beanburrito
Active Member
As mentioned (but maybe overlooked by users) here, here, and here.
There's a great write up about it here:
Atomic Arch: 900+ AUR Packages Backdoored with eBPF Rootkit | The CyberSec Guru
On June 11, 2026, the Atomic Arch supply chain attack backdoored 900+ Arch Linux AUR packages with the 'deps' infostealer and an eBPF rootkit
thecybersecguru.com
"On June 11, someone going by the username arojas spent what was probably a quiet afternoon methodically adopting orphaned Arch User Repository packages and injecting them with malware. By the time the community caught on, 408 packages were already compromised. By the time this piece was being written, that number had crossed 900 and is still climbing.
Sonatype researchers have named the campaign Atomic Arch. It’s one of the largest AUR supply chain incidents on record, and the technical sophistication of the payload puts it well beyond your average package repository drive-by."
"If you’re not on Arch Linux, you’re not affected."
Sections include:
How It Started: AUR’s Orphan Adoption Policy
The Infection Chain: How a PKGBUILD Becomes a Backdoor
The Payload: Meet deps
What it steals
Persistence: How It Digs In
The eBPF Rootkit: Why This Is Serious
Command and Control: Tor Onion Service
Threat Actor Infrastructure
Comprehensive Analysis
Detection & Response Guidance
What You Need to Do Right Now
The Bigger Picture
Hacker News Discussion