VMTech

AUR: 400+ packages' builds hijacked — stealer and eBPF rootkit


Colleagues, a security alert: the builds of over 400 AUR packages were hijacked. During the build a stealer was executed and, with root privileges, an optional eBPF rootkit.

Briefly:
- PKGBUILD/.install files were modified; the build pulled atomic-lockfile via npm or js-digest via bun, then ran a deps binary: a Rust stealer that exfiltrates browser tokens, SSH keys, and container and cloud credentials.
- The rootkit hides processes and sockets; removing the package may not remove the compromise.
- Check builds since 11 June: look for atomic-lockfile, js-digest and src/hooks/deps, and for unknown systemd units, files in /var/lib/ and maps in /sys/fs/bpf.
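
A read-only sweep for the indicators in the list above, as an added example that is not part of the original post. The function names, the ROOT parameter and the use of etc/systemd/system as the unit directory are assumptions; pass the build cache of your AUR helper as DIR.

```shell
#!/bin/sh
# Added example: sweep for the indicators named in the post. Read-only.
# Assumptions: build trees sit under a directory you pass in (for instance
# your AUR helper's cache); unit files live under etc/systemd/system.

# scan_build_tree DIR
# Prints "REASON<TAB>PATH" for every PKGBUILD/.install that names one of the
# two packages and for every src/hooks/deps file. Prints nothing when clean.
scan_build_tree() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -El 'atomic-lockfile|js-digest' {} + 2>/dev/null |
    while IFS= read -r f; do printf 'ioc-string\t%s\n' "$f"; done

    find "$1" -type f -path '*/src/hooks/deps' 2>/dev/null |
    while IFS= read -r f; do printf 'deps-binary\t%s\n' "$f"; done
    return 0
}

# list_host_artifacts REF_FILE [ROOT]
# Lists entries newer than REF_FILE in the three places the post says to
# review. Output is for manual triage: a new entry is not proof of compromise.
# ROOT defaults to / and lets the function run against a mounted disk image
# or a test fixture instead of the live system.
list_host_artifacts() {
    ref=$1
    root=${2:-/}
    root=${root%/}
    for d in etc/systemd/system var/lib sys/fs/bpf; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -mindepth 1 -maxdepth 2 -newer "$ref" 2>/dev/null |
        while IFS= read -r p; do printf '%s\t%s\n' "$d" "$p"; done
    done
    return 0
}
```

Create REF_FILE with `touch -d` set to 11 June of the relevant year, then review every line both functions print.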

Why it matters: compromised builds undermine trust and endanger credentials and CI.

What will you do?

#cybersecurity #supplychain #ArchLinux #AUR
