Research firm Sonatype has discovered a malicious campaign that targets Linux systems through an unusual vector: hackers are exploiting a weakness in the open-source package ownership transfer process to deliver malware.
The campaign, dubbed “Atomic Arch”, targets the Arch User Repository (AUR), a community-run platform where users maintain the build and installation files for software packages. When a maintainer walks away from a project, its package becomes orphaned.
Any other user can then request ownership and take over the abandoned package. Because it keeps its original name and trusted history, unsuspecting users download the malicious updates without suspecting any danger.
According to researchers, more than 20 AUR packages have already been compromised. Sonatype has shared the technical details of this ongoing software supply chain attack with Hackread.com.
Inside the Attack Chain
Sonatype engineer Eyad Hasan first flagged the issue, and subsequent investigation revealed that the threat actors do not alter the original application source code at all. Instead, they rewrite the build instructions in the package's PKGBUILD configuration file.
When a user installs or updates the software, a modified post-install script automatically runs the command npm install atomic-lockfile minimist chalk.
This pulls a malicious dependency called atomic-lockfile, the primary malware package used in this attack, from the public npm registry. Researchers noted that the hijacked AUR package itself looks perfectly clean.
That is why standard signature-based security tools fail to flag the threat. Sonatype Research Labs is tracking the atomic-lockfile dependency under the reference Sonatype-2026-003775 and has assigned it a high-severity CVSS score of 8.7.
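A simple defensive check that the attack chain above suggests, added here as an example and not part of Sonatype's or Hackread's material: a Python audit that scans a PKGBUILD or .install file for install-time hook functions that pull code from a package registry or the web, and separately flags the atomic-lockfile name. The hook contents below are constructed for illustration, not taken from a real AUR package.

```python
import re
# Hook functions pacman/makepkg run at install time (in the .install file or the
# PKGBUILD). Sources belong in source=(), so a fetch inside a hook is a red flag.
HOOK_FUNCS = {"pre_install", "post_install", "pre_upgrade", "post_upgrade",
              "pre_remove", "post_remove", "prepare", "build", "package"}
FETCH_RE = re.compile(r"\b(npm|pnpm|yarn|pip3?|gem|cargo)\s+(install|add)\b|\b(curl|wget)\b")
KNOWN_BAD = {"atomic-lockfile"}  # dependency named in the Sonatype findings above

def hook_bodies(text):
    """Yield (name, body_lines) per 'name() {' block; assumes '}' alone on its line."""
    name, body = None, []
    for line in text.splitlines():
        start = re.match(r"^(\w+)\s*\(\)\s*\{", line)
        if name is None and start:
            name, body = start.group(1), []
        elif name and line.rstrip() == "}":
            yield name, body
            name, body = None, []
        elif name:
            body.append(line)

def audit(text):
    """Return (function, reason, command) triples for suspicious hook commands."""
    findings = []
    for func, body in hook_bodies(text):
        if func not in HOOK_FUNCS:
            continue
        for line in body:
            cmd = line.strip()
            if not cmd or cmd.startswith("#"):
                continue  # skip blank lines and comments
            if FETCH_RE.search(cmd):
                findings.append((func, "network fetch at install time", cmd))
            if any(bad in cmd for bad in KNOWN_BAD):
                findings.append((func, "known malicious dependency", cmd))
    return findings

# Constructed sample mirroring the pattern described above; not a real AUR package.
SUSPECT_INSTALL = """\
post_install() {
    npm install atomic-lockfile minimist chalk
}
"""
# Constructed benign hook for comparison.
BENIGN_INSTALL = """\
post_install() {
    update-desktop-database -q
}
"""
```

Running audit() over every .install and PKGBUILD in a local AUR checkout before building is the point; a clean result does not prove a package safe, but any hit deserves a manual look.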
Advanced Stealth Techniques
Sonatype researcher Adam Reynolds analysed the atomic-lockfile package and found a bundled native Linux binary. Launched by the preinstall script declared in the package's package.json file, this binary deploys a second-stage payload built on eBPF, a Linux kernel technology.
Further probing revealed that the malware loads a code file named scales.bpf.c to gain rootkit-like capabilities. By tampering with the system calls that list directory contents, it hides its files and processes from the user. It also monitors the system for debuggers and blocks security tools from analysing it.
The payload then focuses on credential theft. It looks for GitHub keys, SSH data, HashiCorp Vault tokens, browser cookies, and saved data from a wide range of communication tools such as Slack, Discord, Microsoft Teams, and Telegram. The stolen data is then sent directly to the attacker using built-in web upload tools.
While these methods closely resemble an older campaign called IronWorm, Sonatype has not officially attributed Atomic Arch to a specific hacker group yet. Experts warn that simply deleting the main package will not clean a computer once this deep system payload has started running.