Atomic Arch

discovered 2026-06-11

June 2026 supply chain attack against the Arch User Repository (AUR), named 'Atomic Arch' by Sonatype. Attackers adopted 400+ orphaned AUR packages (byteiota counts 408; community lists consolidate ~588) through AUR's standard adoption process and impersonated a trusted maintainer (account arojas, with krisztinavarga and the wave-2 accounts custodiatovar/veramagalhaes). They then poisoned each PKGBUILD so that the build run by yay/paru pulls a malicious npm package ([email protected]) or, in a later variant, js-digest via bun (publisher herbsobering).

The npm preinstall hook (./src/hooks/deps) executes a stripped Rust-async Linux ELF infostealer carrying an eBPF kernel rootkit (scales.bpf.c, which hooks getdents64 to hide PIDs, files and sockets), Tor hidden-service C2 (olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion, /api/agent) with a temp.sh fallback, broad harvesting of developer secrets and browser data, systemd persistence, and a secondary payload suspected to be a cryptominer.

Assessed with HIGH confidence as the same operator/toolkit as IronWorm (shared Rust-async ELF, eBPF rootkit, Tor /api/agent and temp.sh tradecraft, and shared atomic-* npm naming), re-targeting the Arch ecosystem through the distro build pipeline. Sonatype-2026-003775, CVSS 8.7.

Objective

Compromise the AUR build pipeline at scale to deliver a native infostealer + eBPF rootkit that harvests developer/cloud/SCM/crypto credentials and establishes persistent, kernel-concealed access on Arch Linux hosts.
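A defender-side check for the PKGBUILD poisoning described above, added here as an example and not taken from Sonatype's or byteiota's reports: it scans PKGBUILD text for npm/bun package fetches inside the build and for the campaign's quoted network indicators. The severity levels, the atomic-* prefix heuristic and the sample PKGBUILD are this example's own assumptions; the redacted npm package name is not filled in.

```python
"""Heuristic PKGBUILD scanner for the Atomic Arch pattern: a build step that pulls
a package from npm/bun at makepkg time, plus the network indicators quoted above."""
import re

# Indicators from the summary; the poisoned npm package name is redacted on the page.
KNOWN_BAD_PACKAGES = {"js-digest"}          # bun variant
SUSPICIOUS_PREFIXES = ("atomic-",)          # shared naming noted for IronWorm/Atomic Arch
KNOWN_BAD_STRINGS = (
    "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion",
    "temp.sh",
    "/api/agent",
)

# npm/bun/npx/bunx invocations that pull a package by name; an optional
# @version suffix is matched but kept out of the captured name.
PKG_FETCH_RE = re.compile(
    r"\b(?:npm\s+(?:install|i|add)|npx|bun\s+(?:add|install|x)|bunx)\s+"
    r"(?:-[-\w]+\s+)*"                       # skip flags such as --no-save
    r"(?P<pkg>(?:@[\w.-]+/)?\w[\w.-]*)(?:@[\w.^~-]+)?"
)


def scan_pkgbuild(text):
    """Return (line_no, severity, reason) findings for one PKGBUILD's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]         # drop trailing shell comments
        for ioc in KNOWN_BAD_STRINGS:
            if ioc in code:
                findings.append((no, "high", f"known indicator: {ioc}"))
        for m in PKG_FETCH_RE.finditer(code):
            name = m.group("pkg")
            if name in KNOWN_BAD_PACKAGES:
                findings.append((no, "high", f"known malicious package: {name}"))
            elif name.startswith(SUSPICIOUS_PREFIXES):
                findings.append((no, "medium", f"campaign naming pattern: {name}"))
            else:  # any registry fetch inside build() deserves review, not proof
                findings.append((no, "low", f"build-time registry fetch: {name}"))
    return findings


# Constructed sample PKGBUILD (not a real AUR package) with a poisoned build().
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0.0
build() {
  cd "$pkgname-$pkgver"
  bun add js-digest@1.0.2   # not in upstream's lockfile
}
"""
```

The "low" findings are deliberately noisy: legitimate Node-based AUR packages also run npm during build, so they are a review queue, not a verdict.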
