Last updated: July 5, 2026 at 9:01 AM UTC
Tag: arch-linux (2 articles)

Over 400 Arch Linux AUR packages hijacked to drop stealer and rootkit

Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.

Check
List AUR packages installed or updated since June 9 and diff their PKGBUILD and install scripts, flagging any that invoke npm, pip, or cargo for no clear reason.
Affected
Arch Linux and Arch-based systems where AUR packages were installed or updated on or after June 9 via helpers like yay or paru; root installs also expose an eBPF rootkit.
Fix
Remove affected packages and rotate all credentials, SSH keys, tokens, and wallets from the host. If a package ran as root, rebuild the machine; the rootkit makes in-place cleanup untrustworthy.
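The Check step above, as an added script that is not part of the article or of any Arch tooling: it lists foreign (AUR) packages installed or upgraded on or after a given date using pacman's local database, then greps the cached PKGBUILD and .install files for npm, pip or cargo calls. It assumes the local-db layout (`/var/lib/pacman/local/NAME-VER/desc` with an epoch `%INSTALLDATE%`) and that the AUR helper keeps its clones under `$AUR_CACHE`, defaulting to `~/.cache/yay`.

```shell
#!/bin/sh
# Added example, not code from the article or from the Arch project.
# Assumes pacman's local database layout (/var/lib/pacman/local/NAME-VER/desc
# with an epoch-seconds %INSTALLDATE% field) and that the AUR helper keeps its
# clones under $AUR_CACHE (default ~/.cache/yay; use ~/.cache/paru for paru).
AUR_CACHE=${AUR_CACHE:-$HOME/.cache/yay}

# Word-bounded regex for npm / pip / cargo invocations: "(pipewire)" inside a
# depends= array must not match, "  npm install foo" must.
SUSPECT_RE='(^|[^A-Za-z0-9_-])(npm|npx|pip[23]?|cargo)([[:space:]]|$)'

# aur_pkgs_since YYYY-MM-DD: print "name version" for every foreign (AUR)
# package whose last install or upgrade is on or after that date.
aur_pkgs_since() {
    since=$(date -d "$1" +%s) || return 2      # GNU date
    pacman -Qm | while read -r name ver; do
        desc=/var/lib/pacman/local/$name-$ver/desc
        installed=$(awk '/^%INSTALLDATE%/ { getline; print; exit }' "$desc")
        [ "${installed:-0}" -ge "$since" ] && echo "$name $ver"
    done
}

# scan_build_files DIR: print "file:line:text" for each PKGBUILD or *.install
# under DIR that calls npm, pip or cargo, skipping commented-out lines.
# Returns 0 if anything was flagged, 1 if clean. A Rust or Node package will
# legitimately hit cargo/npm in build(); the question is whether that call
# belongs in *this* package, so every hit still needs a human look.
scan_build_files() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -nHE "$SUSPECT_RE" {} + 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Usage: sh aur-audit.sh --run YYYY-MM-DD   (the article's cut-off is June 9)
if [ "${1-}" = "--run" ]; then
    aur_pkgs_since "$2" | while read -r name ver; do
        if [ ! -d "$AUR_CACHE/$name" ]; then
            echo "$name $ver: no cached clone, fetch the PKGBUILD and review"
            continue
        fi
        scan_build_files "$AUR_CACHE/$name" || echo "$name $ver: clean"
    done
fi
```

Packages with no cached clone still need a manual look, since the helper may have deleted the build directory after installing.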

PinTheft Arch Linux LPE: RDS zerocopy double-free turned into io_uring page-cache overwrite, PoC released

The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation tied to a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that can be turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no assigned CVE yet. Exploitation requires the RDS module to be loaded - default only on Arch Linux among the major distributions - plus io_uring enabled and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.

Check
Inventory Arch Linux hosts with `pacman -Q linux`. Check if RDS is loaded via `lsmod | grep rds`. Look for unexpected root shells from low-privilege users in audit logs since 2026-05-20.
Affected
Linux kernels with the RDS module enabled (default only on Arch Linux among common distros) plus io_uring enabled and a readable SUID-root binary. PoC tested on x86_64.
Fix
Apply the latest Arch Linux kernel update. Temporary mitigation: `rmmod rds_tcp rds` and blacklist via /etc/modprobe.d/pintheft.conf. Audit io_uring usage and consider raising its sysctl restrictions.