[PSA] Malware distributed on the AUR

https://lemdro.id/post/25813192


> On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
>
> The affected malicious packages are:
>
> - librewolf-fix-bin
> - firefox-patch-bin
> - zen-browser-patched-bin
>
> The Arch Linux team addressed the issue as soon as they became aware of

The affected malicious packages are:

- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin

So…did someone just like create a new package cloning these or did they somehow get into the “official” repository? Is there no attestation process?

AUR is completely user-controlled; it is not official and not trusted. Someone just decided to use those names and upload something.
Oof. Does this happen often?
It’s a known risk.
Not what I asked.
The frequency of this happening does not inform you of the risk. Because there is no attestation it could happen rarely for some time and then suddenly a lot. Or the inverse. No way to tell.