






















A large-scale supply chain attack targeting the Arch User Repository (AUR) has resulted in the compromise of over 1,500 community-maintained packages[2]. Reportedly, attackers injected malicious build scripts to deploy a Rust-based infostealer and an optional eBPF rootkit on affected systems, primarily targeting developer environments and CI/CD infrastructure [1].
The attackers injected commands into build scripts that pulled malicious dependencies, including rogue npm packages such as atomic-lockfile and js-digest, which executed automatically during the package build process. This approach allowed attackers to distribute malware without modifying the software itself, instead abusing the trusted build pipeline [1].
The payload included[1]:
A Rust-based infostealer designed to collect sensitive data such as:
The AUR is Arch Linux’s community package collection, and it is separate from the official Arch repositories, which were not affected.
Arch Linux AUR
A list of affected packages at the time of writing can be found here[2]:
https://md.archlinux.org/s/SxbqukK6IA
The list of affected packages is extensive and evolving. Customers should treat any AUR package installed or updated since June 11, 2026 as potentially compromised.
Exploitation
The campaign began on or around June 11, 2026, and actively compromised hundreds of AUR packages, later expanding to over 1,500 affected packages.
Recommended Actions
Limit reliance on unvetted third-party repositories and implement stricter validation of build scripts before execution.
[1] https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
[2] https://md.archlinux.org/s/SxbqukK6IA
[3] https://archlinux.org/news/active-aur-malicious-packages-incident/
Stay ahead with cyber insights
Stay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and industry news directly to your inbox. Join our community of professionals and stay informed about emerging threats, best practices, and exclusive updates from Truesec.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。