More than 400 packages in the Arch Linux repository distribute a rootkit and a trojan blog.segu-info.com.ar/2026/0…

🦔 📹 Poison X kernel mode rootkit analysis ➡️ kernel mode driver theory ➡️ Ghidra markup ➡️ basic string deobfuscation #MalwareAnalysisForHedgehogs youtube.com/watch?v=yx6AbXlO…
[Cybersecurity Trend Analysis] Trending security news (as of June 14, 2026) Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication thehackernews.com/2026/06/cr… U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals thehackernews.com/2026/06/us… Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit thehackernews.com/2026/06/ov… Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing thehackernews.com/2026/06/go… ShinyHunters linked to exploitation of critical flaw in Oracle PeopleSoft cybersecuritydive.com/news/s… Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure darkreading.com/vulnerabilit… Anthropic disables new models after government calls them a national security concern cyberscoop.com/us-government… CISA Adds Known Exploited Vulnerabilities (including Oracle PeopleSoft) cisa.gov/news-events/cyberse… Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters securityweek.com/google-conf… Ivanti Sentry Exploitation Attempts Hitting Honeypots securityweek.com/ivanti-sent… Main trends: AI-related regulation and model restrictions, zero-days and early exploitation of Oracle PeopleSoft / Ivanti and others, supply chain attacks (Arch Linux and others), and CISA KEV additions are all active. Check the details directly via the URLs above. Details of the CISA KEV list
"More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens." Autistic genius me who never runs AUR packages built by lamers:
[Cybersecurity Trend Analysis] Trending security news (as of June 14, 2026) Anthropic takes its latest AI models (Fable 5 / Mythos 5) offline; access for foreign nationals restricted in response to export controls. thehackernews.com/ cyberscoop.com/us-government… ShinyHunters exploits a critical Oracle PeopleSoft vulnerability to steal data from and extort educational institutions and other targets. thehackernews.com/ reuters.com/legal/government… security-next.com/185824 Supply chain attack: more than 400 Arch Linux AUR packages hijacked to distribute an infostealer and an eBPF rootkit. thehackernews.com/ bleepingcomputer.com/ Chrome V8 zero-day (CVE-2026-11645) being exploited in the wild; patch promptly. thehackernews.com/ NPM 12 changes the script execution behavior of dependencies, strengthening supply chain attack prevention. securityweek.com/ CISA adds multiple Known Exploited Vulnerabilities (KEV) to its catalog. cisa.gov/news-events/cyberse… OpenSSL fixes 18 vulnerabilities (including dangerous ones discovered by AI). security-next.com/ Microsoft's June patches fix a record 198 vulnerabilities (including 3 zero-days). japan.zdnet.com/security/ FBI takes down a large China-based cybercrime network (losses on the order of $1.9 billion). cyberscoop.com/ Cyber insurance premiums trending down while exclusion clauses expand; regulation tightening around AI threats. darkreading.com/
Update: the Arch Linux AUR supply chain attack just got much worse. When I posted earlier, around 400 packages were compromised. Now it's reportedly over 1,500. The malware isn't just stealing credentials. It's targeting developers by harvesting:
• SSH keys
• GitHub tokens
• npm credentials
• Browser sessions
• Slack, Discord & Teams accounts
• VPN configurations
And on privileged systems, it can reportedly deploy an eBPF rootkit to hide from security tools. This is quickly becoming one of the largest AUR compromises ever seen. If you're an Arch user, now would be a good time to audit your recent AUR installs.
Over 400 Arch Linux AUR packages were just compromised. And this is a reminder that open source doesn't automatically mean secure. Attackers reportedly hijacked package maintenance and injected malware capable of:
• Stealing GitHub credentials
• Extracting SSH keys
• Harvesting browser cookies
• Accessing Slack, Discord & Teams data
• Collecting VPN credentials
• Deploying an eBPF rootkit
The scary part? Many developers install AUR packages without reviewing every PKGBUILD. Affected systems may have exposed:
• GitHub tokens
• npm credentials
• Docker & Podman secrets
• HashiCorp Vault tokens
• SSH artifacts
• Browser session data
If you're running Arch or an Arch-based distro and recently installed AUR packages:
• Audit installed packages
• Check for indicators of compromise
• Rotate credentials immediately
• Consider a clean reinstall if rootkit activity is suspected
This isn't an Arch Linux problem. It's a software supply chain problem. One compromised package can put thousands of developer machines at risk. Do you review PKGBUILDs before installing AUR packages, or do you trust the community by default?
I submitted a new sample to samplepedia.cc: the PoisonX rootkit. A video solution follows in the next few days. samplepedia.cc/sample/db5d28…
Malware Analysis - PoisonX rootkit, Kernel driver rootkit markup in Ghidra ift.tt/Kqh0MRi Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor. Enroll Now and Save 10%: Coupon Co…
Also, if you do not plan to wipe your OS because you do not think it's a deep infection, download Malwarebytes and run the rootkit detection option, as well as the Windows Defender offline scan, to see if anything is actually deeply embedded in the system.
Over 400 #Arch_Linux AUR Packages #Hijacked to Deploy #Infostealer and #eBPF #Rootkit buff.ly/7p245rE