Skip to content
πŸ’» AppSec

Over 400 Arch Linux AUR Packages Poisoned with eBPF Rootkit in Coordinated Maintainer Compromise

More than 400 packages in the Arch Linux User Repository were compromised by an attacker who spoofed trusted maintainer identities to push malicious preinstall scripts. The scripts deploy an ELF infostealer harvesting developer credentials and an optional eBPF rootkit that persists across package removal attempts.

4 min read
#supply-chain#arch-linux#rootkit#ebpf#linux#developer-credentials
Article software-development-security

A coordinated supply chain attack against the Arch Linux User Repository (AUR) has compromised more than 400 packages, poisoning them with preinstall scripts that deliver a credential-stealing infostealer and β€” in a significant escalation β€” an eBPF kernel rootkit capable of surviving package removal. The attack exploited AUR’s community-maintained model, with the threat actor spoofing the identities of established maintainers to push malicious package versions.

What Happened

AUR packages depend on community contributors to maintain and update PKGBUILD files β€” shell scripts that define how packages are downloaded, built, and installed. The attacker targeted this trust model, registering accounts that impersonated longstanding trusted maintainers and submitting updated PKGBUILD files that added malicious preinstall() hooks to legitimate packages.

Those hooks pull a secondary stage from a public npm package (atomic-lockfile), which decodes to an ELF Linux binary. Depending on whether the target system meets attacker-defined criteria β€” kernel version, presence of development tooling, privilege level β€” the binary deploys either the infostealer alone or both the infostealer and the eBPF rootkit component.

The eBPF rootkit hooks kernel functions to hide network connections and processes, and can survive pacman -R removal attempts because it persists in kernel space rather than on the filesystem as a conventional binary.

What Gets Stolen

The infostealer component is designed specifically for developer environments:

  • GitHub personal access tokens and SSH private keys
  • Cloud provider credentials β€” AWS ~/.aws/credentials, GCP service account JSON files, Azure CLI tokens
  • HashiCorp Vault tokens stored in the default paths
  • Slack, Discord, Teams, and Telegram session cookies and local databases
  • Browser credential stores (Chrome, Firefox, Brave profile directories)
  • npm authentication tokens (~/.npmrc) and PyPI credentials

The credential profile corresponds to the access level needed to inject further malicious packages, pivot into CI/CD pipelines, or exfiltrate proprietary source code. The attack is architecturally similar to TeamPCP’s supply chain campaign earlier this year, which similarly targeted developer tool distribution channels.

Why AUR Is Particularly Exposed

Unlike the official Arch Linux repositories, AUR packages are not reviewed or signed by the Arch Linux distribution team. The AUR model places full trust on the registered maintainer of each package. Maintainer identity is verified only at account registration, not at each package update β€” meaning a compromised or spoofed maintainer account can push malicious builds indefinitely until discovered.

The Arch Linux project has historically acknowledged this limitation and strongly advises users to inspect PKGBUILD files before building. In practice, most developers use AUR helpers (yay, paru) that automate package installation without prompting for manual review.

The volume of this attack β€” 400+ packages β€” suggests either automated PKGBUILD manipulation or a long-running, low-volume poisoning campaign. Arch Linux security maintainers were notified on 12 June; affected package versions are being removed and maintainer accounts suspended.

  • Audit recently installed AUR packages β€” run pacman -Q and cross-reference against the disclosed list of compromised packages (being published by the Arch Linux security team). Pay particular attention to packages installed or updated between 1 June and 16 June.
  • Rotate all developer credentials immediately on any Arch Linux system that installed AUR packages during the affected window β€” GitHub tokens, SSH keys, cloud IAM credentials, npm tokens, and vault secrets.
  • Check for eBPF persistence β€” the rootkit hides processes and network connections. Run bpftool prog list to enumerate loaded eBPF programmes and look for anomalous entries. On compromised systems, assume that rebooting into a clean kernel and reinstalling from official repos is required.
  • Review CI/CD pipeline credentials β€” if the compromised system had access to CI/CD secrets or deployment credentials, treat those as exposed and rotate them regardless of whether evidence of exfiltration exists.
  • Consider limiting AUR usage in production or developer environments to a curated allowlist, and deploy AUR helper configurations that require explicit PKGBUILD review before building.
  • Monitor npm for the atomic-lockfile package β€” it has been reported to the npm security team; track whether it reappears under alternative names.

Share this article

Related Intelligence

πŸ’» AppSec

QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI

Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials β€” npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens β€” from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.

#supply-chain +8
πŸ’» AppSec

Vercel Confirms Breach via Compromised AI Tool β€” Developer Environment Variables and Credentials Exposed

Cloud deployment platform Vercel has confirmed a breach traced to a Lumma infostealer infection at Context.ai, a third-party AI tool used by a Vercel employee. Attackers used the stolen Google Workspace OAuth access to reach Vercel's internal environments, exposing environment variables and a limited set of customer credentials. ShinyHunters is claiming responsibility and demanding $2 million for the stolen data.

#vercel +9
πŸ’» AppSec

Miasma / Shai Hulud Supply Chain Campaign: 100+ npm and PyPI Packages Compromised Including Red Hat Namespace

Security researchers have attributed a coordinated software supply chain attack to a threat cluster tracked as Miasma (also Shai Hulud), which compromised over 100 packages across npm and PyPI by stealing publisher credentials and injecting malicious code. The campaign reached the official Red Hat npm namespace, exposing organisations that rely on internal package mirror strategies as a security control.

#supply-chain +8