[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer-mqe1c7rp":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":18,"article_ids":19,"ioc_summary":21,"source_urls":22,"status":24,"expires_at":25,"created_at":26,"updated_at":27,"articles":28},"ac987fdc-3e4a-4f7a-864c-468e0460af18","Over 400 Arch Linux packages compromised to push rootkit, infostealer","over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer-mqe1c7rp","A threat actor compromised over 400 packages in the Arch User Repository by injecting a Linux rootkit and infostealer into build scripts. The malware uses eBPF to achieve kernel-level persistence, hide processes, and exfiltrate credentials and access tokens. Any Arch Linux user who installed affected AUR packages is potentially compromised with persistent root-level access.","critical","advisory",[],[13,14,15,16,17],"Arch User Repository","npm","Arch Linux","Microsoft Teams","Slack","Identify and isolate any systems running Arch Linux with recent AUR package installations. Scan for eBPF-based rootkit indicators, including unexpected loaded eBPF programs and maps, and check for unauthorized kernel modules; because a kernel-level rootkit can hide from tools on the running host, confirm findings from a trusted boot environment where possible. If compromise is confirmed, assume credential breach: force password resets for affected users and revoke and reissue the access tokens and sessions that were present on the host.",[20],"85595e49-c204-4e58-b35d-3a8a6e0b61c1",null,[23],"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-400-arch-linux-packages-compromised-to-push-rootkit-infostealer\u002F","archived","2026-06-16T17:05:22.17+00:00","2026-06-14T17:05:26.963576+00:00","2026-06-16T18:06:02.851438+00:00",[29],{"id":20,"title":6,"url":23}]