[PSA] Malware distributed on the AUR

https://lemdro.id/post/25813192


> On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
>
> The affected malicious packages are:
>
> - librewolf-fix-bin
> - firefox-patch-bin
> - zen-browser-patched-bin
>
> The Arch Linux team addressed the issue as soon as they became aware of

The affected malicious packages are:

- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin

So…did someone just like create a new package cloning these or did they somehow get into the “official” repository? Is there no attestation process?

AUR is completely user controlled, it is not official and not trusted. Someone just decided to use those names and upload something.
Oof. Does this happen often?
It’s a known risk.
Not what I asked.
The frequency of this happening does not inform you of the risk. Because there is no attestation it could happen rarely for some time and then suddenly a lot. Or the inverse. No way to tell.
To be clear, they created new packages with these names. Anyone can make anything available on the AUR, but you cannot issue updates under someone else's existing package name.

To be clear, when projects distribute their software via the AUR, someone else can't just issue an update using their package name.

This person appended "fix" and "patched" to appear in searches next to legitimate packages, and to seem worth installing instead.
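As an added example (not code from the thread, the AUR or Arch Linux), a defender-side audit in Python for the two signals this thread describes: a package name built from a known base plus a "fix"/"patched" infix, and a PKGBUILD `source=()` entry that fetches from a host outside an allowlist. The base-name set, the trusted-host allowlist and the PKGBUILD fragment (with EXAMPLE-ORG/EXAMPLE-REPO as placeholders) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed: base names of the legitimate packages the thread mentions, and the
# infixes the malicious uploads used to sit beside them in AUR search results.
KNOWN_BASES = {"librewolf", "firefox", "zen-browser"}
SQUAT_INFIXES = {"fix", "fixed", "patch", "patched"}
# Constructed allowlist; a real deployment would derive it from upstream release pages.
TRUSTED_HOSTS = {"archive.mozilla.org", "ftp.mozilla.org"}

NAME_RE = re.compile(r"^(?P<base>.+)-(?P<infix>[a-z]+)-bin$")
SOURCE_RE = re.compile(r"source(?:_\w+)?=\((?P<body>.*?)\)", re.S)


def lookalike_base(name):
    """Return the legitimate base an AUR package name imitates, or None."""
    m = NAME_RE.match(name)
    if m and m.group("infix") in SQUAT_INFIXES and m.group("base") in KNOWN_BASES:
        return m.group("base")
    return None


def untrusted_sources(pkgbuild, trusted=TRUSTED_HOSTS):
    """Return source URLs in a PKGBUILD whose host is outside the allowlist."""
    hits = []
    for m in SOURCE_RE.finditer(pkgbuild):
        for entry in m.group("body").split():
            url = entry.strip("'\"").split("::", 1)[-1]  # drop optional filename:: prefix
            host = urlparse(url).hostname
            if host and host not in trusted:
                hits.append(url)
    return hits


def audit(name, pkgbuild):
    """Combine both checks into a list of findings; empty list means nothing flagged."""
    findings = []
    base = lookalike_base(name)
    if base:
        findings.append(f"name imitates '{base}' with squat infix")
    for url in untrusted_sources(pkgbuild):
        findings.append(f"source fetched from untrusted host: {url}")
    return findings


# Constructed PKGBUILD fragment; the second source mimics a script pulled from GitHub.
SAMPLE_PKGBUILD = """
pkgname=firefox-patch-bin
source=("https://archive.mozilla.org/pub/firefox/releases/0.0/linux-x86_64/en-US/firefox-0.0.tar.bz2"
        "https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/patch.sh")
"""

if __name__ == "__main__":
    for finding in audit("firefox-patch-bin", SAMPLE_PKGBUILD):
        print(finding)
```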