
Arch Linux AUR Compromise: Supply Chain Attack Distributing Rootkits and Infostealers

Security Arsenal Team
June 12, 2026

The Arch User Repository (AUR), a cornerstone of the Arch Linux ecosystem, has been weaponized in a massive supply-chain attack. Over 400 packages have been confirmed compromised, actively distributing a Linux rootkit coupled with infostealer capabilities. For defenders, this represents a critical failure of the trust model in community repositories. Unlike standard CVE exploitation, this attack bypasses perimeter defenses by injecting malicious code directly into the build or installation scripts of trusted software. Immediate action is required to identify affected endpoints, eradicate the persistent rootkit, and rotate exposed credentials.

Technical Analysis

Affected Platform: Arch Linux and derivatives utilizing the Arch User Repository (AUR).

Threat Vector: Supply Chain Compromise. Malicious actors injected code into PKGBUILD scripts or uploaded compromised packages to the AUR. When users compile or install these packages using helpers like yay, paru, or manual makepkg execution, the payload is deployed.

Malware Capabilities:

  • Rootkit: Provides kernel-mode or user-mode hiding capabilities, concealing processes, files, and network connections to evade detection.
  • Infostealer: Targets credentials, SSH keys, and cloud access tokens (e.g., AWS, GitHub) stored in user directories.

Exploitation Status: Confirmed Active. The attack is currently "in-the-wild" with hundreds of packages serving as delivery mechanisms. The scale suggests automated mass-compromise of maintainer accounts or package submission processes.

Detection & Response

SIGMA Rules

YAML
---
title: Potential AUR Supply Chain Compromise - Suspicious Makepkg Network Activity
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects makepkg or AUR helper processes establishing network connections, typical of malicious build scripts fetching payloads.
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
  - attack.initial_access
  - attack.t1195.002
logsource:
  product: linux
  category: network_connection
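detection:
  # Sysmon-for-Linux network events (Event ID 3) carry Image but no ParentImage,
  # so this selection only matches where the log pipeline enriches network
  # events with parent-process data.
  selection:
    ParentImage|endswith:
      - '/makepkg'
      - '/yay'
      - '/paru'
    Initiated: true
  condition: selection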
falsepositives:
  - Legitimate package sources downloading dependencies (rare for AUR)
level: high
---
title: Linux Rootkit Infostealer - Suspicious SSH/Config Access
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects processes reading sensitive .ssh or config files immediately following package installation activity.
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1552.001
  - attack.t1552.004
logsource:
  product: linux
  category: process_creation
detection:
  selector_parent:
    ParentImage|endswith:
      - '/pacman'
      - '/makepkg'
      - '/yay'
      - '/paru'
  selector_access:
    CommandLine|contains:
      - '/.ssh/'
      - '.aws/credentials'
      - '.config/gcloud'
  condition: selector_parent and selector_access
falsepositives:
  - Post-install scripts legitimately setting up keys (low volume)
level: critical

KQL (Microsoft Sentinel)

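This query assumes Linux Syslog or CEF data is ingested alongside Microsoft Defender for Endpoint process telemetry (DeviceProcessEvents). It looks for the execution of AUR helpers and joins it, per host, to process events whose command lines reference credential paths.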

KQL — Microsoft Sentinel / Defender
let AURHelpers = dynamic(["yay", "paru", "makepkg", "pacman"]);
Syslog
| where ProcessName in (AURHelpers) or SyslogMessage has_any (AURHelpers)
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where ProcessCommandLine has_any ("/root/", ".ssh/", ".aws/", "id_rsa")
    | where InitiatingProcessFileName in (AURHelpers)
    // DeviceProcessEvents identifies the host as DeviceName, not Computer
) on $left.Computer == $right.DeviceName
| project TimeGenerated, Computer, InitiatingProcessFileName, ProcessCommandLine, FileName

Velociraptor VQL

Hunt for processes running from temporary directories, and scan the pacman package cache (/var/cache/pacman/pkg) for recently modified files with suspicious permissions.

VQL — Velociraptor
-- Hunt for processes with suspicious binary paths (running from /tmp or /var/tmp)
SELECT Pid, Name, Exe, Username, CommandLine
FROM pslist()
WHERE (Exe =~ "/tmp/" OR Exe =~ "/var/tmp/")
  AND NOT Name IN ("systemd", "bash", "sh", "zsh")

-- Hunt for recently modified files in the pacman package cache (indicators of compromise)
SELECT FullPath, Mode, Size, Mtime, Atime
FROM glob(globs="/var/cache/pacman/pkg/*")
WHERE Mtime > timestamp(epoch=now() - 86400) -- Modified in the last 24 hours
  AND Mode.String =~ "rwxrwxrwx" -- Suspicious permissions on cached packages

Remediation Script (Bash)

Use this script to audit for common rootkit persistence and flag AUR packages installed from the compromised timeframe. Note: A full re-image is recommended if a rootkit is confirmed.

Bash / Shell
#!/bin/bash

# Audit AUR packages for recent changes
# pacman -Qm lists foreign packages; -i adds the "Install Date" field
echo "[+] Auditing recently installed AUR packages (foreign packages)..."
LC_ALL=C pacman -Qmi | awk -F' *: ' '/^Name /{n=$2} /^Install Date /{print $2 "\t" n}' | head -n 50

# Check for hidden modules or suspicious kernel objects
echo "[+] Checking for loaded kernel modules (rootkit check)..."
lsmod | grep -v "^Module" | while read -r module rest; do
  modinfo "$module" 2>/dev/null | grep -q "description:" || echo "Suspicious module: $module (no description)"
done

# Scan for common infostealer persistence locations
echo "[+] Scanning for suspicious cron jobs..."
crontab -l 2>/dev/null | grep -v "^#" | grep -v "^$"

# Check for rogue systemd units
if [ -d /etc/systemd/system ]; then
  echo "[+] Checking for recently created systemd units..."
  find /etc/systemd/system -name "*.service" -mtime -2 -exec ls -la {} \;
fi

echo "[+] Checking for unauthorized SSH keys in root..."
if [ -f /root/.ssh/authorized_keys ]; then
  cat /root/.ssh/authorized_keys
fi

echo "[+] ACTION REQUIRED: Review the list of 'pacman -Qm' packages against the official Arch Linux security advisory."

Remediation

  1. Identify Compromised Packages: Cross-reference the output of pacman -Qm (list foreign packages) against the official Arch Linux security advisory listing the 400+ compromised packages.
  2. Containment: Immediately isolate affected Arch Linux hosts from the network to prevent credential exfiltration or lateral movement.
  3. Eradication:
    • For Infostealers Only: If infostealer activity is confirmed but no rootkit persistence is found, uninstall the compromised packages using pacman -R <package_name>.
    • For Rootkits: If a rootkit is suspected or confirmed, do not attempt removal. The integrity of the OS is broken. Wipe the drive and reinstall the operating system from trusted media.
  4. Credential Reset: Assume all credentials, SSH keys, API tokens, and cloud secrets stored on the compromised host are exfiltrated. Rotate them immediately from a clean, trusted workstation.
  5. Update Systems: After reinstallation or cleanup, update the system to ensure the latest pacman and archlinux-keyring are installed: pacman -Syu.
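
The cross-reference in step 1, as an added example that is not part of the original article or of the Arch Linux advisory. It assumes the advisory's package names have been saved to a local file, one per line; the function names and the file layout are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Assumption: advisory package names are saved in a local file,
# one per line ('#' comments, blank lines and CRLF line endings are tolerated).

# Print installed packages that appear on the advisory list, sorted.
#   $1: installed list, "name" or "name version" per line (pacman -Qm output)
#   $2: advisory list file
match_compromised() {
  awk '
    FNR == NR { sub(/\r$/, ""); sub(/#.*/, ""); if (NF) bad[$1] = 1; next }
    ($1 in bad) && !seen[$1]++ { print $1 }
  ' "$2" "$1" | sort
}

# Print pacman.log ALPM entries for advisory-listed packages. This also finds
# packages that were installed and later removed, which pacman -Qm cannot show.
#   $1: advisory list file   $2: log file (ISO-8601 timestamp format)
log_hits() {
  awk '
    FNR == NR { sub(/\r$/, ""); sub(/#.*/, ""); if (NF) bad[$1] = 1; next }
    $2 == "[ALPM]" && ($4 in bad) &&
      $3 ~ /^(installed|upgraded|reinstalled|removed)$/
  ' "$1" "${2:-/var/log/pacman.log}"
}

main() {
  advisory=$1
  installed=$(mktemp) || return 1
  pacman -Qm > "$installed"   # -Q query, -m foreign (non-repo) packages
  echo "[+] Installed foreign packages on the advisory list:"
  match_compromised "$installed" "$advisory"
  rm -f "$installed"
  echo "[+] pacman.log history for advisory-listed packages:"
  log_hits "$advisory"
}

# Run only when an advisory file is given and pacman is present.
if [ -n "${1:-}" ] && command -v pacman >/dev/null 2>&1; then
  main "$1"
fi
```

The log timestamps bound the window during which credentials on the host were exposed. A rootkit can tamper with local tool output, so an empty result on a live host does not clear it.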
