400+ Arch Linux AUR Packages Hijacked: eBPF Rootkit and Infostealer

Analysis of the Arch Linux AUR Package Hijacking

A massive Supply Chain Attack has targeted the Arch User Repository (AUR), resulting in the compromise of over 400 packages. According to The Hacker News, threat actors successfully hijacked maintainer accounts or took over orphaned packages to rewrite their build scripts. This campaign specifically targets developers and power users who rely on the AUR for community-maintained software packages, turning the build process into a vector for malware delivery.

Unlike traditional vulnerabilities associated with a specific CVE, this incident represents a failure in repository trust and maintainer security. The attackers modified the PKGBUILD scripts—text files used by Arch Linux’s makepkg utility to compile and install software—to execute malicious commands during the build phase. This allows the malware to gain the same permissions as the user building the package, which is frequently a user with sudo privileges.

Rust Infostealer Malware Analysis and TTPs

The primary payload delivered in this campaign is a binary written in the Rust programming language. This choice of language provides the attacker with cross-architecture compatibility and a degree of obfuscation against signature-based detection. The TTP observed involves the binary scanning the filesystem for sensitive developer assets. Targeted files include SSH private keys, AWS credentials, Docker configuration files, and environment variables containing API keys.

Once the infostealer identifies these assets, it exfiltrates them to an attacker-controlled C2 server. Because developers often possess high-level access to production environments and source code repositories, the theft of these credentials could lead to subsequent Lateral Movement across corporate networks. The compromise of a single developer machine via this AUR hijacking could facilitate much larger breaches within a software development organization.

eBPF Rootkit Detection and Removal Strategies

The most technically sophisticated component of this attack is the deployment of an eBPF-based rootkit. If the malicious build script achieves Privilege Escalation or is run with root permissions, it loads a custom eBPF (Extended Berkeley Packet Filter) program into the Linux kernel. This rootkit is designed to hide the presence of the infostealer process and its network connections, making traditional monitoring tools like top or netstat unreliable.

For security professionals, eBPF rootkit detection and removal strategies must focus on kernel-level visibility. Standard EDR solutions that only monitor user-space activity may fail to identify the hook. Defenders should use specialized tools such as bpftool to list all loaded eBPF programs and look for suspicious attachments to syscalls or network hooks. Because the malware resides in the kernel, simple file deletion is insufficient; the eBPF program must be detached and the system should be audited for persistent IoC markers in systemd services or shell profiles.

Mitigation and Recommendations

Organizations and individual developers using Arch Linux must take immediate action to secure their environments. The SOC should prioritize the review of any outbound traffic to unknown IP addresses originating from development workstations. Implementing a SIEM rule to alert on unusual eBPF program loads is also recommended.

• Verify PKGBUILD Integrity: Before building any package from the AUR, manually inspect the PKGBUILD and any associated .install scripts for obfuscated commands or unauthorized curl/wget calls.
• Audit Installed Packages: Use pacman -Qm to list all community packages and cross-reference them with the list of hijacked packages if available.
• Secrets Rotation: If a system is suspected of compromise, rotate all SSH keys, cloud provider tokens, and GitHub personal access tokens immediately.
• Use Sandbox Builds: Build AUR packages in a clean, non-privileged container or a virtual machine to prevent the build process from accessing host-level secrets or the kernel.