
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

thehackernews.com | 2026-06-13 | AI supply chain | Critical

What Happened

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate

Why It Matters

The report describes a large-scale software supply chain compromise where attackers hijacked over 400 Arch Linux AUR packages and modified their build scripts to deploy a Rust-based credential stealer, with optional eBPF rootkit functionality when run as root.[1] Stolen data reportedly includes developer secrets such as SSH keys, GitHub and npm tokens, Vault tokens, browser cookies, and API tokens for services including OpenAI/ChatGPT, and the rootkit uses eBPF to hide processes and files from the system.[1][3] From a CyberSE.AI perspective, any AI development or deployment environment that uses AUR packages could have its credentials, API keys, and model-access tokens silently exfiltrated, enabling downstream compromise of AI code repositories, model registries, CI/CD pipelines, and production agents. Organizations should treat affected hosts as fully compromised, rotate all AI-related secrets, and implement stronger AI supply chain controls (package provenance checks, SBOM-based dependency inventory, and continuous red teaming of build and deploy chains) to prevent similar compromises from propagating into AI systems.
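A triage check for the dependency-inventory step described above, as an added example that is not part of the original report: it reads pacman's transaction log and lists packages absent from the official repositories (typically AUR builds) that were installed or upgraded inside an exposure window. The log lines, package names and window dates are constructed placeholders, and the official-repository name set is assumed to come from `pacman -Slq`.

```python
import re
from datetime import datetime

# pacman.log transaction line: [timestamp] [ALPM] action pkg (version)
ALPM_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] "
    r"(?P<action>installed|upgraded|reinstalled) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]*)\)"
)

def foreign_builds_in_window(log_text, official, start, end):
    """Return (timestamp, action, pkg, version) for packages not in the
    official repos that were installed or updated between start and end."""
    hits = []
    for line in log_text.splitlines():
        m = ALPM_LINE.match(line)
        if not m or m["pkg"] in official:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            continue  # older timestamp format; review those lines by hand
        if start <= ts <= end:
            hits.append((ts.isoformat(), m["action"], m["pkg"], m["ver"]))
    return hits

# Constructed sample log; all package names are placeholders, not real IoCs.
SAMPLE_LOG = """\
[2026-06-01T09:12:44+0000] [ALPM] upgraded placeholder-aur-a (1.0-1 -> 1.1-1)
[2026-06-09T18:03:10+0000] [ALPM] upgraded placeholder-repo-pkg (2.0-1 -> 2.1-1)
[2026-06-10T07:41:02+0000] [ALPM] upgraded placeholder-aur-a (1.1-1 -> 1.2-1)
[2026-06-11T22:15:37+0000] [ALPM] installed placeholder-aur-b (0.4-2)
[2026-06-12T08:00:00+0000] [ALPM] removed placeholder-aur-b (0.4-2)
[2026-06-12T08:05:19+0000] [ALPM] running 'systemd-update.hook'...
"""
# Assumption: on a real host this set is the output of `pacman -Slq`.
OFFICIAL = {"placeholder-repo-pkg"}
# Assumption: the report gives no exact window; these dates are illustrative.
START = datetime.fromisoformat("2026-06-07T00:00:00+00:00")
END = datetime.fromisoformat("2026-06-13T23:59:59+00:00")

if __name__ == "__main__":
    for hit in foreign_builds_in_window(SAMPLE_LOG, OFFICIAL, START, END):
        print(hit)
```

Matching on the log rather than the installed-package list also catches a package that was built in the window and later removed, as `placeholder-aur-b` is here. Because the report describes a rootkit that hides files and processes, run this against a copy of `/var/log/pacman.log` taken from an offline disk image rather than on the live host.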

Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
