Major Supply Chain Attack Hits the Arch Linux Community

More than 400 packages in the Arch User Repository (AUR) have been compromised in a software supply chain attack, with attackers modifying installation scripts to deploy data-stealing malware on users’ systems. The incident did not affect the official Arch Linux repositories but was limited to AUR, the community-maintained package distribution platform.

According to research by Sonatype, the attackers adopted abandoned projects with no active maintainers and inserted malicious code into their PKGBUILD files, causing the installation of malicious npm packages during the build process. The Rust-based malware was designed to collect sensitive information, including GitHub, npm, and HashiCorp Vault access tokens, SSH keys, browser data, and information from applications such as Slack, Discord, and Microsoft Teams. Security researchers reported that the malware was also capable of deploying an eBPF rootkit to conceal its activities on compromised systems, although only when it obtained administrative privileges.

A further concern is that the attackers preserved the original package names and histories, exploiting user trust without relying on software vulnerabilities or zero-day exploits.

The number of compromised packages continues to grow, and security experts are urging users who installed or updated AUR packages after June 11 to review their systems and verify whether any affected packages were used. According to current findings, the incident represents one of the largest attacks against the AUR ecosystem to date and highlights the serious risks posed by compromised components within the software supply chain.
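One way to carry out the review the article asks for is to cross-reference the pacman log against the set of foreign packages (those not from an official repository, which on a typical system means AUR builds). The script below is an added example, not code from the article, Sonatype or the Arch project; it uses the real `/var/log/pacman.log` line format and `pacman -Qmq`, but the log lines, package names and the year attached to the June 11 cutoff are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example: find foreign (AUR-built) packages that were installed or
# upgraded on or after a cutoff date, using pacman.log and the foreign-package
# list. Sample data below is constructed so the script runs without pacman.

# Print names of packages with an install/upgrade/reinstall event on or after
# the cutoff. $1 = pacman.log path, $2 = cutoff date as YYYY-MM-DD.
pacman_changes_since() {
    awk -v cutoff="$2" '
        /\[ALPM\] (installed|upgraded|reinstalled) / {
            ts = substr($1, 2, 10)      # "[2025-06-12T10:15:22+0000]" -> "2025-06-12"
            if (ts >= cutoff) print $4  # package name follows the verb
        }' "$1" | sort -u
}

# Keep only the names that are also in the foreign-package list.
# $1 = pacman.log path, $2 = cutoff, $3 = file with one foreign package name per line.
suspect_aur_packages() {
    pacman_changes_since "$1" "$2" | grep -Fx -f "$3" || true
}

# --- constructed sample input (stands in for /var/log/pacman.log and `pacman -Qmq`) ---
sample_log=$(mktemp)
foreign_list=$(mktemp)
cat > "$sample_log" <<'EOF'
[2025-06-10T09:00:01+0000] [ALPM] upgraded linux (6.14.9.arch1-1 -> 6.15.1.arch1-1)
[2025-06-12T10:15:22+0000] [ALPM] installed example-aur-tool (1.2.3-1)
[2025-06-15T18:42:07+0000] [ALPM] upgraded example-aur-lib (0.9-1 -> 0.9-2)
[2025-06-16T08:00:00+0000] [ALPM] upgraded firefox (139.0-1 -> 139.0.1-1)
EOF
printf '%s\n' example-aur-tool example-aur-lib example-untouched > "$foreign_list"

# Year is an assumption; the article gives only "June 11".
CUTOFF=2025-06-11
echo "Foreign packages installed or upgraded on/after $CUTOFF:"
suspect_aur_packages "$sample_log" "$CUTOFF" "$foreign_list"
```

On a real system, generate the foreign list with `pacman -Qmq > foreign.txt` and run `suspect_aur_packages /var/log/pacman.log 2025-06-11 foreign.txt`. The output is a list of packages whose PKGBUILD and build output deserve inspection (for example, unexpected `npm` invocations in the build steps), not a verdict on its own: a package that was upgraded in that window may be perfectly clean, and one that was not touched may still have been adopted by the attackers later.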
