Attackers compromised over 400 packages in the Arch User Repository (AUR) and injected malicious code into their build scripts. The AUR is a community-maintained package collection for Arch Linux systems, separate from the official repository.
The injected malware is a Rust binary designed to steal credentials and developer secrets from infected systems. When executed with root privileges, the malware deploys an eBPF rootkit to hide its presence and maintain persistence on compromised machines.
eBPF (extended Berkeley Packet Filter) rootkits operate at the kernel level, making them difficult to detect through conventional security tools. This attack chain presents a dual threat. The infostealer phase harvests API keys, SSH credentials, authentication tokens, and other sensitive data from developer environments. The rootkit phase then conceals the malware's activity from system monitoring and security software.
The scale of this compromise is notable. With more than 400 packages affected, thousands of developers building from AUR sources could have downloaded and executed the malicious code. Developers who routinely run `makepkg` or similar AUR build tools on systems where they hold root access faced direct infection risk.
AUR's decentralized model creates unique trust challenges. Unlike official package repositories, AUR packages are user-maintained with varying security standards. Attackers only needed to compromise individual package maintainer accounts to inject malware into build scripts, which execute during the package compilation process.
This incident reflects a broader supply chain attack pattern targeting developer toolchains. Compromised AUR packages reach developers early in their workflow, before code reaches production systems. Stolen credentials from developer machines grant attackers access to version control systems, cloud platforms, and internal infrastructure.
Organizations relying on Arch Linux systems for development should audit recent AUR package installations immediately. Developers should rotate credentials for any systems that built affected packages. Review git logs
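As an added example (not part of the article), a POSIX shell check supporting the first recommendation: it joins pacman's transaction log with the list of foreign (AUR-built) packages from `pacman -Qm` and reports those installed or upgraded on or after a cutoff date. The package names, versions and log entries in the sample data are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: audit recent AUR (foreign) package
# activity by joining /var/log/pacman.log with the output of `pacman -Qm`.
# Assumes pacman's standard log line format:
#   "[2025-07-10T14:21:05+0000] [ALPM] installed pkg (1.0.0-1)"

# recent_foreign LOGFILE FOREIGNLIST CUTOFF
#   FOREIGNLIST: one package name per line (pacman -Qm | awk '{print $1}')
#   CUTOFF:      YYYY-MM-DD; entries on or after this date are reported
# Output: pkg<TAB>action<TAB>timestamp, one line per matching log entry.
recent_foreign() {
    awk -v cutoff="$3" '
        FILENAME == ARGV[1] { want[$1] = 1; next }     # first file: foreign package names
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
            ts = substr($1, 2, length($1) - 2)        # strip the surrounding brackets
            if (substr(ts, 1, 10) >= cutoff && ($4 in want))
                printf "%s\t%s\t%s\n", $4, $3, ts
        }' "$2" "$1"
}

# make_sample_data DIR: constructed sample log and foreign list (not real data)
make_sample_data() {
    cat > "$1/pacman.log" <<'EOF'
[2025-06-02T08:00:11+0000] [ALPM] installed aur-helper-example (1.0.0-1)
[2025-07-10T14:21:03+0000] [PACMAN] Running 'pacman -U example-aur-tool-1.0.0-1-x86_64.pkg.tar.zst'
[2025-07-10T14:21:05+0000] [ALPM] installed example-aur-tool (1.0.0-1)
[2025-07-11T09:02:44+0000] [ALPM] upgraded linux (0.0.1-1 -> 0.0.2-1)
[2025-07-12T16:45:00+0000] [ALPM] upgraded example-aur-tool (1.0.0-1 -> 1.0.1-1)
[2025-07-13T10:00:00+0000] [ALPM] removed example-aur-tool (1.0.1-1)
EOF
    printf '%s\n' aur-helper-example example-aur-tool > "$1/foreign.txt"
}

# Demo on the constructed data. On a live Arch system run instead:
#   pacman -Qm | awk '{print $1}' > foreign.txt
#   recent_foreign /var/log/pacman.log foreign.txt 2025-07-01
tmp=$(mktemp -d)
make_sample_data "$tmp"
recent_foreign "$tmp/pacman.log" "$tmp/foreign.txt" 2025-07-01
rm -rf "$tmp"
```

The log only records packages that were actually installed; because the injected code runs in the build script during `makepkg`, a compromised package that was built but never installed leaves no entry here, so the AUR helper's build directory and clone cache should be reviewed as well.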
