[PSA] Malware distributed on the AUR

https://lemdro.id/post/25813192

> On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
>
> The affected malicious packages are:
>
> - librewolf-fix-bin
> - firefox-patch-bin
> - zen-browser-patched-bin
>
> The Arch Linux team addressed the issue as soon as they became aware of

This is going to increase in frequency as Linux gains popularity.
This is why I felt uncomfortable when I first switched to Linux and kept reading that I didn’t need to worry about viruses as long as I didn’t click on dodgy links and only installed from trusted sources. I’m sure I’m betraying my lack of security knowledge here, but that always seemed a bit too easy.

Only for distributions which don’t do reproducible builds and require full and complete corresponding source code under an FSF approved license.

If you choose to download binary blobs, good fucking luck.

As if everyone were to read every single line of source code, though. This just increases the chances of it being discovered.

The affected malicious packages are:

- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin

So…did someone just like create a new package cloning these or did they somehow get into the “official” repository? Is there no attestation process?

The AUR is completely user controlled; it is not official and not trusted. Someone just decided to use those names and upload something.
Oof. Does this happen often?
It’s a known risk.
Not what I asked.
The frequency of this happening does not inform you of the risk. Because there is no attestation it could happen rarely for some time and then suddenly a lot. Or the inverse. No way to tell.
To be clear, they created new packages with these names. Anyone can make anything available on the AUR, but you cannot issue updates under someone else's existing package name.

To be clear, when projects distribute their software via the AUR, someone else can't just issue an update using their package name.

This person appended "fix" and "patched" to appear in searches next to legitimate packages, and to seem worth installing instead.
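As an added defender-side example (not code from the post, the PSA or the Arch project), a small pre-build audit in Python that turns the two observations in this thread into checks on a PKGBUILD: a package name that shadows a trusted package with a "fix"/"patched" lure suffix, and a source array that pulls an extra script from an unexpected host without a checksum. The trusted-package table, the expected hosts and the sample PKGBUILD (EXAMPLE-USER/EXAMPLE-REPO) are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed reviewer config, not from the PSA: trusted packages -> expected source hosts.
KNOWN_PKGS = {"firefox": {"archive.mozilla.org"}, "librewolf": {"gitlab.com"},
              "zen-browser": {"github.com"}}
LURE_SUFFIXES = {"fix", "fixed", "patch", "patched"}

def shadowed_package(pkgname):
    """'firefox-patch-bin' -> 'firefox'; 'firefox-bin' or 'firefox' -> None."""
    parts = pkgname.split("-")
    if parts[-1] in ("bin", "git"):          # ordinary AUR variant suffixes
        parts = parts[:-1]
    if len(parts) < 2 or parts[-1] not in LURE_SUFFIXES:
        return None
    base = "-".join(parts[:-1])
    return base if base in KNOWN_PKGS else None

def parse_sources(pkgbuild):
    """(localname, url) pairs from source=(), honouring makepkg's 'name::url'."""
    m = re.search(r"^source=\((.*?)\)", pkgbuild, re.S | re.M)
    entries = re.findall(r"""["']([^"']+)["']""", m.group(1)) if m else []
    out = []
    for entry in entries:
        name, sep, url = entry.partition("::")
        out.append((name, url) if sep else (entry.rsplit("/", 1)[-1], entry))
    return out

def audit(pkgname, pkgbuild):
    """Findings a reviewer should read before running makepkg on this package."""
    findings = []
    base = shadowed_package(pkgname)
    if base:
        findings.append(f"name shadows trusted package '{base}' with a lure suffix")
    allowed = KNOWN_PKGS.get(base or pkgname, set())
    for name, url in parse_sources(pkgbuild):
        host = urlparse(url).hostname
        if allowed and host not in allowed:
            findings.append(f"source {name} fetched from unexpected host {host}")
    if re.search(r"\bSKIP\b", pkgbuild):     # makepkg skips integrity checks
        findings.append("at least one checksum is SKIP (no integrity pin)")
    return findings

# Constructed PKGBUILD fragment in the shape the PSA describes (placeholder repo and hosts).
SAMPLE_PKGBUILD = """\
pkgname=firefox-patch-bin
source=("https://archive.mozilla.org/pub/firefox/releases/1.0/linux-x86_64/en-US/firefox-1.0.tar.bz2"
        "fixup.sh::https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/fixup.sh")
sha256sums=('SKIP' 'SKIP')
"""
```

Running `audit("firefox-patch-bin", SAMPLE_PKGBUILD)` yields three findings: the lure-suffix name, the script fetched from raw.githubusercontent.com, and the SKIP checksums.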

To be fair the AUR is known to be very susceptible to that kind of thing due to the effective absence of entry requirements.

Absolutely.

The Arch User Repository is a way for anyone to easily distribute software.

Hence it has never been secure, and rather than claim it is, you mostly see people and documentation warn you about this, and to be careful if using it.

Any schmuck can make whatever they want available via the AUR. That’s how even the tiniest niche project can often be installed via the AUR. But you trade in some security for that convenience.

Wait, what happens once some government or state actor hacks Rust's install script, rustup, with its curl | bash install procedure, which relies on TLS certificates that are e.g. issued by the Russian government? (No, the Rust project won't use a Russian/Chinese/US Gov certificate, but your browser will trust nearly all of them...)
You’re using that to download a program. If they can MitM the shell script, they can just as well MitM the program that you’ll run right after the download…
This is why we invented hash checking. Good thing they can’t MITM where that’s stored! /s