{"campaign":{"name":"Atomic Arch","slug":"atomic-arch","href":"/ti/campaigns/atomic-arch","description":"June 2026 supply chain attack against the Arch User Repository (AUR), named 'Atomic Arch' by Sonatype. Attackers adopted 400+ orphaned AUR packages (byteiota counts 408; community lists consolidate ~588) via AUR's standard adoption process and impersonated a trusted maintainer (account arojas, with krisztinavarga and wave-2 accounts custodiatovar/veramagalhaes), then poisoned each PKGBUILD so the build run by yay/paru pulls a malicious npm package (atomic-lockfile@1.4.2) or, in a later variant, js-digest via bun (publisher herbsobering). The npm preinstall hook (./src/hooks/deps) executes a stripped Rust-async Linux ELF infostealer carrying an eBPF kernel rootkit (scales.bpf.c, hooks getdents64 to hide PIDs/files/sockets), Tor hidden-service C2 (olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion, /api/agent) with temp.sh fallback, broad developer-secret + browser harvesting, systemd persistence, and a secondary suspected-cryptominer payload. Assessed HIGH confidence as the same operator/toolkit as IronWorm (shared Rust-async ELF + eBPF rootkit + Tor /api/agent + temp.sh tradecraft and shared atomic-* npm naming), re-targeting the Arch ecosystem via the distro build pipeline. Sonatype-2026-003775, CVSS 8.7.","objective":"Compromise the AUR build pipeline at scale to deliver a native infostealer + eBPF rootkit that harvests developer/cloud/SCM/crypto credentials and establishes persistent, kernel-concealed access on Arch Linux hosts.","aliases":["AUR atomic-lockfile supply chain attack"],"discovered_at":"2026-06-11"},"packages":[{"ecosystem":"npm","name":"atomic-lockfile","href":"/ti/packages/npm/atomic-lockfile","threat_types":["credential_stealer","c2_agent","persistence","data_exfiltration","other"],"versions":["1.4.2"]},{"ecosystem":"npm","name":"js-digest","href":"/ti/packages/npm/js-digest","threat_types":["credential_stealer","data_exfiltration","other"],"versions":["*"]}],"indicators":[{"kind":"domain","value":"olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion","href":"/ti/ioc/domain/olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion","context":"Tor hidden-service C2 for the Atomic Arch implant. Beacon POST /api/agent HTTP/1.0; secondary-payload staging at /bin/linux with hash verification at /bin/sha256/linux. Onion host is XOR-obfuscated in the binary (32-byte repeating key at offset 0x1AA60, 62-byte ciphertext at 0x2DA96). Same /api/agent beacon path as IronWorm."},{"kind":"github_repo","value":"fardewoak/nodejs-argo","href":"/ti/ioc/github_repo/github_repo-8b70ca5c56ec","context":"GitHub repo hosting a container image (ghcr.io herbsobering430) tied to the npm publisher herbsobering; appears to be reverse-shell / proxy tooling associated with the Atomic Arch operator."},{"kind":"url","value":"https://temp.sh","href":"/ti/ioc/url/url-0c6e64b7ce44","context":"Fallback exfiltration host (public file-sharing service), reached over Tor via POST /upload when the primary Tor hidden-service C2 is unavailable. Same fallback as IronWorm."},{"kind":"sha256","value":"6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b","href":"/ti/ioc/sha256/6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b","context":"Dropper ELF inside atomic-lockfile@1.4.2 (./src/hooks/deps). Stripped Rust-async Linux ELF64 PIE, entry 0xeae00, 3,040,376 bytes. MD5 42b59fdbe1b72895b2951412222ebf40."},{"kind":"md5","value":"42b59fdbe1b72895b2951412222ebf40","href":"/ti/ioc/md5/42b59fdbe1b72895b2951412222ebf40","context":"MD5 of the atomic-lockfile dropper ELF (./src/hooks/deps)."},{"kind":"sha256","value":"47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204","href":"/ti/ioc/sha256/47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204","context":"Secondary payload fetched from the Tor C2 at /bin/linux (verified against /bin/sha256/linux). Suspected cryptominer; detection hint is modification of /usr/bin/monero-wallet-gui."},{"kind":"file_path","value":"src/hooks/deps","href":"/ti/ioc/file_path/file_path-88f984d402a7","context":"Path of the Rust-async ELF infostealer dropper inside the atomic-lockfile npm tarball; invoked by the package.json preinstall hook (preinstall: ./src/hooks/deps)."},{"kind":"file_path","value":"scales.bpf.c","href":"/ti/ioc/file_path/file_path-777c40b68e33","context":"eBPF rootkit component source filename. Hooks getdents64() to hide PIDs from /proc, filenames from directory listings, and socket inodes from /proc/net/tcp + netlink (NETLINK_SOCK_DIAG). Pinned BPF maps /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names, /sys/fs/bpf/hidden_inodes. Kills ptrace (PTRACE_ATTACH/PTRACE_SEIZE). IronWorm equivalent was q2.bpf.c."},{"kind":"sha256","value":"7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316","href":"/ti/ioc/sha256/7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316","context":"Linux ELF payload embedded in the js-digest npm package (Atomic Arch wave-2 / bun-delivered variant)."}],"ttps":[{"name":"Compromise Software Supply Chain","mitre_attack_id":"T1195.002","href":"/ti/ttps/T1195.002"},{"name":"Command and Scripting Interpreter: Unix Shell","mitre_attack_id":"T1059.004","href":"/ti/ttps/T1059.004"},{"name":"Masquerading","mitre_attack_id":"T1036","href":"/ti/ttps/T1036"},{"name":"Obfuscated Files or Information","mitre_attack_id":"T1027","href":"/ti/ttps/T1027"},{"name":"Rootkit","mitre_attack_id":"T1014","href":"/ti/ttps/T1014"},{"name":"Impair Defenses: Disable or Modify Tools","mitre_attack_id":"T1562.001","href":"/ti/ttps/T1562.001"},{"name":"Debugger Evasion","mitre_attack_id":"T1622","href":"/ti/ttps/T1622"},{"name":"Create or Modify System Process: Systemd Service","mitre_attack_id":"T1543.002","href":"/ti/ttps/T1543.002"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"},{"name":"Browser Information Discovery","mitre_attack_id":"T1217","href":"/ti/ttps/T1217"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Proxy: Multi-hop Proxy","mitre_attack_id":"T1090.003","href":"/ti/ttps/T1090.003"},{"name":"Exfiltration to Cloud Storage","mitre_attack_id":"T1567.002","href":"/ti/ttps/T1567.002"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Resource Hijacking","mitre_attack_id":"T1496","href":"/ti/ttps/T1496"}],"related_campaigns":[{"name":"IronWorm","slug":"ironworm","href":"/ti/campaigns/ironworm","relationship":"variant-of"}],"reports":[{"title":"400+ AUR Packages Compromised with Infostealer and Rootkit","url":"https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577","published_at":"2026-06-11"}]}