Decided to create a thread for tracking and sharing the news and opinions on the new Malicious Atomic Arch NPM Campaign, in which more than 1600 Arch Linux AUR packages were hijacked to deploy an infostealer and an eBPF rootkit.

Find the infected packages: https://md.archlinux.org/s/SxbqukK6IA

Most popular packages on the affected list

Package             Popularity   Affected                 Reverted
libgdata            16.98%       2026-06-11 14:59+00:00   2026-06-11 17:30+00:00
python-future        5.38%       2026-06-11 15:58+00:00   2026-06-11 16:54+00:00
gdl                  3.36%       2026-06-11 13:35+00:00   2026-06-11 17:32+00:00
libquvi-scripts      2.31%       2026-06-11 15:05+00:00   2026-06-11 17:33+00:00
libquvi              2.22%       2026-06-11 15:04+00:00   2026-06-11 17:33+00:00
gtkimageview         2.19%       2026-06-11 13:44+00:00   2026-06-11 17:33+00:00
python2-pyparsing    2.02%       2026-06-11 14:23+00:00   2026-06-11 17:40+00:00
python2-appdirs      1.96%       2026-06-11 14:22+00:00   2026-06-11 17:26+00:00
compiler-rt19        1.95%       2026-06-11 14:23+00:00   2026-06-11 17:30+00:00
python2-packaging    1.90%       2026-06-11 14:21+00:00   2026-06-11 17:38+00:00
wine-nine            1.86%       2026-06-11 15:48+00:00   2026-06-11 21:36+00:00
clang19              1.86%       2026-06-11 15:36+00:00   2026-06-11 21:24+00:00
clang15              1.76%       2026-06-12 12:34+00:00   2026-06-12 12:54+00:00
mono-addins          1.69%       2026-06-11 15:33+00:00   2026-06-11 21:34+00:00
python2-chardet      1.68%       2026-06-12 12:42+00:00   2026-06-12 14:48+00:00
python-monotonic     1.55%       2026-06-11 15:43+00:00   2026-06-11 21:37+00:00
python2-cffi         1.47%       2026-06-12 12:44+00:00   2026-06-12 15:10+00:00
alvr                 1.26%       2026-06-11 13:54+00:00   2026-06-11 16:50+00:00
python2-gobject      1.23%       2026-06-12 12:44+00:00   2026-06-12 14:47+00:00
vidcutter            1.03%       2026-06-11 13:24+00:00   2026-06-11 17:43+00:00

Learn more about the attack: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency.
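As an added example (not part of this thread or of any project's code), here is a small Python check that compares install/upgrade entries from pacman.log against the affected/reverted windows in the table above; the log lines are constructed, the window table is a subset copied from the post, and install time is used only as a proxy for when the PKGBUILD was fetched.

```python
import re
from datetime import datetime

# Affected/reverted windows copied from the table in this thread (a subset).
# A package fetched from the AUR between these two timestamps may carry the payload.
WINDOWS = {
    "libgdata":      ("2026-06-11 14:59+00:00", "2026-06-11 17:30+00:00"),
    "python-future": ("2026-06-11 15:58+00:00", "2026-06-11 16:54+00:00"),
    "clang15":       ("2026-06-12 12:34+00:00", "2026-06-12 12:54+00:00"),
}

# pacman.log records one [ALPM] line per install/upgrade, e.g.
# "[2026-06-11T15:10:02+0000] [ALPM] upgraded libgdata (0.18.1-1 -> 0.18.1-2)"
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] (?P<op>installed|upgraded|reinstalled) (?P<pkg>\S+) "
)

# Constructed sample log lines; a real run would read /var/log/pacman.log.
SAMPLE_LOG = """\
[2026-06-11T15:10:02+0000] [ALPM] upgraded libgdata (0.18.1-1 -> 0.18.1-2)
[2026-06-11T15:10:03+0000] [ALPM] upgraded vim (9.1.0-1 -> 9.1.1-1)
[2026-06-11T17:20:44+0000] [ALPM] upgraded python-future (1.0.0-1 -> 1.0.0-2)
[2026-06-12T12:40:10+0000] [ALPM] installed clang15 (15.0.7-3)
[2026-06-12T12:41:00+0000] [PACMAN] Running 'pacman -S foo'
[2026-06-12T12:41:05+0000] [ALPM] removed libquvi (0.9.4-5)
""".splitlines()

def _window(start, end):
    fmt = "%Y-%m-%d %H:%M%z"          # the table's "YYYY-MM-DD HH:MM+00:00" form
    return datetime.strptime(start, fmt), datetime.strptime(end, fmt)

def find_exposed(log_lines, windows=WINDOWS):
    """Return (package, operation, timestamp) for every install/upgrade of an
    affected package whose log time falls inside its affected..reverted window.
    Install time only approximates when the PKGBUILD was fetched, so treat hits
    as candidates for a rebuild from a clean revision, not as proof of infection."""
    spans = {pkg: _window(*w) for pkg, w in windows.items()}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["pkg"] not in spans:
            continue                      # other operations or unaffected packages
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        start, end = spans[m["pkg"]]
        if start <= ts <= end:
            hits.append((m["pkg"], m["op"], ts.isoformat()))
    return hits

if __name__ == "__main__":
    for pkg, op, ts in find_exposed(SAMPLE_LOG):
        print(f"{pkg}: {op} at {ts} falls inside the affected window")
```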

  • Tetsuo@jlai.lu · 5 hours ago

    They could also put a checking tool into CachyOS Hello, which is shipped and pops up by default.

    What would this “checking tool” look like? What would it check?

    I personally deactivated the opening of CachyOS Hello a long time ago. Why would I need that popup once I have set up everything?

    And I’ve definitely gotten “urgent” text notifications that all-but-required manual action through pacman.

    Pacman has no idea if it is installing something malicious. It notifies you only on functional actions that are required.

    Basically, none of the suggestions you make would have prevented the AUR attack from working. Nor a future one?

    The only thing I would maybe agree with is some notification system that lets the CachyOS maintainers send an urgent message, but that would mean they would have to sign that message in some way. If that signature verification ever fails, someone could send malicious notifications to all CachyOS users, and that would create another threat.

    And even then, if the malicious package is noticed after a few days and you already installed/updated it, it’s too late. You could receive a notification giving guidelines to clean up, but that’s too late. The infection could disable these notifications or worse.

    And if you have an emergency notification system, is it a “pull” or “push” notification? Is it your computer that checks if there is a notification? How long between pulls? If it’s a push, then the notification server basically has a full list of CachyOS IPs, which would suck too.

    Sorry if I look nitpicky but I just want to illustrate that this is a very very complex problem to solve while respecting user privacy and “sovereignty” over their system. Supply chain attacks are extremely difficult to defend against and open source projects have increasingly numerous dependencies…