Developers of Arch Linux discovered three malicious packages in the Arch User Repository (AUR). These packages were used to install the Chaos remote access trojan (RAT) on Linux devices.
The packages were named librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin, and were uploaded by the user danikpapas on July 16, 2025. The packages were removed from the repository two days later, after the community flagged them as malicious.
“On July 16, a malicious package was uploaded to AUR,” warn the AUR maintainers. “Two more malicious packages were uploaded by the same user a few hours later. These packages executed a script from a repository on GitHub, which was identified as a remote access Trojan (RAT).”
As with many other package repositories, there is no formal procedure for reviewing new or updated packages in the AUR. This means that users should independently review the code and installation scripts before building and installing a package.
Although the packages have now been removed, Bleeping Computer examined their archived copies. The PKGBUILD file of all the packages contained a source entry with the name patches, which pointed to a GitHub repository controlled by the attacker: https://github.com/danikpapas/zenbrowser-patch[.]git.
During the processing of PKGBUILD, this repository is cloned and considered as part of the package update and build process. However, instead of a patch, the repository on GitHub contained malicious code that was executed during the build or installation phase. Currently, this repository has been removed from GitHub, and the .git is no longer available for analysis.
The publication also notes that the malware was attempted to be promoted on Reddit through responses to various topics related to Arch Linux (where malicious packages in AUR were promoted in the messages). Comments were posted from an account that had been inactive for many years and was likely compromised and used for “advertising” the malware.
Arch users on Reddit immediately found the comments suspicious, uploaded one of the components to VirusTotal, and discovered Chaos RAT in it.
Chaos RAT is an open-source remote access trojan for Windows and Linux. It can be used for uploading and downloading files, executing commands, and opening a reverse shell. As a result, attackers gain full access to the infected device.
This Trojan is often used in campaigns to distribute cryptocurrency miners, as well as for collecting credentials, stealing information, or espionage.
In this case, after installation, the malware repeatedly connected to the command server 130.162[.]225[.]47:8080, waiting for commands.
“We strongly recommend that users who may have installed any of these packages remove them from their system and take necessary measures to ensure they have not been compromised,” warns the Arch Linux team.
In particular, it is recommended to immediately check for the presence of a suspicious executable file named systemd-initd, which may be located in the /tmp directory. If the file is found, it should be deleted.
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →