Three malicious packages on the Arch User Repository (AUR) installed the CHAOS remote access trojan (RAT) on Linux systems. The packages, uploaded by “danikpapas” on July 16, included:
librewolf-fix-bin
firefox-patch-bin
zen-browser-patched-bin
They stayed live for two days before Arch Linux removed them, following community reports.
How the Attack Happened
The AUR lets users share PKGBUILD scripts for easy package builds. However, these scripts had a patches entry pointing to a GitHub repo controlled by the attacker:
https://github.com/danikpapas/zenbrowser-patch.git
During installation, this repo was cloned. Instead of patches, it delivered malware executed during the build, infecting systems with CHAOS RAT.
A Reddit account later promoted these packages in Arch Linux threads. Users found this suspicious and uploaded files to VirusTotal, which flagged the malware.
What Is CHAOS RAT?
CHAOS RAT is an open-source trojan for Windows and Linux. It allows attackers to:
Upload or download files
Run commands
Open a reverse shell
This gives attackers full control over infected devices.
How to Stay Safe
Users can protect themselves by:
Checking PKGBUILD files before installing AUR packages
Avoiding packages promoted by untrusted accounts
Testing AUR builds in a sandbox environment
This incident shows why Arch users should always review and verify AUR packages before installing them.
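One way to automate part of the PKGBUILD check described above, as an added example that is not code from Arch Linux or the AUR: it reads the PKGBUILD as text without ever sourcing it, and flags remote sources that come from a different host or owner than the package's upstream url, plus VCS sources not pinned to a commit or tag. The function names, the forge list, and the sample PKGBUILD are assumptions made for illustration; only the "patches" repo URL is taken from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the incident described above; only the
# "patches" repo URL is from the article, every other value is made up.
SAMPLE_PKGBUILD = '''\
pkgname=example-browser-patched-bin
pkgver=1.0
url="https://example.org/browser"
source=("browser-$pkgver.tar.gz::https://example.org/browser/browser-$pkgver.tar.gz"
        "patches::git+https://github.com/danikpapas/zenbrowser-patch.git")
sha256sums=('SKIP' 'SKIP')
'''

FORGES = ("github.com", "gitlab.com", "codeberg.org")  # hosts where path[0] is the owner

def origin(url):
    """Return (host, owner); owner is only meaningful on code-hosting sites."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    owner = p.path.strip("/").split("/")[0].lower() if host in FORGES else ""
    return host, owner

def audit_pkgbuild(text):
    """Statically inspect PKGBUILD text (it is never sourced); return findings."""
    findings = []
    m = re.search(r'^url=["\']?([^"\'\s]+)', text, re.M)
    upstream = origin(m.group(1)) if m else None
    for arr in re.finditer(r'^source(?:_\w+)?=\((.*?)\)', text, re.M | re.S):
        for quoted, bare in re.findall(r'["\']([^"\']+)["\']|(\S+)', arr.group(1)):
            loc = (quoted or bare).split("::", 1)[-1]   # drop "name::" prefix
            if "://" not in loc:
                continue                                 # local file shipped with the package
            vcs = re.match(r'(git|hg|svn|bzr)\+(.+)', loc)
            target, _, frag = (vcs.group(2) if vcs else loc).partition("#")
            if vcs and not re.match(r'(commit|tag|revision)=', frag):
                findings.append(("unpinned-vcs", target))
            if upstream and origin(target) != upstream:
                findings.append(("foreign-origin", target))
    return findings

if __name__ == "__main__":
    for kind, target in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"{kind}: {target}")
```

A finding is a prompt to read that source by hand, not a verdict: legitimate packages also pull from third-party repos, and a clean result says nothing about what build() or an .install script does.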
Open-source ecosystems provide great flexibility, but they come with risks if users skip due diligence. The Arch Linux community acted quickly to remove these malicious packages, but it’s up to users to verify what they install.
By taking simple precautions, you can continue to enjoy the freedom of Arch Linux without compromising your system’s security.

