On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).

The affected malicious packages are:

  • librewolf-fix-bin
  • firefox-patch-bin
  • zen-browser-patched-bin

The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.

We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.

Follow up

More packages carrying this malware have been found:

  • minecraft-cracked
  • ttf-ms-fonts-all
  • vesktop-bin-patched
  • ttf-all-ms-fonts

What to do

If you installed any of these packages, check your running processes for one named systemd-initd (this is the RAT).

The suspicious packages have a patch from this now-inaccessible Codeberg repo: https://codeberg.org/arch_lover3/browser-patch

The Arch maintainers have been informed of all this already and are investigating.
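As an added example (not part of the post or of any Arch tooling), a POSIX shell script that turns the two checks above into something repeatable: it compares an installed-package list against the package names given in this post and looks for a process whose command name is exactly systemd-initd. For the live scan it assumes pacman and ps are available; no names beyond those in the post are used.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a package list and a
# process list against the names given in the post; no other names are assumed.

FLAGGED_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin \
minecraft-cracked ttf-ms-fonts-all vesktop-bin-patched ttf-all-ms-fonts"
RAT_COMM="systemd-initd"

# Reads newline-separated package names on stdin (the format `pacman -Qq`
# prints) and echoes every name from the flagged list, one per line.
flagged_installed() {
    while IFS= read -r name; do
        for bad in $FLAGGED_PKGS; do
            if [ "$name" = "$bad" ]; then printf '%s\n' "$name"; fi
        done
    done
}

# Reads "pid comm" lines on stdin (the format `ps -eo pid=,comm=` prints) and
# echoes the PID of every process whose command name is exactly systemd-initd.
# The kernel truncates comm to 15 characters; this name is 13, so an exact
# match is safe.
rat_pids() {
    awk -v want="$RAT_COMM" '$2 == want { print $1 }'
}

# Live scan of this host. Returns 1 if either indicator is present.
scan_host() {
    found=0
    if command -v pacman >/dev/null 2>&1; then
        hits=$(pacman -Qq 2>/dev/null | flagged_installed)
        if [ -n "$hits" ]; then
            echo "flagged AUR packages installed:"; echo "$hits"; found=1
        fi
    fi
    pids=$(ps -eo pid=,comm= 2>/dev/null | rat_pids)
    if [ -n "$pids" ]; then
        echo "process $RAT_COMM running as pid(s): $pids"; found=1
    fi
    [ "$found" -eq 0 ] && echo "no indicators from the post found"
    return "$found"
}

scan_host
```

A match on either check is a reason to treat the host as compromised and go on to the removal and verification steps the post asks for, not just to uninstall the package.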

  • pyssla@quokk.au
    16 hours ago

    Thank you for the quick response!

    I don’t know if raw package counts is the best comparison.

    You’re probably right. Do you think we got anything better to go by?

    Unlike say Fedora, Arch bundles everything related to a project in the same file. If you want Qt6-base on Arch, that is one package. If you want it on Fedora, it is going to have a lib, header, docs, and maybe a few other packages.

    Can’t comment on this. Though, the list of packages with qt6 in their name is considerably longer in Fedora. However, I wonder if this simply reflects that Fedora, by virtue of having a larger repository, also has more stuff related to qt6. Or, as you posited it, chooses to package the same content over multiple packages instead of bundling them like it’s supposedly happening on Arch.

    Just from personal experience, I do not have issues with finding packages in the main repos, with only a handful of my packages coming from the AUR. This is not the case with others, like Fedora where extra repos need to be added, like EPEL and RPM Fusion.

    Hmm…, I feel you might be conflating stuff. Please allow me to elaborate on what I mean.

    Fedora is not able to include some packages in its own repository due to legal reasons. As such, these are relayed to RPM Fusion instead. Which means that a well-functioning Fedora installation (almost necessarily) desires to install some packages from RPM Fusion. So, RPM Fusion exists as a ‘hack’ of sorts to protect Fedora from legal charges and NOT because they’re too lazy (or something) to ship those packages themselves. To be clear, RPM Fusion is accepted as a trusted third-party repository.

    Arch, on the other hand, is rather lenient on what they can include in their repositories. Basically enabling them to package within their repositories all codecs and whatnot without them being visibly worried about the legal consequences of this ordeal.

    To be honest, I don’t know exactly where this discrepancy comes from. But I wouldn’t be surprised if it’s related to how Arch is basically a genuine community distro while Fedora has official ties to Red Hat.

    Btw, small correction, AFAIK you’re not supposed to install packages from the EPEL on Fedora. Perhaps you meant COPR (basically Fedora’s AUR) or Terra instead?