
Over 400 Arch Linux packages compromised to push rootkit, infostealer

A threat actor compromised over 400 packages in the Arch User Repository (AUR) by injecting a Linux rootkit and infostealer into the packages' build scripts (PKGBUILDs), so the malware is delivered to anyone who builds and installs those packages. The malware uses eBPF to achieve kernel-level persistence, hide processes, and exfiltrate credentials and access tokens. Any Arch Linux system on which an affected AUR package was installed should be treated as potentially compromised, with the attacker holding persistent root-level access.

Severity: Critical | Type: Advisory | Published: Jun 14, 2026
Action required
Identify and isolate any Arch Linux systems with recent AUR package installations. Check loaded eBPF programs and kernel modules for anything unexpected, and where possible inspect from a rescue boot or other trusted environment, since an eBPF rootkit can hide itself from tools run on the compromised host. If compromise is confirmed, assume credential breach: force password resets for affected users and rotate any access tokens that were reachable from the host, including tokens for the services listed below, and rebuild the system rather than attempting to clean it in place.
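The checks described above, as an added triage script written for this page; it is not tooling from the advisory, from Arch Linux, or from any project mentioned here. It assumes the default pacman log line format ("[timestamp] [ALPM] installed pkg (ver)"), lsmod's tabular output, and the plain-text output of "bpftool prog show". The CUTOFF date, the BASELINE_FILE path, and every package, module and program name in the sample data are placeholders constructed for the example, not indicators from the advisory.

```shell
#!/usr/bin/env bash
# Added example for this advisory page (not Arch Linux or advisory tooling).
# Assumptions not stated on the page: default pacman.log format, lsmod output
# layout, and "bpftool prog show" text output. Sample data below is constructed.

# Foreign (non-repo, i.e. AUR-built) packages installed, reinstalled or
# upgraded on or after a cutoff date. Reads a pacman.log on stdin.
# Usage: aur_installs_since YYYY-MM-DD "pkg1 pkg2 ..." < /var/log/pacman.log
aur_installs_since() {
  awk -v cutoff="$1" -v foreign="$2" '
    BEGIN { n = split(foreign, f, " "); for (i = 1; i <= n; i++) isforeign[f[i]] = 1 }
    /\[ALPM\] (installed|reinstalled|upgraded) / {
      date = substr($1, 2, 10)            # drop the leading "[" of the timestamp
      if (date >= cutoff && ($4 in isforeign)) print date, $3, $4
    }'
}

# Loaded kernel modules absent from a baseline captured on a known-good host
# (lsmod | awk "NR>1{print \$1}"). Reads lsmod output on stdin.
# Usage: lsmod | unexpected_modules "mod1 mod2 ..."
unexpected_modules() {
  awk -v baseline="$1" '
    BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    NR > 1 && !($1 in ok) { print $1 }'
}

# Loaded eBPF programs of types that can hook syscalls or kernel tracepoints,
# the mechanisms an eBPF rootkit uses to hide processes and intercept I/O.
# Heuristic only: bpftrace and other tracing tools load the same types, so
# review each hit. Reads "bpftool prog show" text output on stdin.
suspicious_bpf_progs() {
  awk '
    /^[0-9]+: / {
      id = $1; sub(":", "", id); type = $2; name = "-"
      for (i = 3; i < NF; i++) if ($i == "name") name = $(i + 1)
      if (type ~ /^(kprobe|tracepoint|raw_tracepoint|tracing|lsm)$/) print id, type, name
    }'
}

# Constructed sample inputs so the helpers can be exercised offline.
SAMPLE_LOG='[2026-05-20T10:00:00+0000] [ALPM] installed sample-aur-a (1.0-1)
[2026-06-10T09:15:42+0000] [ALPM] installed sample-git (r123.abc-1)
[2026-06-12T22:01:03+0000] [ALPM] upgraded sample-aur-b (2.0.3-1 -> 2.0.4-1)
[2026-06-12T22:01:05+0000] [ALPM] upgraded linux (6.14.1-1 -> 6.14.2-1)'
SAMPLE_FOREIGN='sample-aur-a sample-aur-b sample-git'
SAMPLE_LSMOD='Module                  Size  Used by
ext4                  987136  1
crc32c_generic         12288  1
sample_unknown         16384  0'
SAMPLE_BASELINE='ext4 crc32c_generic'
SAMPLE_BPF='3: cgroup_skb  name egress  tag 6deef7357e7b4530  gpl
        loaded_at 2026-06-12T22:05:00+0000  uid 0
        xlated 64B  jited 54B  memlock 4096B
17: kprobe  name sample_kp  tag 0123456789abcdef  gpl
        loaded_at 2026-06-13T01:00:00+0000  uid 0
        xlated 1024B  jited 700B  memlock 8192B
21: tracepoint  tag fedcba9876543210  gpl
        loaded_at 2026-06-13T01:00:01+0000  uid 0'

CUTOFF="${CUTOFF:-2026-01-01}"   # placeholder: set to the start of your exposure window
if [ "${1:-}" = "--live" ]; then
  # Run as root on the host under review. A kernel-resident rootkit can hook
  # the syscalls bpftool and lsmod rely on, so prefer a rescue boot.
  echo "== foreign packages changed since $CUTOFF"
  aur_installs_since "$CUTOFF" "$(pacman -Qmq | tr '\n' ' ')" < /var/log/pacman.log
  echo "== loaded modules not in ${BASELINE_FILE:?set BASELINE_FILE to a known-good module list}"
  lsmod | unexpected_modules "$(tr '\n' ' ' < "$BASELINE_FILE")"
  echo "== eBPF programs worth reviewing"
  bpftool prog show | suspicious_bpf_progs
else
  echo "== sample run on constructed data; pass --live on a real host"
  printf '%s\n' "$SAMPLE_LOG"   | aur_installs_since 2026-06-01 "$SAMPLE_FOREIGN"
  printf '%s\n' "$SAMPLE_LSMOD" | unexpected_modules "$SAMPLE_BASELINE"
  printf '%s\n' "$SAMPLE_BPF"   | suspicious_bpf_progs
fi
```

Run it as root with --live on each suspect host after setting CUTOFF and BASELINE_FILE. pacman does not record whether a package came from the AUR, so the foreign-package list from pacman -Qmq is used as the proxy; cross-check the names it prints against the list of affected packages once one is published. A hit from suspicious_bpf_progs is a prompt to inspect that program (bpftool prog dump xlated id N), not a verdict, and an empty result on the live host is not proof of absence, which is why the modules and eBPF programs should also be enumerated from a trusted kernel.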
Affected products
Arch User Repository
Arch Linux
npm
Microsoft Teams
Slack