Article 769WV “Atomic Arch”: Nearly 900 AUR Packages Backdoored with an Infostealer and eBPF Rootkit

by hubie from SoylentNews on (#769WV)

An Anonymous Coward writes:

"Atomic Arch": Nearly 900 AUR Packages Backdoored with a Developer-Targeting Infostealer and eBPF Rootkit

On June 11, someone going by the username arojas spent what was probably a quiet afternoon methodically adopting orphaned Arch User Repository packages and injecting them with malware. By the time the community caught on, 408 packages were already compromised. By the time this piece was being written, that number had crossed 900 and is still climbing.

Sonatype researchers have named the campaign Atomic Arch. It's one of the largest AUR supply chain incidents on record, and the technical sophistication of the payload puts it well beyond your average package repository drive-by.

To understand how this happened, you need to know one specific thing about how the AUR works: anyone can adopt an orphaned package. When a maintainer abandons a project, the package gets marked unmaintained and becomes fair game. Any AUR account can submit a change to the PKGBUILD and associated install scripts. There's no review gating, no vouching system, no delay period.

Sonatype researchers specifically characterized the Atomic Arch campaign as a deliberate strategy of targeting orphaned, trusted packages with existing install bases and maximizing victim reach while minimizing scrutiny.

The attacker automated the hunt. That's not speculation - automating orphaned package discovery is already a known practice in the AUR community, used legitimately by maintainers who want to rescue useful packages. Whoever ran this operation turned that same automation malicious. Additional attacker accounts custodiatovar and veramagalhaes were later identified as having taken over further orphaned packages, which means this wasn't just one person, it was a coordinated multi-account operation.
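The adoption mechanism described above (no review gating, any account can take over an orphaned package) means the defender's only early signal is metadata: who currently maintains a package and when its PKGBUILD last changed. The following audit is an added example, not code from the story or from Sonatype; it parses a constructed response shaped like the AUR RPC v5 "info" endpoint and flags packages that are orphaned, maintained by an account named in the article, or modified after a cutoff date. Package names and timestamps in the sample are invented.

```python
"""Flag AUR packages worth a manual PKGBUILD review (added example)."""
import json
from datetime import datetime

# Accounts the article names as having adopted orphaned packages.
KNOWN_BAD_MAINTAINERS = {"arojas", "custodiatovar", "veramagalhaes"}

# Constructed sample in the shape of an AUR RPC v5 info response; every
# package name, maintainer and LastModified value here is invented.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 4,
    "results": [
        {"Name": "example-tool", "PackageBase": "example-tool",
         "Maintainer": "arojas", "LastModified": 1749643200},       # 2025-06-11 12:00 UTC
        {"Name": "old-util", "PackageBase": "old-util",
         "Maintainer": "longtime-maintainer", "LastModified": 1700000000},
        {"Name": "fresh-lib", "PackageBase": "fresh-lib",
         "Maintainer": "someone-new", "LastModified": 1749900000},
        {"Name": "abandoned-app", "PackageBase": "abandoned-app",
         "Maintainer": None, "LastModified": 1600000000},            # orphaned
    ],
})


def audit_aur_info(rpc_json, modified_since, bad_maintainers=KNOWN_BAD_MAINTAINERS):
    """Return {pkgname: [reasons]} for packages that deserve a manual look.

    rpc_json: text of an AUR RPC v5 "info" response.
    modified_since: ISO-8601 timestamp with offset; PKGBUILDs modified at
    or after it are flagged so their diff is read before the next build.
    """
    cutoff = int(datetime.fromisoformat(modified_since).timestamp())
    findings = {}
    for pkg in json.loads(rpc_json).get("results", []):
        reasons = []
        maintainer = pkg.get("Maintainer")
        if maintainer is None:
            reasons.append("orphaned: anyone can adopt it")
        elif maintainer in bad_maintainers:
            reasons.append(f"maintainer {maintainer} is on the block list")
        if pkg.get("LastModified", 0) >= cutoff:
            reasons.append("PKGBUILD modified after cutoff; diff it before building")
        if reasons:
            findings[pkg["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in audit_aur_info(SAMPLE_RPC_RESPONSE, "2025-06-11T00:00:00+00:00").items():
        print(f"{name}: {'; '.join(why)}")
```

In practice the package list comes from `pacman -Qm` (foreign packages) and the JSON from the AUR RPC info endpoint; the sample is embedded so the check runs offline.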

Read more of this story at SoylentNews.
