Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware
https://hackread.com/atomic-arch-hijacks-linux-aur-packages-malware/
Publish Date: 2026-06-12 14:17:00
Source Domain: hackread.com
Research firm Sonatype has discovered a malicious campaign that targets Linux systems through an unusual route: the attackers abuse a weakness in the ownership-transfer process for open-source packages to deliver malware.
The campaign is dubbed “Atomic Arch” because it targets the Arch User Repository (AUR), a community-run repository where users maintain the build and installation scripts for software packages. When a maintainer abandons a package, it becomes an orphaned package.
Any other user can then request ownership and take over a legitimate but abandoned project. Because the package keeps its original name and trusted history, users who update it receive the malicious new version without suspecting any danger.
According to researchers, more than 20 AUR packages have already been compromised. Sonatype has shared the technical details of this ongoing software supply chain attack with Hackread.com.
Inside the Attack Chain
Sonatype engineer Eyad Hasan first flagged the issue, and the subsequent investigation revealed that the threat actors do not alter the original application source code at all. Instead, they rewrite the build instructions in the package's build script, the PKGBUILD.
When a user installs or updates the software, a modified post-install script automatically runs the command “npm install atomic-lockfile minimist chalk”.
This causes the system to fetch a malicious dependency called atomic-lockfile, the primary malware package used in this attack, from the public npm registry. Researchers noted that the hijacked AUR package itself looks perfectly clean.
That is why standard signature-based security tools fail to flag the threat. Sonatype Research Labs is tracking the atomic-lockfile dependency under the reference Sonatype-2026-003775 and has assigned it a high-severity CVSS score of 8.7.
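Because the hijacked package looks clean and only its install hook pulls code from npm, a practical defensive check is to review the hook functions in a PKGBUILD or .install file before building and flag any line that fetches or runs code from outside the package. The following script is an added example, not Sonatype's tooling or code from the article; the list of risky commands is an assumed heuristic, and the sample scripts are constructed to mirror the hook the article describes.

```python
import re
import sys

# Install hooks that pacman runs as root, plus the makepkg functions that
# build and package the software. Any of them can be abused to pull code.
HOOKS = {"pre_install", "post_install", "pre_upgrade", "post_upgrade",
         "pre_remove", "post_remove", "prepare", "build", "package"}

# Assumed heuristic: commands that fetch or execute code not shipped in the
# package itself. Tune this list for your own environment.
RISKY = re.compile(
    r"\b(npm|pip|pip3|gem|cargo)\s+install\b"
    r"|\b(curl|wget)\b"
    r"|base64\s+(-d|--decode)"
    r"|\|\s*(ba)?sh\b"
    r"|\beval\b"
)

def find_risky_hook_lines(script: str):
    """Return (hook_name, line_no, text) for risky lines inside hook functions."""
    findings, current, depth = [], None, 0
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop shell comments
        if current is None:
            m = re.match(r"\s*(\w+)\s*\(\)\s*\{?", line)
            if m and m.group(1) in HOOKS:             # entering a hook body
                current = m.group(1)
                depth = line.count("{") - line.count("}")
            continue
        depth += line.count("{") - line.count("}")
        if RISKY.search(line):
            findings.append((current, no, line.strip()))
        if depth <= 0:                                # hook body closed
            current = None
    return findings

# Constructed sample modelled on the modified post-install hook in the article.
SUSPICIOUS_INSTALL = """\
post_install() {
  echo "Setting up..."
  npm install atomic-lockfile minimist chalk
}
post_upgrade() {
  post_install
}
"""

# Constructed sample of a benign hook that touches only local files.
CLEAN_INSTALL = """\
post_install() {
  update-desktop-database -q
}
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    sources = [open(p).read() for p in paths] or [SUSPICIOUS_INSTALL, CLEAN_INSTALL]
    for src in sources:
        for hook, no, text in find_risky_hook_lines(src):
            print(f"{hook}:{no}: {text}")
```

Run it against a package's PKGBUILD and .install file before running makepkg; any hit is a line to read closely, not proof of compromise.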
Advanced Stealth Techniques
Sonatype researcher Adam Reynolds analysed the atomic-lockfile package and…