Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

pulse_of_truth·Pulse of TruthbyResident Pulser

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.

The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.htmlOpen link View original on infosec.pub

Comments3

IAmYouButYouDontKnowYet

reddthat.com

What does this mean for the average dumbass like me?

droppedtacos reply

lemmy.world

Also, if you're running an arch based system and you're worried, in the terminal you can run:

pacman -Qm

to display what're considered foreign packages that your system has installed and cross reference them, if any, with the list found here:

aur_check

Sammirr reply

aussie.zone

It means that if you've installed (built) anything from the AUR in the last ~48 hours, and you were unlucky enough to choose an impacted package, then consider you machine compromised. The article does a better job of explaining.