Heise.De
Over 400 Arch Linux AUR Packages Compromised in Supply Chain Attack
A significant supply chain attack has compromised over 400 packages in the Arch User Repository (AUR), with attackers injecting malicious build scripts that deploy credential-stealing malware and rootkits. The campaign, dubbed 'Atomic Arch', was identified around June 11, 2026, and exploits the AUR's mechanism for adopting orphaned packages. Attackers spoofed trusted publishers to modify package descriptions, adding dependencies for the npm package 'atomic-lockfile', which contains a Linux ELF payload capable of stealing sensitive information. The Arch Linux community is actively working to delete malicious updates and ban the accounts involved. Users are advised to treat affected systems as compromised and to monitor for unusual activity. The incident underscores the risks associated with community-maintained repositories.
Key Points:
• Over 400 Arch Linux AUR packages compromised with malware targeting credentials.
• Attackers exploited orphaned packages to inject malicious npm dependencies.
• Arch maintainers are conducting a large-scale deletion campaign to remove malicious updates.
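
A local check for the one indicator the summary names, the npm package 'atomic-lockfile', written as an added example; it is not code from the article or from the Arch Linux project. It does a plain string match over AUR build recipes and looks for installed copies under node_modules; the function names, the sample tree and the directories in the usage comment (common AUR helper cache locations) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): look for the npm package name the
# article reports in local AUR build recipes and in installed node_modules.
IOC_NAME='atomic-lockfile'   # package name taken from the article

# scan_recipes DIR: print file:line:text for each PKGBUILD, .SRCINFO or
# *.install file under DIR that mentions IOC_NAME.
scan_recipes() {
    find "$1" -type f \( -name PKGBUILD -o -name .SRCINFO -o -name '*.install' \) \
        -exec grep -nF -- "$IOC_NAME" /dev/null {} + 2>/dev/null
    return 0
}

# scan_node_modules DIR: print every installed copy of the package under DIR.
scan_node_modules() {
    find "$1" -type d -path "*/node_modules/$IOC_NAME" -prune -print 2>/dev/null
    return 0
}

# count_hits DIR: number of matching recipe lines plus installed copies.
count_hits() {
    { scan_recipes "$1"; scan_node_modules "$1"; } | wc -l | tr -d ' '
}

# make_sample DIR: constructed test tree with one clean recipe, one recipe
# that references the package, and one installed copy. The recipe text is
# invented for this example and is not taken from an affected package.
make_sample() {
    mkdir -p "$1/clean-pkg" "$1/flagged-pkg" "$1/proj/node_modules/$IOC_NAME"
    printf 'pkgname=clean-pkg\ndepends=(glibc)\n' > "$1/clean-pkg/PKGBUILD"
    printf 'pkgname=flagged-pkg\nbuild() {\n  npm install %s\n}\n' "$IOC_NAME" \
        > "$1/flagged-pkg/PKGBUILD"
}

# Usage (paths are assumptions, adjust to your AUR helper):
#   sh scan.sh ~/.cache/yay ~/.cache/paru/clone /usr/lib/node_modules
for dir in "$@"; do
    [ -d "$dir" ] || continue
    scan_recipes "$dir"
    scan_node_modules "$dir"
done
```

A hit identifies a recipe or install to investigate; an empty result does not clear a host, since build directories may have been cleaned after installation.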