Arch Linux pulls AUR packages that installed Chaos RAT malware

Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices.

The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin," and were uploaded by the same user, "danikpapas," on July 16.

The packages were removed two days later by the Arch Linux team after being flagged as malicious by the community.

"On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR," warned the AUR maintainers.

"Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT)."

[Image: One of the malicious AUR packages. Source: BleepingComputer]

The AUR is a repository where Arch Linux users can publish package build scripts (PKGBUILDs) to automate the process of downloading, building, and installing software that is not included with the operating system.

However, like many other package repositories, the AUR has no formal review process for new or updated packages, making it the user's responsibility to review the code and installation scripts before building and installing the package.
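As an added illustration of that review step (not from the article, the AUR maintainers, or any Arch tooling), the Python below reads a PKGBUILD as plain text, without sourcing it, and lists the items worth inspecting before a build. The sample PKGBUILD, its placeholder hosts, and the finding names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not one of the removed packages; every host is a placeholder.
SAMPLE_PKGBUILD = '''\
pkgname=example-browser-fix-bin
url="https://browser.example.org"
source=("https://browser.example.org/releases/browser-1.0.tar.gz"
        "patches::git+https://code.example.net/someuser/patches.git")
sha256sums=('CONSTRUCTED_PLACEHOLDER_HASH' 'SKIP')
install=example.install
package() {
  install -Dm755 browser "$pkgdir/usr/bin/browser"
  python "$srcdir/patches/main.py"
}
'''

def _array(text, name):
    """Words of the first bash array `name=( ... )`, read as text, never sourced."""
    m = re.search(rf'^{name}(?:_\w+)?=\((.*?)\)', text, re.M | re.S)
    return re.findall(r'''[^\s"']+''', m.group(1)) if m else []

def _scalar(text, name):
    m = re.search(rf'''^{name}=["']?([^\s"']+)''', text, re.M)
    return m.group(1) if m else None

def _host(entry):
    loc = entry.split('::', 1)[-1]        # drop the optional "name::" prefix
    loc = re.sub(r'^\w+\+', '', loc)      # drop a VCS prefix such as "git+"
    return urlparse(loc).hostname         # None for local files

def review(text):
    """Return (kind, detail) findings to look at before building; not verdicts."""
    findings = []
    upstream = urlparse(_scalar(text, 'url') or '').hostname
    sums = _array(text, r'\w+sums')
    for i, src in enumerate(_array(text, 'source')):
        host = _host(src)
        if host and host != upstream:     # fetched from somewhere other than url=
            findings.append(('off-upstream-source', host))
        if i < len(sums) and sums[i] == 'SKIP':   # no checksum pins this source
            findings.append(('unverified-source', src))
    hook = _scalar(text, 'install')
    if hook:                              # .install scriptlets run at install time
        findings.append(('install-hook', hook))
    for line in re.findall(r'^[ \t]+(?:python\d?|bash|sh|curl|wget)\b.*$', text, re.M):
        findings.append(('runs-code-or-fetches', line.strip()))
    return findings
```

Calling `review(SAMPLE_PKGBUILD)` returns four findings: the second source's host, its `SKIP` checksum, the install hook, and the `python` line in `package()`. Each one marks a line to read by hand, since legitimate packages can also trigger them.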

Although all the packages have now been removed, BleepingComputer found archived copies of all three, indicating that the threat actor began submitting the packages at 18:46 UTC on July 16.
