In a significant security breach, attackers have compromised over 400 packages in the Arch User Repository (AUR), a community-driven repository for Arch Linux users. These malicious actors modified the build scripts of these packages to deploy credential-stealing malware on the systems that built them.
The malware, written in Rust, is designed to harvest sensitive developer information. When executed with root privileges, it can also install an eBPF rootkit to conceal its presence. It’s important to note that this attack is confined to the AUR and does not affect Arch Linux’s official repositories.
Understanding the AUR and the Nature of the Attack
The AUR is a platform where users share PKGBUILD scripts, facilitating the building and installation of software not included in the official Arch repositories. This community-driven approach relies heavily on trust, as users execute scripts provided by others.
In this incident, attackers exploited this trust by adopting orphaned packages—those without active maintainers—and altering their build instructions. They inserted commands to run npm install atomic-lockfile during the build process, which fetched a malicious npm package. This package contained a preinstall hook that executed a bundled Linux ELF binary named deps, initiating the malware deployment.
Malware Capabilities and Impact
Once executed, the malware targets a range of sensitive data, including:
- Cookies, tokens, and local storage from Chromium-based browsers like Chrome, Edge, and Brave.
- Session data from Electron applications such as Slack, Discord, and Microsoft Teams.
- Credentials and tokens from platforms like GitHub, npm, HashiCorp Vault, and OpenAI/ChatGPT.
- SSH keys, known_hosts files, and shell histories.
- Docker and Podman credentials, as well as VPN profiles.
The stolen data is exfiltrated over HTTP to a temporary storage service. For command and control, the malware utilizes a Tor onion service accessed via a local loopback proxy.
To maintain persistence, the malware installs a systemd service configured to restart always (systemd's Restart=always). Depending on its privileges, it places itself in system directories or in the user's home directory and sets up the corresponding systemd units. If executed with root privileges, it can load an eBPF rootkit to hide its processes and resist debugging attempts.
Mitigation and Recommendations
Users who installed or updated AUR packages on or after June 11 are advised to verify their systems against the list of affected packages. Merely removing the compromised AUR packages is insufficient, as the malware may have established persistence mechanisms. A thorough system audit and potential reinstallation may be necessary to ensure complete removal of the threat.
This incident underscores the inherent risks in community-driven repositories and the importance of vigilance when installing software from untrusted sources. Users should regularly review PKGBUILD scripts, monitor for unusual system behavior, and consider using sandbox environments for building packages.
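A minimal pre-build PKGBUILD audit of the kind the review recommendation above calls for, added here as an example (not the article's code or any Arch/AUR tooling): it flags the registry-fetching npm install that was injected in this incident, as well as download-to-shell pipes, and assumes the standard PKGBUILD layout in which each function's closing brace starts its own line. The sample PKGBUILD is constructed for the example.

```python
"""Pre-build audit of a PKGBUILD for build-time network installs: an added defensive example,
not code from the article or from Arch/AUR tooling."""
import re

# Commands a reviewer does not expect inside build()/package(): they pull code from the
# network at build time, which is exactly how the injected npm preinstall hook was triggered.
SUSPICIOUS = [
    (re.compile(r"\bnpm\s+(?:i|install)\s+(?!--)(?![./$\"'])[\w@][\w@/.-]*"),
     "npm install of a named package at build time"),
    (re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z)?sh\b"), "download piped into a shell"),
]
# Top-level 'name() {' ... '}' blocks; assumes the closing brace starts its own line,
# as in standard PKGBUILD layout (braces inside ${var} never start a line).
FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{[ \t]*\n(.*?)^\}", re.M | re.S)

def shell_functions(text):
    """Return {function name: body} for every function in the PKGBUILD."""
    return {m.group(1): m.group(2) for m in FUNC_RE.finditer(text)}

def audit_pkgbuild(text):
    """Return [(function, finding, offending line)] for every suspicious command found."""
    findings = []
    for fname, body in shell_functions(text).items():
        for line in body.splitlines():
            code = line.split("#", 1)[0]            # drop trailing comments (naive)
            for pattern, label in SUSPICIOUS:
                if pattern.search(code):
                    findings.append((fname, label, line.strip()))
    return findings

# Constructed sample mirroring the injected build step; not a real AUR package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
source=("$pkgname-$pkgver.tar.gz")
build() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install atomic-lockfile
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 "$pkgname" "${pkgdir}/usr/bin/$pkgname"
}
"""
if __name__ == "__main__":
    for func, label, line in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"{func}(): {label}\n    {line}")
```

Run it against a downloaded PKGBUILD before makepkg; a clean result is not proof of safety, only the absence of these two patterns, so unfamiliar commands in build() and package() still deserve a manual read.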
As the open-source community continues to grapple with supply chain attacks, this event serves as a stark reminder of the need for robust security practices and the continuous vetting of community contributions.