Ethical Hacking News
Arch Linux's community package collection was targeted in a devastating supply chain attack that hijacked over 400 packages and deployed an infostealer. The attackers took advantage of the trust model, modifying build instructions without changing package names or histories.
Over 400 Arch Linux AUR packages were hijacked in a supply chain attack, with malicious scripts installed on affected machines. The malware harvested developer secrets and stole various credentials from Chromium-based browsers, GitHub, npm, and more. A systemd service was installed to persist the malware on the machine, while an eBPF rootkit was also used for added stealth. Users are advised to rotate sensitive data, check unknown services, and inspect system files to detect potential persistence. The attack highlights the importance of being cautious when using packages from untrusted sources, especially those with recent or unusual activity.
Arch Linux's community package collection, known as the Arch User Repository (AUR), has been targeted in a devastating supply chain attack. Over 400 packages were hijacked, and rewritten build scripts installed an infostealer on any machine that built them. The malware is a Rust binary designed to harvest developer secrets.
The attackers took advantage of the trust model of the AUR, modifying the build instructions without changing the package names or histories. They adopted abandoned packages, edited the build files, and let users run the payload for them. Sonatype, an organization that tracks supply chain attacks, named this campaign "Atomic Arch."
The payloads are designed to steal various credentials, including cookies, tokens, local storage from Chromium-based browsers, session data from Electron apps, GitHub, npm, and HashiCorp Vault tokens, OpenAI/ChatGPT bearer material and account metadata, SSH keys, known_hosts, and shell histories. Stolen files are transmitted over HTTP to a temporary server.
The malware installs a systemd service with Restart=always to persist on the machine. It also includes an optional eBPF rootkit that hides its own processes, process names, and socket inodes from standard tools. The binary stages a second file tied to monero-wallet-gui, which is flagged as a possible cryptominer.
A second wave of attacks used a different payload and was linked to the same npm publisher as the first wave. This campaign has spread further than expected, with some reports listing over 400 affected packages.
The attack is part of a broader trend in supply chain attacks that hijack orphaned projects to inherit trust rather than typosquatting to trick users.
Arch maintainers have reset the malicious commits, banned the accounts, and asked users to report suspect packages. Users are advised to check any AUR package installed or updated on or after June 11 against the community package lists and detection scripts.
To mitigate this attack, it is recommended that users rotate everything the stealer touches, including browser sessions, SSH keys, GitHub and npm tokens, Slack, Teams and Discord sessions, Vault tokens, Docker and Podman credentials, and any cloud keys. Users should also hunt for persistence by checking unknown systemd services and unexpected files under /var/lib/. They can inspect /sys/fs/bpf/ for the maps hidden_pids, hidden_names, and hidden_inodes.
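The checks described in the two paragraphs above (packages installed or updated on or after June 11, unknown systemd services, unexpected files under /var/lib/, and the hidden_* maps under /sys/fs/bpf/) can be scripted. The following triage script is an added example and is not code from the article, from Arch, or from any of the detection scripts the maintainers published. It assumes the pacman.log line format shown in its header comment and uses only POSIX shell, find and awk; every path is a parameter so it can be run against a live system, a copied log, or a mounted image.

```shell
#!/bin/sh
# Added triage helpers (not from the article or the Arch project). Every path
# is a parameter so the checks can run on a live system, a copy of the logs,
# or a mounted image. Assumes pacman.log lines of the form
#   [YYYY-MM-DDThh:mm:ss+zzzz] [ALPM] installed|upgraded NAME (VERSION)

# 1. Packages installed or upgraded on or after SINCE (YYYY-MM-DD), taken
#    from a pacman log. Prints unique package names, one per line.
packages_changed_since() {
    since="$1"; log="${2:-/var/log/pacman.log}"
    awk -v since="$since" '
        $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
            day = substr($1, 2, 10)        # strip "[" and keep YYYY-MM-DD
            if (day >= since) print $4     # ISO dates compare correctly as strings
        }' "$log" | sort -u
}

# 2. Restrict that list to foreign packages (not from a repository, i.e. AUR
#    builds). FOREIGN_LIST holds one name per line; on a live system create it
#    with:  pacman -Qm | cut -d" " -f1 > foreign.txt
foreign_changed_since() {
    since="$1"; log="$2"; foreign_list="$3"
    packages_changed_since "$since" "$log" | grep -Fxf "$foreign_list" || true
}

# 3. *.service unit files under DIR modified after midnight of SINCE that carry
#    Restart=always, the restart policy of the persistence unit the article
#    describes. A reference file with that mtime keeps find POSIX (-newer).
recent_restart_always_units() {
    dir="$1"; since="$2"
    [ -d "$dir" ] || return 0
    ref=$(mktemp)
    touch -t "$(printf '%s' "$since" | sed 's/-//g')0000" "$ref"
    find "$dir" -type f -name '*.service' -newer "$ref" 2>/dev/null |
        while IFS= read -r f; do
            if grep -q '^Restart=always' "$f"; then printf '%s\n' "$f"; fi
        done
    rm -f "$ref"
    return 0
}

# 4. Pinned BPF maps with the names the article associates with the rootkit,
#    searched recursively under a bpffs mount point. Exit status 1 if none.
find_hidden_bpf_maps() {
    bpf_root="${1:-/sys/fs/bpf}"
    found=0
    for name in hidden_pids hidden_names hidden_inodes; do
        if find "$bpf_root" -name "$name" 2>/dev/null | grep -q .; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Usage on a live Arch system (uncomment to run; June 11 is the article's cut-off):
# pacman -Qm | cut -d" " -f1 > /tmp/foreign.txt
# foreign_changed_since 2026-06-11 /var/log/pacman.log /tmp/foreign.txt
# for d in /etc/systemd/system /usr/lib/systemd/system "$HOME/.config/systemd/user"; do
#     recent_restart_always_units "$d" 2026-06-11
# done
# touch -t 202606110000 /tmp/ref && find /var/lib -type f -newer /tmp/ref   # unexpected files
# find_hidden_bpf_maps /sys/fs/bpf && echo "hidden_* maps present: assume rootkit"
```

A hit from any of these checks is a lead, not proof: a recently updated AUR package is expected on an active system, and Restart=always is used by plenty of legitimate units. A hidden_* map under /sys/fs/bpf/ is the one finding that should be treated as a confirmed compromise, because no ordinary software pins maps with those names.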
If a package ran as root, users should assume the rootkit is present and reinstall from trusted media; the system cannot otherwise be trusted.
The attack has highlighted the importance of being cautious when using packages from untrusted sources. Users should always read the PKGBUILD and any .install hooks before building them, especially for recently adopted or suddenly active packages.
In conclusion, this devastating supply chain attack has exposed a critical vulnerability in the Arch Linux AUR. It serves as a reminder that even seemingly trustworthy package collections can be compromised by malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/Arch-Linux-AUR-Packages-Hijacked-to-Deploy-Infostealer-and-eBPF-Rootkit-A-Devastating-Supply-Chain-Attack-ehn.shtml
https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
Published: Fri Jun 12 15:50:39 2026 by llama3.2 3B Q4_K_M