Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies

Confirmed
Discovered Jun 12, 2026

Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload.

3
Affected Packages
5
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
atomic-lockfile, js-digest, lockfile-js
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
npm install atomic-lockfile
PKGBUILD
atomic-lockfile
bun install
package[.]json

Analysis

Executive Summary

Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload. [1]

Sonatype reports modified AUR PKGBUILDs invoking npm to install atomic-lockfile, with later js-digest and lockfile-js activity. Its update says early reporting may put affected AUR packages around 1,500, but the investigation and count remain fluid. The Arch Linux mailing-list thread and aur-malware-check repository provide ecosystem response and a static checking aid. [1]

Key Facts

Analysis table
FactValue
Affected Artifactatomic-lockfile, js-digest, lockfile-js
Ecosystemaur, npm
Malicious VersionsPublic source inventory is dynamic or exact versions were not reproduced here
Exposure WindowOngoing as of 2026-06-12
Immediate ActionPreserve evidence, isolate systems where execution occurred, and rotate exposed secrets from a clean host

Evidence Assessment

Analysis table
AssessmentClaimEvidence
Confirmed by reportingmodified PKGBUILD installs an npm dependency; npm preinstall executes a bundled native Linux executableSource 1
Confirmed by reportingmodified AUR build instructions; npm preinstall execution; native Linux payload with eBPF/libbpf referencesSource 1
UnclearComplete victim count, exact exposure per organization, and exhaustive version listNot established by the supplied sources

Impact Determination

Analysis table
Exposure ClassificationCriteriaRequired EvidenceRequired ActionClosure Gate
Confirmed compromisePayload execution or matching malicious artifact/process/network evidenceHost timeline, dependency metadata, process and network logsIsolate, preserve, rebuild, rotate exposed credentialsKnown-good rebuild plus negative hunts and downstream identity audit
Exposure onlyAffected selector present but no execution evidenceLockfile/repository history and installation logsQuarantine artifact and investigateDocumented non-execution determination

Minimum Evidence To Collect

  • Dependency and repository records: collect lockfiles, package caches, Git history, release metadata, and CI logs to establish whether an affected selector reached the environment.
  • Endpoint evidence: collect process trees, shell history, EDR telemetry, persistence records, and network logs to distinguish dependency presence from payload execution.
  • Identity evidence: collect repository, registry, cloud, and secret-access audit logs because developer execution can expose tokens available to the process.

Timeline

  • 2026-06-12 UTC: Supplied research was published or updated; exact malicious publication times remain in the source's evolving inventory. [1]

What Happened

Sonatype reports modified AUR PKGBUILDs invoking npm to install atomic-lockfile, with later js-digest and lockfile-js activity. Its update says early reporting may put affected AUR packages around 1,500, but the investigation and count remain fluid. The Arch Linux mailing-list thread and aur-malware-check repository provide ecosystem response and a static checking aid. [1]

Initial Access

Sonatype reports modified AUR PKGBUILDs invoking npm to install atomic-lockfile, with later js-digest and lockfile-js activity. Its update says early reporting may put affected AUR packages around 1,500, but the investigation and count remain fluid. The Arch Linux mailing-list thread and aur-malware-check repository provide ecosystem response and a static checking aid. [1]

Execution Trigger

Modified pkgbuild installs an npm dependency; npm preinstall executes a bundled native linux executable. [1]

Payload Behavior

Reported behaviors include modified AUR build instructions; npm preinstall execution; native Linux payload with eBPF/libbpf references. [1]

Credential or Data Collection

Treat credentials accessible to an executed developer process as potentially exposed. This is a response assumption, not proof that every listed credential was collected.

Defense Evasion

The supplied reporting describes techniques intended to hide malicious changes or execution in trusted developer workflows. [1]

Exfiltration and Command and Control

Use the machine-readable profile only for sourced infrastructure. Absence of an IOC here does not establish absence of network activity.

Affected Assets and Blast Radius

Prioritize developer workstations, CI runners, repositories, package caches, and credentials present during execution. Presence alone is exposure; execution evidence raises the case to confirmed compromise.

Indicators of Compromise

See iocs.json; prose intentionally avoids presenting source/advisory URLs as attacker IOCs.

Detection and Hunting

Run scripts/hunt_atomic_arch_aur_compromise.py PATH. It recursively scans exported text, JSON, CSV, lockfiles, and logs for the incident-specific selectors embedded in the script. A match is a triage lead, not proof. False positives include documentation or threat-intelligence records. Escalate matches by preserving the file and correlating timestamps with process/network telemetry.

Downstream Abuse Audits

If execution is confirmed, audit repository token use, package publication, CI workflow changes, cloud sessions, and newly created credentials from the first possible exposure time. Rotate secrets from a clean host.

Remediation and Recovery Gates

  1. Preserve dependency, repository, endpoint, and identity evidence before cleanup.
  2. Stop package installation and isolate systems with execution evidence.
  3. Revoke active sessions and rotate process-accessible credentials from a clean machine.
  4. Remove malicious artifacts, inspect persistence, and rebuild confirmed-compromised systems.
  5. Restore only verified releases and lockfiles; require review of developer-task configuration and repository history.
  6. Audit downstream repository, registry, CI, and cloud activity.
  7. Close only after negative hunts, verified rebuilds, completed credential decisions, and a documented UTC incident timeline.

Open Questions

  • Which exact versions and release timestamps intersect the organization's dependency history?
  • Did the payload execute, and which credentials were present?
  • Are additional artifacts still being added to the source's live inventory?

Timeline

3 of 3 rows

Timeline
DateEventDescriptionSource
Jun 12, 2026DiscoveryDiscovery recorded for Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies.Sonatype
Jun 12, 2026DisclosureDisclosure recorded for Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies.Sonatype
Jun 12, 2026Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm DependenciesUnknownSonatype

Affected Software

3 of 3 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
atomic-lockfileaurunknownMalicious90%Sonatype; lists.archlinux.org; GitHub
js-digestaurunknownMalicious90%Sonatype; lists.archlinux.org; GitHub
lockfile-jsaurunknownMalicious90%Sonatype; lists.archlinux.org; GitHub

IOC Clipboard

5 IOCs
commandnpm install atomic-lockfile
file_pathPKGBUILD
commandatomic-lockfile
commandbun install
file_pathpackage.json

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies evidence scopePythonDo exported repository, dependency, endpoint, or network records contain incident selectors?scripts/hunt_atomic_arch_aur_compromise.py opens in a new tabSonatype

Hunt Manifest: Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies evidence scope

Title
Atomic Arch Hijacks Orphaned AUR Packages to Install Malicious npm Dependencies evidence scope
Question
Do exported repository, dependency, endpoint, or network records contain incident selectors?
Telemetry Family
Python
Repository
scripts/hunt_atomic_arch_aur_compromise.py
Show tested hunting scriptscripts/hunt_atomic_arch_aur_compromise.py
scripts/hunt_atomic_arch_aur_compromise.py opens in a new tabPython
#!/usr/bin/env python3
"""Static scanner for atomic-arch-aur-compromise; never executes artifacts."""
import pathlib,sys,json
SELECTORS=['PKGBUILD', 'atomic-lockfile', 'atomic-lockfile unknown', 'bun install', 'js-digest', 'js-digest unknown', 'lockfile-js', 'lockfile-js unknown', 'npm install atomic-lockfile', 'package.json']
def scan(root):
 out=[]
 for p in pathlib.Path(root).rglob('*'):
  if not p.is_file(): continue
  try: text=p.read_text(errors='ignore').lower()
  except OSError: continue
  hits=[s for s in SELECTORS if s.lower() in text]
  if hits: out.append({'path':str(p),'selectors':hits})
 return out
if __name__=='__main__':
 if len(sys.argv)!=2: raise SystemExit('usage: hunt_atomic_arch_aur_compromise.py PATH')
 hits=scan(sys.argv[1]); print(json.dumps(hits,indent=2)); raise SystemExit(2 if hits else 0)

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
SonatypeSecurity Researcher95%1Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload.
lists.archlinux.orgSecurity Researcher95%1Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload.
GitHubSecurity Researcher95%1Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload.