AUR: 400+ packages' builds hijacked — stealer and eBPF rootkit

Colleagues, a security alert: the builds of over 400 AUR packages were hijacked. The build ran a credential stealer and, when it had root, an optional eBPF rootkit.
Briefly:
- PKGBUILD and .install files were modified; the build pulled a malicious dependency via npm (atomic-lockfile) or bun (js-digest) and ran its deps binary, a Rust stealer that exfiltrates browser tokens, SSH keys, and container and cloud credentials.
- The rootkit hides processes and sockets, so removing the package does not necessarily remove the compromise; a host that built one of these packages as root should be treated as compromised, and any credentials that were present on it rotated.
- Check every build run since 11 June: grep the PKGBUILD and .install files for atomic-lockfile, js-digest and src/hooks/deps; on the build host, look for unknown systemd units, unexpected files under /var/lib/, and pinned maps under /sys/fs/bpf.
Why it matters: a compromised build undermines trust in the package source and exposes both personal credentials and CI pipelines.
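A triage script for the checks listed above, added here as an example and not part of the original post or of any AUR tooling. It greps a tree of package build directories for the three indicator strings and separately lists the host-side artefacts (pinned BPF objects, recently changed systemd units and /var/lib entries). The indicator pattern, the sample build tree it constructs, and the requirement to pass the cut-off date yourself (the post gives only "11 June", no year) are my assumptions:

```bash
#!/usr/bin/env bash
# Triage helper for the AUR build-hijack indicators named in the post.
# Assumption: the indicators are matched as literal substrings in PKGBUILD
# and *.install files; nothing here deletes or modifies anything.

IOC_PATTERN='atomic-lockfile|js-digest|src/hooks/deps'

# scan_build_tree DIR: print every PKGBUILD/.install under DIR that carries an
# indicator. Returns 1 if anything matched, 0 if the tree looks clean.
scan_build_tree() {
  local dir="$1" hits
  hits=$(grep -rlE "$IOC_PATTERN" --include='PKGBUILD' --include='*.install' "$dir" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# count_ioc_hits DIR: number of matching files (handy for a CI gate).
count_ioc_hits() {
  { grep -rlE "$IOC_PATTERN" --include='PKGBUILD' --include='*.install' "$1" 2>/dev/null || true; } | wc -l | tr -d ' '
}

# host_checks SINCE: report the post-build host indicators. SINCE is a date
# understood by find -newermt, e.g. 2025-06-11 (assumed format, year not given
# in the post). Report only; a hidden rootkit can still lie to these tools,
# so an empty listing is not proof of a clean host.
host_checks() {
  local since="$1"
  echo "== pinned BPF objects under /sys/fs/bpf (normally empty on a desktop)"
  find /sys/fs/bpf -mindepth 1 2>/dev/null || true
  echo "== systemd unit files changed since $since"
  find /etc/systemd/system /usr/lib/systemd/system -type f -newermt "$since" 2>/dev/null || true
  echo "== entries under /var/lib changed since $since"
  find /var/lib -maxdepth 2 -newermt "$since" 2>/dev/null || true
  echo "== loaded BPF programs (if bpftool is installed)"
  if command -v bpftool >/dev/null 2>&1; then bpftool prog show 2>/dev/null || true; fi
}

# build_sample_tree DIR: constructed sample input, one clean package and one
# whose PKGBUILD pulls the malicious npm dependency and runs the deps binary.
build_sample_tree() {
  mkdir -p "$1/clean-pkg" "$1/bad-pkg"
  printf 'pkgname=clean-pkg\nbuild() { make; }\n' > "$1/clean-pkg/PKGBUILD"
  printf 'pkgname=bad-pkg\nbuild() { npm install atomic-lockfile && ./src/hooks/deps; }\n' > "$1/bad-pkg/PKGBUILD"
}

# Usage against a real checkout: scan_build_tree ~/.cache/yay ; host_checks 2025-06-11
```

Run scan_build_tree against wherever your AUR helper keeps its clones (for example ~/.cache/yay or ~/.cache/paru) and against any CI workspace that builds AUR packages; a non-zero exit is a hit. host_checks needs root to see everything under /sys/fs/bpf and /var/lib, and its output is a starting point for a manual review, not a verdict.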
What will you do?
#cybersecurity #supplychain #ArchLinux #AUR

