{
  "title": "Atomic Arch: AUR Package Takeover Delivers Infostealers and eBPF Rootkits",
  "summary": "Attackers adopted orphaned Arch User Repository (AUR) packages using forged commit signatures to inject npm and bun dependency executions. The rogue packages 'atomic-lockfile' and 'js-digest' delivered a Rust credential stealer, systemd persistence, and an eBPF rootkit.",
  "date": "2026-06-12",
  "severity": "critical",
  "tags": [
    "aur",
    "arch",
    "npm",
    "bun",
    "ebpf",
    "rootkit",
    "credential-theft",
    "infostealer"
  ],
  "sources_count": 6,
  "indicators": {
    "slug": "atomic-arch-aur-compromise",
    "since": "2026-06-09T00:00:00Z",
    "until": "2026-06-13T00:00:00Z",
    "ecosystem": "aur, arch, npm, bun",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "atomic-lockfile",
      "js-digest"
    ],
    "versions": [
      "atomic-lockfile@1.4.2",
      "js-digest@1.0.0"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "/sys/fs/bpf/hidden_pids",
      "/sys/fs/bpf/hidden_names",
      "/sys/fs/bpf/hidden_inodes",
      "/usr/bin/monero-wallet-gui",
      "~/.npm/_cacache/",
      "~/.bun/install/cache/",
      "deps",
      "src/hooks/deps"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion",
      "temp.sh"
    ],
    "urls": [
      "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/linux",
      "olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion/bin/sha256/linux",
      "https://temp.sh/upload"
    ],
    "ips": [],
    "hashes": [
      "6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b",
      "7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316",
      "47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}