Beginning around June 11, 2026, an attacker
mass-adopted more than 400 orphaned packages in
the Arch User Repository (AUR) and edited their
PKGBUILD / .install files to run a
malicious post-install hook. The hook pulls a rogue npm package
(atomic-lockfile; a later, separately reported wave
used js-digest via Bun) whose bundled native Linux
binary is both a credential infostealer and an
eBPF rootkit that hides its own processes, files,
and network connections. Because the AUR .install
hook executes under pacman as root,
the rootkit path can run with kernel-level privilege on any host
that installed or rebuilt an affected package during the window.
Sonatype, which named the campaign "Atomic Arch,"
tracks it as Sonatype-2026-003775 (CVSS 8.7); there is no CVE. The
official Arch [core]/[extra] repositories
are not affected, only the user-contributed AUR.
Arch staff removed the malicious commits around 17:30 UTC
on June 12 and banned the accounts, but if any of your
machines pulled an affected AUR package in the window, the most
urgent actions are: confirm which packages, rotate every
credential the host could reach, and plan to reinstall,
because an eBPF rootkit can survive ordinary cleanup.
Framing note: this is a compromise of a
community package repository, not a vulnerability in Arch Linux,
pacman, or any single application, and there is no
CVE or vendor patch to apply. The affected population is
"machines that installed or updated an AUR package via an AUR
helper (yay, paru, aurutils, or manual makepkg -si)
during the June 11 to 12 window," which in practice includes
Arch and Arch-derived distributions (CachyOS, EndeavourOS,
Manjaro, and similar) that consume the AUR. The IOCs below come
from community incident tracking and named-research analysis;
where a hash or a count is sourced from secondary reporting
rather than a single primary advisory, that is flagged inline.
Three things make this worse than the average npm/PyPI
credential-stealer. First, the payload runs as
root: an AUR package's install hook executes inside
pacman's privileged transaction, so the malware
does not need a separate privilege-escalation step to load its
eBPF rootkit. Second, that rootkit is built to hide
itself, hooking getdents64() and pinning
eBPF maps named hidden_pids,
hidden_names, and hidden_inodes to
conceal processes, files, and network interfaces, so a quick
ps / ls / ss glance can
come back clean on a compromised box. Third, the
infostealer is broad: it targets GitHub credentials,
SSH keys, HashiCorp Vault tokens, browser cookie and credential
stores (Chromium and Firefox), Slack / Discord / Microsoft Teams
/ Telegram session data, environment variables, and
cryptocurrency wallet material, then exfiltrates over an HTTP
POST /upload, with reporting indicating the C2 path
runs over Tor. AUR has no pre-publication malware review and the
orphan-adoption process is self-service, which is exactly the
soft spot this campaign aimed at. Treat any host that installed
or rebuilt an affected AUR package during the incident window
(roughly June 11 through the June 12 removal) as compromised
until proven otherwise.
cscs.pastes.sh is
community-maintained, dated to the June 11 snapshot, and may be
incomplete or change. The exact total has been reported as 400
to 408+; Sonatype's deep-dive directly analyzed a smaller subset
(about 20 packages) while the AUR-wide count is the
community-tracked figure.
Priorities, by environment
Triage hinges on one question: did this host install or rebuild
an AUR package via an AUR helper or makepkg during
the June 11 to 12 window? Pulling official-repo updates with
pacman -Syu alone does not expose you. The affected
population is AUR users specifically.
| Priority | Workload | Why |
|---|---|---|
| Highest | Developer / build / CI hosts that installed or rebuilt any AUR package in the window and hold cloud, Git, Vault, or signing credentials | The root-level install hook plus the infostealer's GitHub / SSH / Vault / cloud focus means these hosts are the campaign's intended catch. Assume credentials are stolen and the eBPF rootkit is resident. Engage IR if this is a build host whose output ships to others. |
| Higher | Shared or multi-user Arch / Arch-derived workstations using the AUR (CachyOS, EndeavourOS, Manjaro, etc.) | A single rooted host with a hidden rootkit endangers every account and credential cached on it. Arch-derived distros consume the same AUR, so "I run CachyOS, not Arch" is not a reason to skip the check. |
| Medium | Single-user Arch desktops that use the AUR but did not install/update in the window | Lower likelihood, but confirm rather than assume: check your pacman.log dates and run the affected-package cross-reference below. If clean for the window, you are most likely unaffected. |
| Lower | Systems that only use official repos (pacman -Syu), or non-Arch systems |
The official Arch [core] / [extra] repositories were not touched. If you never use the AUR, you are not in scope for this incident. Verify you have no foreign packages with pacman -Qm. |
Categorization source: Bulletin's framing, based on the campaign's root-level execution path and the infostealer's documented credential targets. It is not an Arch-issued or Sonatype-issued priority schema.
Am I affected?
The eBPF rootkit's whole purpose is to make a compromised
machine look clean to the usual tools. It hooks
getdents64() and keeps allow-lists of hidden PIDs,
filenames, and inodes, so ls, ps,
ss, and even find can return nothing
unusual on a box that is fully owned. The signals the reported
hiding mechanism does not directly conceal are: its own eBPF
objects (visible to bpftool, which reads from the
kernel directly); the local pacman.log install
record (local and root-alterable, so a useful but not
tamper-proof signal); and genuinely off-host telemetry (network
logs from a router or firewall outside the rooted machine), the
one signal a host-resident implant cannot reach. Lead with
those.
Step 1: Did you install or rebuild an AUR package in the window?
List foreign (AUR) packages, then check the pacman
log for installs or upgrades on June 11 to 12:
pacman -Qm grep -E '^\[2026-06-1[12]T.*\] \[ALPM\] (installed|upgraded|reinstalled) ' /var/log/pacman.log
The reinstalled action matters here: an AUR rebuild
of an already-present package logs as a reinstall, not an upgrade.
Note this lists all pacman transactions, not AUR ones
specifically, so cross-reference any package it names against your
pacman -Qm foreign set. If nothing in your AUR set was
touched in that window, your exposure is low. If something was,
continue.
Step 2: Cross-reference your AUR packages against the affected list
Intersect your locally installed foreign packages with the community-maintained affected-package list. Download the list first (so a fetch failure cannot masquerade as "no matches"), then intersect it with your foreign packages. This needs a shell with process substitution (Bash or Zsh):
curl -fsSL https://cscs.pastes.sh/raw/aurvulnlist20260611.txt -o /tmp/aurvuln.txt && wc -l /tmp/aurvuln.txt comm -12 <(pacman -Qqm | sort) <(sort /tmp/aurvuln.txt)
Confirm the download succeeded (a non-zero line count, one package
name per line) before trusting an empty comm result;
curl failing silently would otherwise leave you with
a false all-clear. Even with a good download, an empty result is
reassuring but not absolute: the list is a community snapshot
dated June 11 and may not capture every adopted package or the
later js-digest activity. Treat the list as a
high-confidence positive signal, not an exhaustive negative.
Step 3: Look for the rootkit's eBPF objects directly
bpftool reads loaded eBPF state from the kernel and
is not subject to the getdents64() hook. The named
maps are the tell:
sudo bpftool map list | grep -E 'hidden_pids|hidden_names|hidden_inodes' sudo bpftool prog list
Do not redirect stderr away here: a missing binary, a sudo
failure, or a kernel error would otherwise look identical to "no
matching maps." Run the commands bare, read any error, and only
treat a clean, error-free run with no hidden-* map as a negative.
Any hit on the hidden-* map names is high-confidence compromise.
bpftool ships in the bpf package
(sudo pacman -S --needed bpf) if it is not already
present. Even an error-free empty result does not fully clear the
host: the rootkit loads only when the install hook ran as root,
and absence of the maps now could also mean the implant has not
loaded in the current boot.
Step 4: Hunt the install-time artifacts
Check the AUR helper build caches and any Node/Bun artifacts for the malicious package names and hook strings:
grep -rlE 'atomic-lockfile|js-digest|herbsobering' ~/.cache/yay ~/.cache/paru ~/.cache/aurutils sudo find / -xdev -type d \( -name atomic-lockfile -o -name js-digest \) sudo find / -xdev -name deps -type f
Scope caveats: the grep covers only those three
candidate AUR-helper cache locations, so add any manual
makepkg build directory you use (and note unreadable
or nonexistent paths are silently skipped). find -xdev
stays on one filesystem, so re-run it per mount if
/home or others are separate mounts, and use
sudo so root-owned paths are not missed.
deps is a common filename, so treat a bare
deps hit as a lead to investigate, not proof. A
community detection script (Kidev) bundles similar checks; review
it before running, as with any remote script:
https://gist.github.com/Kidev/59bf9f5fb53ab5eee99f19a6a2fc3992.
Remember the rootkit may hide on-disk paths from
find, so a negative file search is weaker evidence
than the bpftool and pacman.log checks.
Response, if a host installed an affected package in the June 11 to 12 window
-
Isolate the host. Take it off the network or
restrict outbound traffic, ideally at a router or firewall
outside the machine, since on-host firewall state can
be tampered with by a root implant. Do not start deleting
packages yet if you want triage artifacts; capture the
pacman.log, thebpftooloutput, and the build caches first. -
Establish the credential blast radius and rotate
everything reachable. The infostealer specifically
goes after GitHub credentials, SSH keys
(
~/.ssh), HashiCorp Vault tokens (~/.vault-token,VAULT_TOKENin env), cloud CLI material (~/.aws,~/.config/gcloud,~/.azure,~/.kube), browser cookie and password stores, Slack / Discord / Teams / Telegram sessions, environment variables, and crypto wallets. Rotate or revoke all of it: GitHub PATs and SSH keys, cloud keys, Vault tokens, npm tokens, browser-saved passwords, and move any wallet funds to a fresh wallet generated on a clean device. -
Confirm the rootkit before you trust any local
scan. Run the
bpftool map list/prog listchecks from a root shell. If thehidden_*maps are present, you have a confirmed kernel-resident implant and should go straight to reinstall (step 6); piecemeal cleanup of an eBPF rootkit is not reliable. -
Remove the malicious AUR packages and any Node/Bun
residue. Identify affected packages from step 2 and
remove them with
sudo pacman -Rns -- package-name(substitute the real package name; the--stops flag parsing). Delete theatomic-lockfile/js-digestnode_modules and Bun caches the build pulled. If you intend to reinstall a package later, rebuild from a known-clean upstream PKGBUILD you have reviewed, not from the AUR copy that was live during the window. - Block the exfil path at the network edge. Reporting indicates the C2 ran over Tor, so blocking outbound Tor at your router or firewall (and watching for connections to Tor guard nodes in egress logs) is a reasonable network-side containment while you remediate hosts. This does not clean an infected machine; it limits ongoing exfiltration.
- Reinstall from scratch where the rootkit is confirmed or the host's role warrants it. An eBPF rootkit with process/file/inode hiding can survive ordinary package removal and signature scans. For any host that held real credentials, build/CI duties, or sensitive data, the defensible move is wipe and reinstall from trusted media, then restore data (not binaries) from a backup that predates June 11. Re-enroll rotated credentials only after the rebuild.
-
Pause AUR updates until the all-clear, and re-examine
your AUR hygiene. Until the aur-general thread reports
the cleanup complete, stick to official-repo updates
(
pacman -Syu) and hold off on AUR rebuilds. When you resume, enable your AUR helper's diff review (yay--editmenu/--diffmenu, paru's review prompt) so PKGBUILD and.installchanges are shown before they run, and be wary of packages whose maintainer or upstream changed recently. This campaign worked precisely because adopted-orphan PKGBUILD edits run unreviewed by default. -
Document the timeline. Record which hosts
installed which packages when, what was rotated, and what was
reimaged. As of June 12, 2026 the community list and the
named-package set were still being updated, and a later
js-digestwave was reported, so re-check the primary sources as more package names surface.
There is no CVE and no single vendor advisory; the authoritative
record is the aur-general mailing list thread plus community IOC
tracking, which is still being updated. The exact final count of
compromised packages (reported between 400 and 408+), the
complete package list, and the full set of exfiltration
endpoints are not finalized. The two file hashes here are from
secondary reporting and should be verified against your own
samples. No actor attribution is asserted. The relationship
between the atomic-lockfile wave and the later
Bun/js-digest wave (and any link to separately
reported "atomic-notes" / IronWorm npm activity) is not
confirmed. This guide will read stale quickly; check the primary
sources for the current package list before acting on the
snapshot here.
The broader pattern
This is the same supply-chain quarter the Bulletin has been tracking, but it moves the attack one rung closer to the developer's own machine. The npm / PyPI campaigns (TrapDoor, PyTorch Lightning, Bitwarden CLI, xinference) poisoned language-registry distribution. The DAEMON Tools compromise poisoned vendor-direct binary distribution. Atomic Arch poisons a community OS package repository with no pre-publication review, using account adoption rather than a stolen key. The defenses are correspondingly different: lockfile pinning and registry malware scanning do not help here, and neither does Authenticode-style publisher trust, because the AUR has no signing of user PKGBUILDs at all.
The escalation worth noting is the payload itself. Most of the
2026 registry campaigns shipped JavaScript or Python
credential-stealers that ran as the user. This one ships a native
eBPF rootkit and gets root for free because AUR install hooks run
inside pacman. "It ran as my user, I cleaned the
package, I'm fine" was a defensible read for the earlier
incidents. It is not a defensible read for a kernel-resident
rootkit on a machine that ran the hook as root. When the implant
operates below the tools you would use to find it, the honest
posture for a confirmed hit is rebuild, not scrub.
If any Arch or Arch-derived machine installed or rebuilt an AUR
package in the June 11 to 12, 2026 window: cross-reference your
pacman -Qm set against the affected list, check
bpftool map list for hidden_pids /
hidden_names / hidden_inodes, rotate
every credential the host could reach (GitHub, SSH, Vault,
cloud, browser, chat sessions, wallets) from a clean machine,
remove the affected packages, block outbound Tor at the edge,
and reinstall from scratch if the rootkit is confirmed or the
host's role warrants it. Official Arch repositories are not
affected; the AUR is. A clean ps / ls
is not proof of cleanliness when an eBPF rootkit is in play.