Attackers compromised over 400 packages in the Arch User Repository (AUR) by rewriting build scripts to install a Rust-based credential stealer on any machine that compiled the affected packages. When executed with root privileges, the malware can also deploy an eBPF rootkit to conceal its presence. This is a significant supply chain attack targeting developers, particularly those building software in Linux-based CI/CD environments.

Security Architect’s Take: Audit any CI/CD pipelines or developer workstations using Arch Linux and AUR packages immediately — treat all AUR-sourced builds from this week as potentially compromised. Enforce a policy of never running AUR builds with root privileges, and consider migrating pipeline build environments to distributions with curated, signed package repositories.

Original advisory: Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit