supplychainattack.org · Supply chain attack incident catalog
contained · high

400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security

On June 11, 2026, attackers hijacked over 400 packages in the Arch User Repository (AUR), converting them into a malware delivery network. The "Atomic Arch" campaign represents a large-scale compromise of developer or package maintainer accounts within the Arch Linux ecosystem.

Disclosed: June 11, 2026
Last updated: June 13, 2026
Blast radius: 400+ AUR packages; limited to Arch Linux systems
Affected entities
  • Arch User Repository (AUR): 400+ community packages hijacked

On June 11, 2026, security researchers and the Arch Linux community disclosed a large-scale supply-chain attack targeting the Arch User Repository (AUR). Attackers successfully hijacked more than 400 community-maintained packages and repurposed them as a malware distribution channel.

The campaign, referred to as "Atomic Arch," demonstrates how modern attackers exploit trust relationships within open-source ecosystems. The attack likely involved the compromise of developer or package maintainer accounts, allowing unauthorized modification and distribution of malicious code through legitimate package channels.

While the immediate impact is confined to Arch Linux systems, the incident underscores systemic vulnerabilities in community-driven package repositories where maintainer account security and package integrity verification may be insufficient to prevent large-scale takeovers.

Remediation

  • Audit AUR account credentials and enable multi-factor authentication for all package maintainers
  • Review and revoke compromised package versions; restore from known-good sources
  • Implement mandatory code review and signing requirements for package updates
  • Monitor Arch Linux systems for indicators of compromise from malicious package installations
  • Conduct forensic analysis to determine attack vector and scope of account compromise

Sources

  1. 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security · StepSecurity

Cite this entry

"400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 11, 2026; last updated June 13, 2026. https://supplychainattack.org/incident/400-aur-packages-hijacked-what-the-atomic-arch-campaign-means-for-supply-chain-s-ar2fhv


  1. active · critical

    The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

    TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.

    TeamPCP · npm · Other · Account takeover · Compromised package · Malicious maintainer
  2. contained · critical

    Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

    On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.

    Other · Account takeover · Malicious commit
  3. active · critical

    Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem

    A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.

    Mini Shai Hulud · npm · Other · Compromised package · Account takeover
  4. active · critical

    Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope

    The Shai-Hulud worm has hijacked intercom-client@7.0.4 (361,510 weekly downloads) via a compromised GitHub Actions OIDC publishing pipeline, 29 hours after compromising mbt@1.2.48 and @cap-js/sqlite@2.2.2. The worm is actively propagating through CI/CD infrastructure stolen from earlier victims, targeting multi-cloud credentials (AWS, GCP, Azure).

    Shai-Hulud · npm · Other · Compromised package · Build-system compromise · Account takeover