Atomic Arch is a major AUR supply-chain attack (over 1.5K packages affected as of now) where attackers hijacked orphaned Arch packages and used malicious install hooks to pull npm payloads that executed a Linux ELF infostealer. It targeted developer secrets like SSH keys, GitHub/npm tokens, browser sessions, Docker/Vault credentials, and chat app data, while also using an eBPF rootkit to hide itself when run as root.
The use of eBPF hooks as a rootkit is particularly insidious because it leverages the kernel’s own tracing infrastructure to hide malicious processes, effectively bypassing standard process monitoring. This supply-chain compromise highlights the critical risk of relying on unverified third-party repositories, where a single malicious hook can persist across multiple package versions and silently exfiltrate sensitive credentials.
Update: seems like there’s a 2nd wave of attack…a bit more sophisticated than the initial wave…has begun. Code is more obfuscated