ (non-root) with Restart=always, RestartSec=30, and the executable copied below /var/lib/. Because of the rootkit's persistence and hiding capability, responders are advised to rotate all exposed credentials and rebuild affected hosts from trusted media rather than attempt in-place cleanup.
Weaknesses (CWE)
CWE-506 (Embedded Malicious Code), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-494 (Download of Code Without Integrity Check), CWE-1357 (Reliance on Insufficiently Trustworthy Component)
Target sectors: technology, software development, open source, devops
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 25 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
SUPPLY_CHAIN, HIGH, threat intelligence, cybersecurity, T1583, T1586, T1608, T1195, T1059, T1204, T1543, T1548, T1014