Key Findings Over 400 packages in the Arch User Repository (AUR) were hijacked this week with malicious build scripts Attackers modified PKGBUILD files to inject a credential stealer written in Rust that harvests developer secrets The malware can load an eBPF rootkit when running with root privileges to hide its presence Attack targets orphaned packages with abandoned maintainers, then spoofs commit metadata to appear legitimate Malware collects browser cookies, SSH keys, Git