惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threatpost
V
Visual Studio Blog
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - Franky
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Cloudflare Blog
N
News and Events Feed by Topic
L
Lohrmann on Cybersecurity
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
AWS News Blog
AWS News Blog
S
SegmentFault 最新的问题
T
Tailwind CSS Blog
Hugging Face - Blog
Hugging Face - Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Spread Privacy
Spread Privacy
J
Java Code Geeks
博客园 - 聂微东
T
Tor Project blog
宝玉的分享
宝玉的分享
博客园 - 叶小钗
Webroot Blog
Webroot Blog
博客园 - 【当耐特】
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
H
Heimdal Security Blog
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
MongoDB | Blog
MongoDB | Blog
I
InfoQ
Security Latest
Security Latest
Martin Fowler
Martin Fowler
Hacker News: Ask HN
Hacker News: Ask HN
P
Privacy International News Feed
C
CERT Recently Published Vulnerability Notes
Latest news
Latest news
雷峰网
雷峰网
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cisco Blogs
H
Help Net Security
L
LINUX DO - 最新话题
L
LINUX DO - 热门话题

Truesec

Russian Intelligence Targets SOHO Routers - Truesec Cyber Warfare in the Iran War - Truesec Organized Cybercrime Merging with Other Crime - Truesec AI Used in Ransomware Attack The Fortibleed Campaign: Truesec's Experience Fortibleed: Truesec's Experience FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise - Truesec Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) Typosquatting: When Your Domain Is Used Against You AI in Cybersecurity: Separating Operational Reality from Speculation Compromised @redhat-Cloud-Services Npm Packages Distribute Credential-Stealing Worm GitHub Hacks Highlights Need for Repository Security Installation of a Syslog Log Collector Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223) Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE - Truesec Windows Client Security Baselines: When Assumptions Meet Incident Response Reality - Truesec Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? Malicious Axios Packages Published to npm in New Supply Chain Compromise RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit - Truesec
Hjalmar Desmond · 2026-06-16 · via Truesec

A large-scale supply chain attack targeting the Arch User Repository (AUR) has resulted in the compromise of over 1,500 community-maintained packages[2]. Reportedly, attackers injected malicious build scripts to deploy a Rust-based infostealer and an optional eBPF rootkit on affected systems, primarily targeting developer environments and CI/CD infrastructure [1].

The attackers injected commands into build scripts that pulled malicious dependencies, including rogue npm packages such as atomic-lockfile and js-digest, which executed automatically during the package build process. This approach allowed attackers to distribute malware without modifying the software itself, instead abusing the trusted build pipeline [1].

The payload included[1]:
A Rust-based infostealer designed to collect sensitive data such as:

  • Browser cookies and session data
  • SSH keys and shell histories
  • API tokens (e.g., GitHub, npm, and cloud services)
  • Credentials from collaboration tools like Slack, Discord, and Teams
  • An eBPF rootkit that can load when executed with elevated privileges, enabling stealth by hiding processes and artifacts at the kernel level

The AUR is Arch Linux’s community package collection, and it is separate from the official Arch repositories, which were not affected.

Affected Products

Arch Linux AUR
A list of affected packages at the time of writing can be found here[2]:
https://md.archlinux.org/s/SxbqukK6IA

The list of affected packages is extensive and evolving. Customers should treat any AUR package installed or updated since June 11, 2026 as potentially compromised.
Exploitation

The campaign began on or around June 11, 2026, and actively compromised hundreds of AUR packages, later expanding to over 1,500 affected packages.
Recommended Actions

  • Review all AUR packages installed or updated since June 11, 2026, and compare them against known affected package lists found here: https://md.archlinux.org/s/SxbqukK6IA
  • Immediately rotate all credentials (SSH keys, API tokens, passwords) on systems that may have installed affected packages
  • Treat systems where malicious packages were executed with elevated privileges as potentially fully compromised and consider reinstallation from trusted media
  • Monitor for suspicious activity, including:
    • Unusual outbound connections (e.g., HTTP exfiltration or Tor usage)
    • Unexpected systemd services or persistence mechanisms

Limit reliance on unvetted third-party repositories and implement stricter validation of build scripts before execution.

References

[1] https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
[2] https://md.archlinux.org/s/SxbqukK6IA
[3] https://archlinux.org/news/active-aur-malicious-packages-incident/

Stay ahead with cyber insights

Newsletter

Stay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and industry news directly to your inbox. Join our community of professionals and stay informed about emerging threats, best practices, and exclusive updates from Truesec.

Latest Insights