How I Hunted the Atomic Arch AUR Stealer on My Own Box

TL;DR On 11 June 2026, attackers hijacked more than 400 Arch User Repository (AUR) packages and rewrote their build scripts to pull a malicious npm package that executed a Rust credential stealer — analyst-named deps — during the build. Sonatype calls the campaign Atomic Arch. Independent researcher Whanos reverse-engineered the payload, and that analysis is the source for most of the indicators here. I run Arch with a Wazuh agent, so I built a hunt around the IOCs and ran it against my own machine. The host came back clean. The interesting part isn’t the verdict — it’s that two checks looked like findings and weren’t: a PID-listing diff that screamed “hidden process,” and a loopback listener on a random high port that had exactly the shape of the malware’s local proxy. Both were artifacts of how the checks work, not evidence. This post is the hunt, why each check is trustworthy or not, the two head-fakes, and how to wire durable detections into Wazuh so the next variant trips an alert on its own. ...

June 15, 2026 · Meistsec