malware npm
atomic-lockfile
discovered 2026-06-11
Second-stage npm package pulled by 400+ trojanized AUR PKGBUILDs in the Atomic Arch campaign. Carries a preinstall hook (./src/hooks/deps) that executes a 3,040,376-byte stripped Rust-async Linux ELF64 (PIE) infostealer with an eBPF kernel rootkit (scales.bpf.c), Tor hidden-service C2, systemd persistence, and a secondary suspected-cryptominer payload. Same atomic-* naming and implant tradecraft as IronWorm's atomic-notes.
Threat types
credential_stealer c2_agent persistence data_exfiltration other
Malicious versions
- 1.4.2
Campaigns
Indicators
- domain olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion (communicates-with)
- url https://temp.sh (exfiltrates-to)
- sha256 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b (indicates)
- md5 42b59fdbe1b72895b2951412222ebf40 (indicates)
- sha256 47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204 (drops)
- file_path src/hooks/deps (indicates)
- file_path scales.bpf.c (indicates)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.004 Command and Scripting Interpreter: Unix Shell (uses)
- ttp T1036 Masquerading (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1014 Rootkit (uses)
- ttp T1562.001 Impair Defenses: Disable or Modify Tools (uses)
- ttp T1622 Debugger Evasion (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1217 Browser Information Discovery (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1090.003 Proxy: Multi-hop Proxy (uses)
- ttp T1567.002 Exfiltration to Cloud Storage (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1496 Resource Hijacking (uses)
