More than 400 AUR packages were weaponized with malicious install scripts that deploy an eBPF rootkit and credential harvester targeting SSH keys, cloud secrets, container credentials, and messaging session tokens on developer workstations. No CVE applies; the attack exploits the AUR community trust model. Any organization with developers running Arch Linux should treat this as an active supply chain compromise requiring immediate workstation isolation and full credential rotation.
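A triage aid for the install-script vector described above, added here as an example and not taken from the advisory or from any Arch tooling: it walks pacman's local package database and lists every package that ships an install scriptlet and was not PGP-validated at install time, with the hooks each scriptlet defines, so a responder knows which scripts to read first. Assumptions: the database lives at `/var/lib/pacman/local`, locally built (AUR) packages are recorded with `%VALIDATION%` set to `none`, and the function names and sample package names are made up for illustration. The advisory publishes no indicators, so the output is a review list, not a verdict.

```python
import re
import tempfile
from pathlib import Path

HOOK_RE = re.compile(r"^\s*((?:pre|post)_(?:install|upgrade|remove))\s*\(\)", re.M)

def parse_desc(text):
    """Parse a local-db desc file: a %FIELD% line followed by its value lines."""
    fields, cur = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            cur = fields.setdefault(line.strip("%"), [])
        elif line and cur is not None:
            cur.append(line)
    return fields

def unsigned_scriptlets(db_root, since=0):
    """List packages that ship an install scriptlet and were not PGP-validated."""
    hits = []
    for script in sorted(Path(db_root).glob("*/install")):
        f = parse_desc((script.parent / "desc").read_text(errors="replace"))
        date = (f.get("INSTALLDATE") or ["0"])[0]
        installed = int(date) if date.isdigit() else 0  # epoch seconds
        if "pgp" in f.get("VALIDATION", []) or installed < since:
            continue  # signed repo package, or installed before the window
        hooks = sorted(set(HOOK_RE.findall(script.read_text(errors="replace"))))
        name = (f.get("NAME") or [script.parent.name])[0]
        hits.append({"name": name, "installed": installed, "hooks": hooks, "script": str(script)})
    return hits

def build_sample_db():
    """Constructed sample database (package names are made up) for offline runs."""
    root = Path(tempfile.mkdtemp(prefix="pacman-local-"))
    samples = [  # (directory, name, validation, install date, scriptlet or None)
        ("example-aur-tool-1.0-1", "example-aur-tool", "none", 1700000500,
         "post_install() {\n  :\n}\npost_upgrade() {\n  post_install\n}\n"),
        ("example-repo-pkg-2.1-3", "example-repo-pkg", "pgp", 1700000600, "post_install() {\n  :\n}\n"),
        ("example-aur-lib-0.3-1", "example-aur-lib", "none", 1700000700, None),
        ("example-old-aur-4.0-2", "example-old-aur", "none", 1600000000, "pre_remove() {\n  :\n}\n"),
    ]
    for dirname, name, validation, date, script in samples:
        d = root / dirname
        d.mkdir()
        (d / "desc").write_text(f"%NAME%\n{name}\n\n%INSTALLDATE%\n{date}\n\n%VALIDATION%\n{validation}\n\n")
        if script is not None:
            (d / "install").write_text(script)
    return root

if __name__ == "__main__":
    for hit in unsigned_scriptlets(build_sample_db(), since=1700000000):
        print(hit["name"], hit["installed"], ",".join(hit["hooks"]), hit["script"])
```

On a workstation under review, call `unsigned_scriptlets("/var/lib/pacman/local", since=...)` against a read-only copy or mounted image of the disk, since a rootkit on the live host can alter what userland tools see.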