1,500 AUR Packages Injected with eBPF Rootkit via Orphaned PKGBUILDs
Atomic Arch exploited gaps in AUR's maintenance of orphaned packages to reach 1,500 entries carrying kernel-resident credential theft. The evidence trail points to a deliberate escalation from NPM to eBPF-based persistence. Systemic trust assumptions in open-source repositories remain the core unresolved risk.
AUR's trust model relies on volunteer maintainers with no mandatory ownership renewal, creating a standing attack surface larger than that of the official repositories. The 1,500-package count exceeds the recent PyPI and Red Hat NPM incidents combined, yet the campaign has no CVE tracking or coordinated disclosure. Reopening registrations without automated orphan detection will likely trigger renewed waves within a week. The rebuild-from-media guidance issued by responders indicates that standard AV is insufficient against the eBPF layer.
Arch Linux: Malicious package submissions will resume within 72 hours of signup reopening if orphan expiry policy is not enforced.
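A defender-side check for the orphan-package exposure described above, added here as an example and not taken from the cited reports: it compares the machine's foreign (non-repo) packages against AUR metadata and flags the ones that deserve a PKGBUILD review before the next update. The installed list and the RPC response are constructed sample data; the AUR RPC v5 field names (`Maintainer`, `LastModified`, `Version`) are an assumption about the public API, not something the brief states.

```python
import json

# Fixed "now" (2025-01-01 00:00 UTC) so the sample is deterministic.
NOW = 1735689600

# Constructed: what `pacman -Qm` (foreign packages) might report, name -> version.
INSTALLED_FOREIGN = {
    "yay": "12.0.0-1",
    "example-tool": "1.2-3",
    "old-helper": "0.9-1",
    "gone-pkg": "2.0-1",
}

# Constructed sample of an AUR RPC v5 "info" response; field names are an
# assumption about the public API, package names and values are made up.
# "gone-pkg" is deliberately absent (removed from AUR after a takedown).
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "yay", "Version": "12.0.0-1", "Maintainer": "someone",
         "LastModified": 1700000000, "OutOfDate": None},
        {"Name": "example-tool", "Version": "1.2-3", "Maintainer": None,
         "LastModified": 1600000000, "OutOfDate": None},
        {"Name": "old-helper", "Version": "0.9-1", "Maintainer": "newuser",
         "LastModified": NOW - 3 * 86400, "OutOfDate": None},
    ],
})


def audit(installed: dict, rpc_json: str, now: int, recent_days: int = 14) -> dict:
    """Return {package: [findings]} for installed AUR packages worth reviewing.

    Findings: missing from AUR, orphaned (no maintainer, so anyone may adopt
    it), modified within `recent_days`, or AUR version differing from local.
    """
    remote = {r["Name"]: r for r in json.loads(rpc_json)["results"]}
    findings = {}
    for name, local_ver in installed.items():
        notes = []
        info = remote.get(name)
        if info is None:
            notes.append("not on AUR (removed or renamed)")
        else:
            if info.get("Maintainer") is None:
                notes.append("orphaned: anyone can adopt it")
            age_days = (now - info["LastModified"]) / 86400
            if age_days <= recent_days:
                notes.append(f"modified {age_days:.0f}d ago")
            if info["Version"] != local_ver:
                notes.append(f"AUR version {info['Version']} != installed {local_ver}")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for pkg, notes in audit(INSTALLED_FOREIGN, SAMPLE_RPC_RESPONSE, NOW).items():
        print(pkg, "->", "; ".join(notes))
```

A recently modified orphan is the pattern this campaign abused; the flag is a prompt to diff the PKGBUILD, not proof of compromise.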
Sources (3)
- [1] [Sonatype Atomic Arch Campaign Report](https://blog.sonatype.com/atomic-arch-supply-chain)
- [2] [Arch Linux AUR Suspension Notice](https://archlinux.org/news/aur-registration-suspended)
- [3] [StepSecurity Atomic Rootkit Analysis](https://www.stepsecurity.io/blog/atomic-arch-ebpf)