Arch Linux on Monday announced that it has suspended new account registrations on the Arch User Repository (AUR) in response to a wave of malicious packages being published as part of an ongoing supply chain attack.

A community-driven repository, AUR enables Arch Linux users to share build scripts (PKGBUILDs) for software not in the official repositories, which can be cloned to build native packages locally.

The supply chain campaign, tracked by the cybersecurity community as Atomic Arch, started last week, with more than 1,500 malicious packages published by June 11.

“We are actively working to track down existing malicious commits and attempting to prevent additional malicious commits from being pushed,” Arch Linux said on Friday. On Monday, Arch Linux suspended AUR signups for cleanup purposes.

According to Sonatype, the campaign started with abandoned packages in AUR, which were modified to execute a malicious NPM package during installation. By June 12, the attackers switched to Bun-based installation paths and also started pushing new malicious packages.
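One way to check a cloned AUR package for the pattern Sonatype describes before building it, shown as an added example rather than code from Arch Linux or Sonatype: the heuristic below flags npm and Bun invocations in a PKGBUILD or `.install` scriptlet and ranks them by where they run. The sample package, its file names and `placeholder-pkg` are constructed, and including `npx` and `bunx` alongside the two runners the report names is an assumption.

```python
import re

# Heuristic: a JS package runner in command position. Assumption: the page names
# only npm and Bun; npx and bunx are added as their companion runners.
RUNNER = re.compile(r"(?:^|[;&|{]|\$\(|\bsudo\s+)\s*(npm|npx|bun|bunx)\s+([^\s;]+)")
FUNC_START = re.compile(r"^(?:function\s+)?([A-Za-z_][\w-]*)\s*\(\)\s*\{?")
# pacman .install scriptlet hooks; pacman runs these as root.
ROOT_HOOKS = {"pre_install", "post_install", "pre_upgrade",
              "post_upgrade", "pre_remove", "post_remove"}

def audit(text):
    """Return (line_no, scope, severity, command) for each runner call found."""
    findings, scope = [], "top-level"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # skip whole-line comments
        m = FUNC_START.match(line)
        if m:
            scope = m.group(1)
        hit = RUNNER.search(line)
        if hit:
            # Top-level code runs as soon as makepkg sources the file, and
            # scriptlet hooks run as root, so both rank above build()/package().
            sev = "high" if scope == "top-level" or scope in ROOT_HOOKS else "review"
            findings.append((n, scope, sev, f"{hit.group(1)} {hit.group(2)}"))
        if line == "}" or (m and line.endswith("}")):
            scope = "top-level"  # function body closed
    return findings

# Constructed samples, not taken from any real AUR package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
makedepends=(npm nodejs)
install=example-tool.install
build() {
  cd "$srcdir" && npm install --ignore-scripts
}
"""
SAMPLE_INSTALL = """\
post_install() {
  bun add placeholder-pkg
}
# npm install commented-out
post_upgrade() { npx placeholder-pkg; }
"""

if __name__ == "__main__":
    for name, text in (("PKGBUILD", SAMPLE_PKGBUILD), ("example-tool.install", SAMPLE_INSTALL)):
        for n, scope, sev, cmd in audit(text):
            print(f"{name}:{n}: [{sev}] {cmd!r} in {scope}")
```

A "review" hit is not proof of compromise, since Node-based software legitimately calls npm in `build()`; the value is in diffing hits against the package's previous revision, where a newly added runner call in an abandoned package stands out.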