[SECURITY] firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin AUR packages contain malware - Aur-general - lists.archlinux.org
lists.archlinux.org

On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).

The affected malicious packages are:

  • librewolf-fix-bin
  • firefox-patch-bin
  • zen-browser-patched-bin

The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.

We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.

According to the gamingonlinux discord, the following packages are also suspected to be compromised:

https://aur.archlinux.org/pkgbase/minecraft-cracked/

https://aur.archlinux.org/pkgbase/ttf-ms-fonts-all/

https://aur.archlinux.org/pkgbase/vesktop-bin-patched/

https://aur.archlinux.org/pkgbase/ttf-all-ms-fonts/

If you have any of these packages installed, immediately delete it and check your system processes for a process called systemd-initd (this is the RAT).

Here is an analysis of the malicious payload: https://www.virustotal.com/gui/file/d9f0df8da6d66aaae024bdca26a228481049595279595e96d5ec615392430d67

  • ArtixCory@lemmy.mlEnglish
    1·
    8 hours ago

    What am I making up? That most AUR packages don’t have a .install file? You couldn’t be bothered to say what I got wrong or provide any evidence to back it up so I can only assume. But if you have issue with me speculating about how common .install files are in the AUR, fine. Here are some numbers.

    Out of the 2500 packages I analyzed, only 19.08% of them had an install list in their PKGBUILD. One could very easily use the AUR and never, and I quote, “literally [execute] random shell scripts by strangers as root.”

    I also dug deeper regarding your claim that install files “don’t have to be explicitly mentioned in the PKGBUILD if it shares the same name as the package.” I can’t find any evidence of that. It doesn’t have to be listed in the sources, which is probably what you meant.

    Clearly these couldn’t be the things I’m wrong about, so I await your careful clarification.