
AUR Supply Chain Attack Delivers eBPF Rootkit and Infostealer

A spoofed maintainer adopted over 400 Arch User Repository packages, injecting preinstall scripts that fetch malicious NPM payloads.

Emeka Okafor
Security Editor · Jun 12, 2026 · 3 min read

Supply chain attacks targeting developer environments are rarely subtle, but they are increasingly sophisticated. A recent campaign targeting the Arch Linux User Repository (AUR) has highlighted this trend, compromising more than 400 packages. What makes this incident notable is not just the scale of the compromise, but the payload: a combination of credential-stealing malware and an eBPF-based rootkit.

For developers who use Arch, the incident is a stark reminder of the trust placed in community-maintained repositories.

The Spoofing Vector

The compromise began when an attacker registered a new AUR maintainer account designed to impersonate a trusted, established member of the community. Using this spoofed identity, the actor adopted 408 orphaned or under-maintained packages.

Once in control of the repositories, the attacker modified the package build configurations to inject malicious preinstall scripts. These scripts were designed to execute during the package installation phase, leveraging package managers to pull down external payloads.

The attack featured at least two distinct execution paths:

  • The NPM Variant: The preinstall script used npm to install a malicious package called atomic-lockfile.
  • The Bun Variant: A separate variant of the modified packages utilized the Bun runtime to fetch and install a malicious package named js-digest.

According to security analysis from Socket, the js-digest package has since been removed from the NPM registry. The atomic-lockfile package, maintained by an NPM user operating under the handle herbsobering, had accumulated 134 downloads prior to discovery. A search for the same username on GitHub revealed a single container image (nodejs-argo/pkgs/container/herbsobering430) configured as a reverse shell or proxy tool.
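The injected hooks described above are what a local audit has to look for. As an added example (not from the article, Socket, or any AUR tooling), the following Python parses the hook functions of a pacman .install script and flags commands that pull code from a package manager or downloader; the sample script is constructed to mirror the two variants, and reading installed packages' scripts from /var/lib/pacman/local/<pkg>/install is an assumption about pacman's local database layout.

```python
import re
from pathlib import Path

# Hook functions pacman runs from a package's .install file.
HOOKS = ("pre_install", "post_install", "pre_upgrade",
         "post_upgrade", "pre_remove", "post_remove")
# Commands that have no business in an install hook: fetchers of external code.
SUSPICIOUS = re.compile(r"\b(npm|npx|bun|bunx|curl|wget|pip)\b")
FUNC_RE = re.compile(r"^\s*(\w+)\s*\(\)\s*\{", re.M)

def hook_bodies(text):
    """Return {hook_name: body} for each pacman hook function in a .install script."""
    bodies = {}
    for m in FUNC_RE.finditer(text):
        if m.group(1) not in HOOKS:
            continue
        # Walk braces from the opening "{" to find the matching close.
        depth, i = 0, m.end() - 1
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        bodies[m.group(1)] = text[m.end():i]
    return bodies

def flag_install_script(text):
    """Return (hook, command) pairs whose commands fetch code from the network."""
    findings = []
    for hook, body in hook_bodies(text).items():
        for line in body.splitlines():
            cmd = line.strip()
            if cmd and not cmd.startswith("#") and SUSPICIOUS.search(cmd):
                findings.append((hook, cmd))
    return findings

def scan_pacman_db(db_dir="/var/lib/pacman/local"):
    """Scan every installed package's stored install script (assumed pacman db layout)."""
    results = {}
    for install in Path(db_dir).glob("*/install"):
        hits = flag_install_script(install.read_text(errors="replace"))
        if hits:
            results[install.parent.name] = hits
    return results

# Constructed sample modelled on the hooks the campaign injected; not a real AUR file.
SAMPLE = """post_install() {
    # benign: refresh caches
    update-desktop-database -q
    npm install -g atomic-lockfile
}
pre_upgrade() {
    bun add js-digest
}
post_remove() {
    echo "bye"
}
"""
```

Running `scan_pacman_db()` on an Arch host returns only packages whose stored hooks match, so an empty dict is the expected result on a clean system.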


From Infostealer to Kernel-Level Rootkit

Most package-manager malware campaigns limit their scope to user-space activities—typically harvesting environment variables, SSH keys, and local credentials. This campaign, however, went significantly further.

Alongside standard infostealer capabilities, the payload deployed an eBPF (Extended Berkeley Packet Filter) rootkit. In the Linux security model, eBPF allows programs to run sandboxed inside the kernel space without modifying kernel source code or loading traditional kernel modules. While highly useful for observability and networking, eBPF is increasingly abused by malware authors to intercept system calls, manipulate network traffic, and hide malicious processes from user-space monitoring tools.

The deployment of an eBPF rootkit changes the threat profile of the compromise. Once kernel-level execution is achieved, traditional detection mechanisms running in user space can no longer be trusted to report the true state of the system.

Mitigation and Response

AUR maintainers have been actively working to identify and remove the compromised packages, but because the attack's indicators have continued to shift, developers running Arch must verify their own environments.

If you have installed any of the affected packages, standard cleanup procedures are insufficient. Because the payload includes a potential rootkit, the integrity of the operating system is entirely compromised.

The recommended response protocol for affected systems includes:

  1. Preserving the System: If forensic analysis is required by your organization, preserve the system state before taking it offline.
  2. Credential Rotation: Immediately rotate all credentials, API keys, SSH keys, and session tokens that were stored on or accessed by the compromised machine.
  3. Clean Reinstallation: Perform a complete, bare-metal reinstallation of the operating system. When a rootkit enters the kernel, system trust cannot be restored through simple package uninstallation.

Sources & further reading

  1. AUR Packages Compromised with Infostealer and Rootkit — discourse.ifin.network

Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.
