Archive: https://archive.today/oCLIT
From the post:
>TL;DR
On June 11, 2026, Sonatype researchers uncovered Atomic Arch, a new campaign targeting orphaned packages in the Arch User Repository in which attackers take over legitimate, abandoned AUR projects and modify PKGBUILDs to install a malicious npm package during installation.
Analysis of atomic-lockfile, the malicious dependency, found a bundled Linux payload with functionality tied to credential harvesting, stealth, anti-debugging, and potential data exfiltration.
On June 12, 2026, a second wave emerged, using Bun-based installation paths in some affected packages rather than npm alone. Researchers have now identified multiple packages associated with the campaign, including atomic-lockfile, js-digest, and lockfile-js.
Preliminary analysis suggests the campaign may now affect approximately 1,500 packages across multiple waves of activity.
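An added defensive check, not code from the post or from Sonatype: a small Python scanner that flags npm or Bun invocations inside PKGBUILD functions, run over a constructed sample PKGBUILD. The package names it matches by name are the three the post lists; treating them as the only names worth flagging is an assumption.

```python
import re

# Constructed sample PKGBUILD modelled on the pattern the post describes:
# an ordinary-looking build() that pulls a JavaScript package at install time.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")

build() {
  cd "$pkgname-$pkgver"
  npm install atomic-lockfile
  make
}

package() {
  cd "$pkgname-$pkgver"
  bunx lockfile-js
  make DESTDIR="$pkgdir" install
}
"""

# Package names reported in the post (assumption: these are the names to match).
KNOWN_BAD = {"atomic-lockfile", "js-digest", "lockfile-js"}

# JavaScript package-manager commands, covering both the npm and the Bun paths.
FETCH_CMD = re.compile(r"^\s*(?:npm|npx|bun|bunx)\b.*$", re.M)


def scan_pkgbuild(text: str) -> list[dict]:
    """Return one finding per npm/Bun invocation found inside a PKGBUILD function."""
    findings = []
    # A shell function: name() { ... } whose body ends at a line holding only '}'.
    for m in re.finditer(r"^(\w+)\s*\(\)\s*\{\n(.*?)^\}", text, re.M | re.S):
        func, body = m.group(1), m.group(2)
        for line in FETCH_CMD.findall(body):
            tokens = line.split()
            findings.append({
                "function": func,
                "command": line.strip(),
                "known_bad": sorted(KNOWN_BAD.intersection(tokens)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_pkgbuild(SAMPLE_PKGBUILD):
        print(f"{f['function']}(): {f['command']}  known_bad={f['known_bad']}")
```

Any hit deserves a manual read of the PKGBUILD before building, since a legitimate package almost never needs to fetch JavaScript dependencies during build() or package().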