Arch Linux Removes Malicious AUR Packages That Deployed Chaos RAT Malware

Arch Linux pulled three AUR packages after discovering they delivered Chaos RAT malware through a malicious GitHub script, compromising Linux systems via community-sourced PKGBUILD files.

    Three malicious packages uploaded to the Arch User Repository (AUR) have been removed after they were found to install the Chaos Remote Access Trojan (RAT) on Linux systems. The packages, librewolf-fix-bin, firefox-patch-bin and zen-browser-patched-bin, were submitted on July 16 by a user named danikpapas and taken down two days later after community members raised the alarm. They were malicious from the moment they were published rather than legitimate packages that were later tampered with.

    “On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR,” AUR maintainers stated.
    “Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).”

    How the Attack Was Delivered Through AUR Packages

    The Arch User Repository is where Arch Linux users publish package build scripts (PKGBUILDs) for software that is not in the official repositories. It has no formal review process: nothing is vetted before it goes live, so the only check is the user reading the PKGBUILD, and anything it fetches, before running makepkg. A PKGBUILD is a shell script, and makepkg executes it, so an AUR helper that auto-confirms the review step removes the last line of defence.

    In this incident, all three PKGBUILDs carried a “patches” entry in their source array that pointed to a GitHub repository under the attacker’s control:
    https://github.com/danikpapas/zenbrowser-patch.git

    makepkg clones every VCS source before building, so the contents of that repository were pulled into the build directory and executed as part of building and installing the package; the “patch” was the payload. The GitHub repository has since been deleted, and its .git history is no longer available for analysis.
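    The pattern described above, a source entry that clones a repository whose contents then run during the build, can be screened for before makepkg is ever invoked. The script below is an added example written for this article, not tooling from Arch or the AUR. It parses the PKGBUILD as text rather than sourcing it (sourcing, or running makepkg --printsrcinfo, would execute any top-level code in an untrusted file), flags VCS sources, SKIP checksums, a -bin package that clones a repository, and curl-or-wget-to-shell lines. The sample PKGBUILD it audits is constructed for the demonstration; its package name and URLs are placeholders and not the packages from the incident.

```shell
#!/bin/sh
# Added example, not tooling from Arch or the AUR: a textual pre-build audit of
# a PKGBUILD. It deliberately neither sources the file nor runs
# `makepkg --printsrcinfo`, since both execute any top-level code in an
# untrusted PKGBUILD. Everything below is plain text matching.

# Print each entry of source=() and source_<arch>=() arrays, one per line,
# quotes stripped. Handles one-line and multi-line arrays.
extract_sources() {
    awk '
        /^[[:space:]]*source[_[:alnum:]]*=\(/ { inarr = 1; sub(/^[^(]*\(/, "") }
        inarr {
            line = $0
            if (line ~ /\)/) { inarr = 0; sub(/\).*$/, "", line) }
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/["'\'']/, "", p)
                if (p != "") print p
            }
        }
    ' "$1"
}

# Classify one source entry ("name::url" or a bare url). VCS sources are the
# shape used in this incident: a package that also clones a git repository and
# runs whatever it finds there.
classify_source() {
    url=${1##*::}
    case $url in
        git+*|git://*|*.git|*.git\#*)
            case $url in
                *\#commit=*|*\#tag=*) echo "WARN vcs-pinned $url" ;;
                *)                    echo "ALERT vcs-unpinned $url" ;;
            esac ;;
        http://*|https://*|ftp://*) echo "INFO remote $url" ;;
        *)                          echo "INFO local $url" ;;
    esac
}

# Number of checksum slots set to SKIP, i.e. sources with no integrity pin.
count_skip_checksums() {
    grep -c -w SKIP "$1" || true
}

# Lines that fetch over the network and feed the result straight to a shell.
find_pipe_to_shell() {
    grep -n -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1" || true
}

# Print a report; ALERT lines mean "do not run makepkg until you understand this".
audit_pkgbuild() {
    f=$1
    extract_sources "$f" | while IFS= read -r entry; do
        classify_source "$entry"
    done
    # A prebuilt (-bin) package has no business cloning a repository at all.
    if grep -q -E "^pkgname=['\"]?[^'\" ]*-bin['\"]?[[:space:]]*$" "$f" \
        && extract_sources "$f" | grep -q -E '(^|::)(git\+|git://)|\.git(#|$)'; then
        echo "ALERT bin-package-with-vcs-source prebuilt package clones a repository"
    fi
    skips=$(count_skip_checksums "$f")
    if [ "$skips" -gt 0 ]; then
        echo "WARN skip-checksums $skips source(s) carry no integrity pin"
    fi
    find_pipe_to_shell "$f" | sed 's/^/ALERT pipe-to-shell line /'
}

# Exit status 0 when the report contains at least one ALERT line.
needs_review() {
    audit_pkgbuild "$1" | grep -q '^ALERT'
}

# Constructed sample PKGBUILD (placeholder names and URLs, not the real
# packages) shaped like the incident: a prebuilt-binary package whose source
# array also pulls a git repository of "patches" and runs a script from it.
SAMPLE_PKGBUILD=$(mktemp)
cat > "$SAMPLE_PKGBUILD" <<'EOF'
pkgname=example-browser-patched-bin
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
source=("https://downloads.example.invalid/browser-${pkgver}.tar.xz"
        "patches::git+https://git.example.invalid/someone/browser-patch.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
package() {
    cd "$srcdir/patches"
    sh ./apply.sh
}
EOF

audit_pkgbuild "$SAMPLE_PKGBUILD"
if needs_review "$SAMPLE_PKGBUILD"; then
    echo "verdict: review the ALERT lines before running makepkg"
fi
```

    Run it as `audit_pkgbuild ./PKGBUILD` from a cloned AUR checkout. A WARN for a pinned git source or a SKIP checksum is normal for many legitimate -git packages; the combination that should stop you is a package that claims to ship a prebuilt binary while also cloning an unpinned repository and executing from it.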

    Community Response and Malware Discovery

    Shortly after the upload, a long-dormant Reddit account began promoting the packages in various Arch Linux-related threads. Community members flagged the posts, and one user submitted the package to VirusTotal, where it was identified as Chaos RAT.

    Chaos RAT is an open-source remote access trojan that runs on both Linux and Windows. Once installed, it gives the operator the ability to:

    • Upload and download files
    • Execute arbitrary system commands
    • Open reverse shells
    • Maintain persistent access via a Command and Control (C2) server

    In this campaign the malware connected to a C2 server at 130.162[.]225[.]47:8080. Chaos RAT is frequently used in cryptocurrency mining operations, but the same access is equally usable for data theft and espionage.

    Impact and Mitigation Steps for Arch Linux Users

    The Arch Linux team removed the malicious packages by July 18 at 6 PM UTC+2. Users who installed any of the three packages are strongly advised to check for signs of compromise.

    “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised,” stated the Arch Linux team.

    The indicator given is an executable named systemd-initd, typically dropped in the /tmp directory; no genuine systemd component carries that name, which is the point of the disguise. If it is present, treat the host as compromised rather than simply cleaned: deleting the file does not stop a process that is already running or undo any persistence the RAT set up, so kill the process, remove the package, check the usual autostart locations for references to the binary, and rotate any credentials that were usable from that machine.
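    The indicators above (the three package names, the dropped binary, and the C2 address) can be swept for on a host in one pass. The script below is an added example written for this article, not a script from the Arch advisory. Each check reads from stdin so it can be run against live command output or against output saved from another machine; the sample pacman, ps and ss output it demonstrates on is constructed, not captured from a real infection. The persistence sweep over autostart directories is a generic check, not something the advisory describes.

```shell
#!/bin/sh
# Added example, not a script from the Arch advisory: a host sweep for the
# indicators the advisory gives (package names, /tmp/systemd-initd, the C2
# address). Each check reads its input from stdin so it can run against live
# command output here or against output saved from another machine.

BAD_PKGS='librewolf-fix-bin|firefox-patch-bin|zen-browser-patched-bin'
BAD_BIN='systemd-initd'       # no genuine systemd component has this name
C2='130.162.225.47:8080'      # advisory address, refanged for exact matching

# stdin: output of `pacman -Qq` (one installed package name per line)
installed_bad_packages() {
    grep -x -E "$BAD_PKGS" || true
}

# stdin: output of `ps -eo pid=,comm=,args=`; matches on the kernel-reported
# command name or on the executable path as invoked.
rat_processes() {
    awk -v bad="$BAD_BIN" '$2 == bad || $3 ~ ("(^|/)" bad "$")'
}

# stdin: output of `ss -tnp`; any socket to the C2 address.
c2_connections() {
    grep -F -- "$C2" || true
}

# $1: directory to check for the dropped binary (parameterised instead of
# hard-coding /tmp so it can be pointed at a mounted image or a test dir).
dropped_binary() {
    if [ -e "$1/$BAD_BIN" ]; then ls -l "$1/$BAD_BIN"; else return 1; fi
}

# $@: autostart locations to grep for references to the binary. A generic
# persistence check, not one the advisory describes.
persistence_refs() {
    for d in "$@"; do
        [ -d "$d" ] && grep -rl -- "$BAD_BIN" "$d" 2>/dev/null || true
    done
}

# Constructed sample output (not captured from a real host) showing what a
# hit looks like in each check.
SAMPLE_PKGS='base
firefox-patch-bin
linux'
SAMPLE_PS='  412 systemd-journald /usr/lib/systemd/systemd-journald
 2231 systemd-initd /tmp/systemd-initd
 2240 bash bash'
SAMPLE_SS='ESTAB 0 0 192.0.2.10:51234 130.162.225.47:8080 users:(("systemd-initd",pid=2231,fd=5))'

echo "== constructed samples =="
printf '%s\n' "$SAMPLE_PKGS" | installed_bad_packages | sed 's/^/INSTALLED /'
printf '%s\n' "$SAMPLE_PS"   | rat_processes          | sed 's/^/PROCESS /'
printf '%s\n' "$SAMPLE_SS"   | c2_connections         | sed 's/^/C2 /'

# Live sweep, using whichever tools this host has.
echo "== this host =="
command -v pacman >/dev/null 2>&1 && pacman -Qq | installed_bad_packages | sed 's/^/INSTALLED /'
command -v ps >/dev/null 2>&1 && ps -eo pid=,comm=,args= 2>/dev/null | rat_processes | sed 's/^/PROCESS /'
command -v ss >/dev/null 2>&1 && ss -tnp 2>/dev/null | c2_connections | sed 's/^/C2 /'
dropped_binary /tmp | sed 's/^/FILE /'
persistence_refs /etc/systemd/system /etc/cron.d \
    "${HOME:-/root}/.config/systemd/user" "${HOME:-/root}/.config/autostart" | sed 's/^/PERSIST /'
```

    Any line under "this host" is a hit. A PROCESS hit matters more than a FILE hit: the binary can be deleted while the process keeps running, so kill the process before removing the file, and run the live sweep as root so ss can attribute sockets to processes.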

    The packages were live for roughly two days, but the incident is a reminder of where the AUR model puts the burden: there is no audit or formal vetting before publication, a PKGBUILD is a shell script that makepkg executes, and a source entry pointing at someone else’s repository is code you are agreeing to run.
