Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them.

The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux’s community package collection, and it is separate

  • Sammirr@aussie.zone
    link
    fedilink
    English
    arrow-up
    9
    ·
    22 days ago

    It means that if you’ve installed (built) anything from the AUR in the last ~48 hours, and you were unlucky enough to choose an impacted package, then consider you machine compromised. The article does a better job of explaining.