Deps credential stealer in hijacked Arch AUR builds
Malware Activity
Summary
Atomic Arch is a malware activity that hijacked more than 400 Arch User Repository (AUR) packages on or after June 11 and rewrote their build scripts to run npm install atomic-lockfile during builds, delivering a Rust credential stealer through the AUR build path. The deps payload targets developer workstations and build systems, steals browser cookies, SSH keys, GitHub/npm tokens, and other secrets, exfiltrates data to temp.sh, and can add systemd persistence plus an optional eBPF rootkit when it has root. The official Arch repositories were not affected, and confirmed examples include alvr and premake-git.
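A defender-side check for the delivery path described above, added here as an example and not taken from Sonatype or the original reports: it scans PKGBUILD and `.install` text for npm packages installed by name and marks `atomic-lockfile` as an indicator. The regex, the `review` level for other packages, and the sample PKGBUILD are assumptions constructed for illustration.

```python
import re
from pathlib import Path

IOC_PACKAGE = "atomic-lockfile"  # npm package named on this page
NPM_INSTALL = re.compile(r"\bnpm\s+(?:install|i|add)\b([^;&|]*)")  # assumed pattern

def logical_lines(text):
    """Yield (first_line_no, line) with continuations joined, comment lines skipped."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if not buf.lstrip().startswith("#"):
            yield start, buf
        buf = ""

def package_name(spec):  # drop quotes and @version, keep scoped @scope/pkg names
    spec = spec.strip("\"'")
    return spec.rsplit("@", 1)[0] if "@" in spec[1:] else spec

def scan_text(text):
    """Return (line_no, level, package) for every npm package installed by name."""
    hits = []
    for no, line in logical_lines(text):
        for m in NPM_INSTALL.finditer(line):
            for arg in m.group(1).split():
                if not arg.startswith("-"):  # options such as --silent
                    name = package_name(arg)
                    hits.append((no, "ioc" if name == IOC_PACKAGE else "review", name))
    return hits

def scan_tree(root):
    """Scan PKGBUILD and *.install files under root, e.g. an AUR helper cache."""
    files = [*Path(root).rglob("PKGBUILD"), *Path(root).rglob("*.install")]
    scanned = {str(p): scan_text(p.read_text(errors="replace")) for p in files if p.is_file()}
    return {path: hits for path, hits in scanned.items() if hits}

# Constructed sample, not taken from any real package.
SAMPLE_PKGBUILD = """\
# npm install atomic-lockfile   (comment line, ignored)
build() {
  npm install --silent \\
    atomic-lockfile
  npm install typescript@5.4.0 && make
}
"""
```

Point `scan_tree` at the directory where your AUR helper keeps cloned build directories. A `review` hit is not malicious by itself; it only marks a build-time npm fetch worth reading before running the build.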
Related Happenings
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score: 11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources: 1
How related:
Sonatype, which named the campaign Atomic Arch, found them going after orphaned projects: packages whose maintainers had walked away, leaving them open for anyone to adopt.
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score: 3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources: 1
How related:
That package, [email protected], carries a preinstall hook that runs a bundled Linux ELF named deps. Build the package, and the binary runs.
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score: 34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources: 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score: 15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources: 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Miasma GitHub and npm supply-chain campaign
Campaign
H score: 26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources: 1
About this happening:
The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Timeline
- 12.06.2026 22:24 · 3 articles
Sonatype tracks Atomic Arch after more than 400 AUR packages are hijacked
Initial Disclosure
Sonatype names the campaign Atomic Arch, says more than 400 AUR packages were hijacked, notes that confirmed examples include alvr and premake-git, and states that the affected list remains incomplete with no CVE assigned and a CVSS 8.7 tracking label.
- 400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer — thehackernews.com — 12.06.2026 22:24
- Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit — thehackernews.com — 12.06.2026 22:33