diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 567398f5f..bc057c28f 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -19,3 +19,40 @@
       - patch
       - python2
     state: 'absent'
+
+# Security hardening: remove packages that increase attack surface
+# - Compiler toolchain enables local exploit compilation
+# - Dev packages provide headers for building exploits
+# - salt-minion is a remote management agent (large attack surface)
+# - sshpass stores credentials in plaintext
+- name: Remove high-security-risk packages
+  ansible.builtin.apt:
+    autoremove: true
+    pkg:
+      # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
+      - binutils
+      - binutils-aarch64-linux-gnu
+      - binutils-common
+      # Dev/header packages
+      - libc6-dev
+      - libcrypt-dev
+      - libevent-dev
+      - libpcre3-dev
+      - libssl-dev
+      - libsystemd-dev
+      - linux-headers-aws
+      - linux-libc-dev
+      - pkg-config
+      - pkgconf
+      - pkgconf-bin
+      - rpcsvc-proto
+      - systemd-dev
+      - zlib1g-dev
+      # Remote management (if not used)
+      - salt-minion
+      - salt-common
+      # Credential handling
+      - sshpass
+      # Build tool leftovers
+      - ansible-core
+    state: 'absent'
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
index e6a585001..3e055561b 100644
--- a/scripts/90-cleanup-qemu.sh
+++ b/scripts/90-cleanup-qemu.sh
@@ -38,7 +38,9 @@ elif [ -n "$(command -v apt-get)" ]; then
     ansible \
     snapd
-  add-apt-repository --yes --remove ppa:ansible/ansible
+  # Remove ansible PPA directly (software-properties-common may not be installed)
+  rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+        /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
 source /etc/os-release
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 644e5f7f6..eaa338f14 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
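Review bot: The `# Remote management (if not used)` comment above `salt-minion`/`salt-common` describes a condition the task does not implement — both packages are purged unconditionally in the `pkg` list, so a host that is actually managed by Salt would be silently cut off. Either drop the qualifier or gate the task, e.g. `when: not keep_salt_minion | default(false)` (variable name illustrative), so the intent in the comment matches the behaviour. Removing `ansible-core` in this same task looks risky if the play is executed by the locally installed interpreter (the 90-cleanup scripts purge `ansible` in a later shell stage, which suggests it is installed on the image); if that is the case, leave it to that stage or make this the final task. `autoremove: true` combined with `libc6-dev`/`linux-libc-dev` can cascade to reverse dependencies not in this list, so recording the result of an `apt-get -s autoremove` dry run against the base image in the header comment would make the list reviewable.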
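Review bot: The new `rm -f` in 90-cleanup-qemu.sh (and the identical hunk in 90-cleanup.sh) drops the PPA's source list but not its signing key, so a keyring file for a repository that is no longer configured (typically under `/etc/apt/trusted.gpg.d/`, path to be confirmed for this image) stays trusted by apt; `add-apt-repository --remove` may have handled that on the versions that shipped it, so either remove the matching keyring file here as well or note in the comment why it is left. `2>/dev/null || true` is redundant with `-f` for missing files and additionally masks real failures such as a read-only filesystem; `rm -f ... ` alone keeps the script's error visibility. The enclosing `elif` block starts and ends outside the hunk.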
@@ -36,7 +36,9 @@ elif [ -n "$(command -v apt-get)" ]; then
     libgcc-9-dev \
     ansible
-  add-apt-repository --yes --remove ppa:ansible/ansible
+  # Remove ansible PPA directly (software-properties-common may not be installed)
+  rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+        /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
 source /etc/os-release