SBN

Atomic Arch npm Campaign Adds Malicious Dependency

TL;DR

  • Sonatype researchers uncovered Atomic Arch, a new campaign targeting orphaned packages in the Arch User Repository (AUR), in which attackers take over legitimate but abandoned AUR projects and modify their PKGBUILDs to pull in a malicious npm package when the package is built and installed.

  • This is especially concerning because the trusted package itself may not look obviously malicious. The attack hides behind build instructions, downstream dependencies, and existing developer trust.

  • Analysis of atomic-lockfile, the malicious dependency, found a bundled Linux payload with functionality tied to credential harvesting, stealth, anti-debugging, and potential data exfiltration.

  • The bigger lesson: attackers no longer need to create trust from scratch. Sometimes they can inherit it.

Sonatype researchers have identified a malicious package campaign, dubbed Atomic Arch, that targets orphaned packages in the Arch User Repository (AUR).
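Because the malicious behaviour lives in the PKGBUILD's build()/package() functions rather than in the upstream source, a practical check before building an AUR package is to scan those functions for npm registry fetches by name. The script below is an added example written for this page, not Sonatype's tooling or anything from the AUR; the PKGBUILD it scans is constructed (the package name example-tool and its URL are made up, and only the dependency name atomic-lockfile comes from the post).

```python
"""Scan a PKGBUILD for npm registry fetches hidden in its shell functions.

Added example, not Sonatype's tooling. The PKGBUILD below is constructed:
'example-tool' and its URL are made up; 'atomic-lockfile' is the dependency
name the post reports.
"""
import re
import shlex

SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
depends=('nodejs' 'npm')
source=("git+https://example.invalid/example-tool.git")

build() {
  cd "$srcdir/example-tool"
  npm install --no-audit
  npm install atomic-lockfile@latest
}

package() {
  cd "$srcdir/example-tool"
  npm install -g --prefix "$pkgdir/usr" .
}
"""

FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{\s*$")   # matches 'build() {' style headers
SEPARATORS = {"&&", "||", ";", "|", "&"}
INSTALL_VERBS = {"install", "i", "add"}
OPTS_WITH_ARG = {"--prefix", "--registry", "--loglevel", "--cache", "--userconfig"}


def pkgbuild_functions(text):
    """Map each shell function in a PKGBUILD to its body lines (up to a bare '}')."""
    funcs, current = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            funcs[current] = []
        elif current and line.rstrip() == "}":
            current = None
        elif current:
            funcs[current].append(line)
    return funcs


def commands_in(line):
    """Split one shell line into argv lists, breaking on &&, ||, ;, |, &."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:            # unbalanced quotes: treat the line as opaque
        return []
    cmds, cur = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if cur:
                cmds.append(cur)
            cur = []
        elif tok.endswith(";"):   # 'foo;' written without surrounding spaces
            cur.append(tok[:-1])
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def strip_spec(tok):
    """'atomic-lockfile@latest' -> 'atomic-lockfile'; '@org/pkg@1.0' -> '@org/pkg'."""
    if tok.startswith("@"):
        scope, _, rest = tok[1:].partition("/")
        return "@" + scope + "/" + rest.split("@", 1)[0]
    return tok.split("@", 1)[0]


def registry_targets(argv):
    """Package names an npm/npx command would fetch from the registry by name.

    'npm install' with no names resolves the project's own package.json and is
    not reported; local paths ('.', './x', "$dir", file:) are skipped as well.
    """
    if not argv:
        return []
    if argv[0] == "npx":      # npx runs a package, fetching it if absent
        return [strip_spec(t) for t in argv[1:] if not t.startswith("-")][:1]
    if argv[0] != "npm" or len(argv) < 2 or argv[1] not in INSTALL_VERBS:
        return []
    targets, skip = [], False
    for tok in argv[2:]:
        if skip:
            skip = False
        elif tok in OPTS_WITH_ARG:
            skip = True           # the next token is this option's value
        elif tok.startswith("-"):
            pass
        elif tok in (".", "..") or tok.startswith(("./", "../", "/", "$", "~", "file:")):
            pass
        else:
            targets.append(strip_spec(tok))
    return targets


def audit_pkgbuild(text):
    """Return (function, package) pairs for every named registry fetch in the PKGBUILD."""
    findings = []
    for name, body in pkgbuild_functions(text).items():
        for line in body:
            for argv in commands_in(line):
                for pkg in registry_targets(argv):
                    findings.append((name, pkg))
    return findings


if __name__ == "__main__":
    for fn, pkg in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"{fn}(): fetches '{pkg}' from the npm registry by name; review before building")
```

The heuristic deliberately reports any package named on the command line inside a PKGBUILD function, since a legitimate Node project is normally installed from its own package.json and lockfile; an extra `npm install <name>` in build() is exactly the edit an attacker who inherits an orphaned package would make. It does not resolve package.json itself, does not cover yarn or pnpm, and only recognises the `name() {` function style, so treat a clean result as a first pass rather than a verdict.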


*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency