Security
AUR supply chain attack: 400+ packages injected with infostealer and eBPF rootkit
- Category: Security
- Status: confirmed
- Sources: Phoronix, ioctl.fail analysis, HN discussion
- Summary: A malicious maintainer identified as "arojas" adopted over 400 orphaned AUR packages on 2026-06-11 and modified their PKGBUILD files to add npm as a build dependency and execute a malicious npm install during package builds. The injected payload ("deps") operates as a credential stealer targeting browser secrets, Electron app credentials, Slack, Teams, Discord, GitHub tokens, npm credentials, Vault secrets, Docker and Podman configs, SSH keys, VPN configs, and shell histories. An optional eBPF-based rootkit component was also included for persistence and evasion. Arch Linux maintainers reset and deleted the malicious PKGBUILD content and banned the account on discovery. Official Arch Linux repository packages were unaffected; only AUR was compromised. Mitigation: audit installed AUR packages with
pacman -Qifor suspicious recent build dates, inspect PKGBUILD files for unexpected npm installs, and use tools such astraurto detect orphan takeovers. - Why it matters: The attack targeted developer credentials at build time, when package managers implicitly trust PKGBUILD scripts; the eBPF rootkit component makes post-compromise detection harder than conventional file-based malware.