AUR: 400+ packages' builds replaced — Rust stealer exfiltrates creds

Colleagues: 400+ AUR packages had builds replaced.
How it worked: attackers adopted abandoned packages, altered PKGBUILD/.install to pull atomic-lockfile or js-digest, which launched a malicious ELF.
Steals browser sessions, tokens (GitHub, npm, Vault, OpenAI), SSH keys, Docker/Podman; installs a systemd unit; if run as root, can deploy an eBPF rootkit.
Actions: check AUR packages installed/updated since 11 June; search for atomic-lockfile, js-digest and src/hooks/deps; rotate keys; inspect persistence (/etc/systemd, ~/.config/systemd, /var/lib, /sys/fs/bpf). If run as root — reinstall.
Why it matters: this erodes trust in a package's name and history.
Have you checked hosts and builds after 11 June?
#cybersecurity #supplychain #ArchLinux #AUR
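
Added example, not part of the original post: POSIX shell helpers for the first two checks in the Actions line (foreign packages installed or upgraded since a cutoff date, and build files that mention the three strings named in the post). The package names, log lines and the year 2030 are constructed; the foreign-package list (for example saved from `pacman -Qmq`) and the build directory are inputs you supply.

```shell
#!/bin/sh
# Added example (not from the post): triage helpers for the checks above.
# The three indicator strings are the ones named in the post.
INDICATORS='atomic-lockfile|js-digest|src/hooks/deps'

# recent_foreign LOG SINCE FOREIGN_LIST
# Prints "day action package" for each package in FOREIGN_LIST (one name per
# line, e.g. saved from `pacman -Qmq`) that LOG shows as installed or upgraded
# on or after SINCE (YYYY-MM-DD; ISO dates compare correctly as strings).
recent_foreign() {
  awk -v since="$2" '
    FILENAME == ARGV[1] { foreign[$1] = 1; next }
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "upgraded") {
      day = substr($1, 2, 10)
      if (day >= since && ($4 in foreign)) print day, $3, $4
    }' "$3" "$1"
}

# find_indicators DIR
# Lists PKGBUILD and *.install files under DIR that mention an indicator.
find_indicators() {
  find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
    -exec grep -lE "$INDICATORS" {} + | sort
}

# make_sample DIR: writes constructed sample data (hypothetical package names
# and a placeholder year) so the helpers can be exercised offline.
make_sample() {
  mkdir -p "$1/builds/pkg-a" "$1/builds/pkg-b"
  printf '%s\n' pkg-a pkg-b pkg-old > "$1/foreign.txt"
  cat > "$1/pacman.log" <<'EOF'
[2030-06-02T09:00:00+0000] [ALPM] upgraded pkg-old (1.0-1 -> 1.0-2)
[2030-06-11T08:30:00+0000] [ALPM] upgraded pkg-a (2.1-1 -> 2.1-2)
[2030-06-12T10:15:00+0000] [ALPM] installed pkg-b (0.3-1)
[2030-06-12T10:16:00+0000] [ALPM] upgraded glibc (2.40-1 -> 2.40-2)
[2030-06-12T10:16:05+0000] [ALPM-SCRIPTLET] pkg-b post_install output
EOF
  printf '# constructed line mentioning %s\n' atomic-lockfile > "$1/builds/pkg-a/PKGBUILD"
  printf '# constructed clean file\n' > "$1/builds/pkg-b/PKGBUILD"
  printf '# constructed line mentioning %s\n' src/hooks/deps > "$1/builds/pkg-b/pkg-b.install"
}

# Demo on the constructed sample: prints two log hits, then two file hits.
tmp=$(mktemp -d) && make_sample "$tmp"
recent_foreign "$tmp/pacman.log" 2030-06-11 "$tmp/foreign.txt"
find_indicators "$tmp/builds"
rm -rf "$tmp"
```

On a real host, point `recent_foreign` at `/var/log/pacman.log` with the year of the incident in the cutoff, and point `find_indicators` at the directory where your AUR helper keeps its build files.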

