Malicious AUR Packages Used to Spread CHAOS RAT on Arch Linux Systems
Three malicious packages uploaded to the Arch User Repository (AUR) — librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin — were found to install the CHAOS remote access trojan (RAT) on Linux systems. Uploaded by user danikpapas on July 16, these packages disguised malware within GitHub-linked patch scripts and were removed two days later following community reports. The scripts executed during installation established connections to a command-and-control server, enabling full remote access to infected machines.
The incident highlights ongoing risks in community-managed repositories like AUR, which lack formal package reviews. Reddit users helped expose the campaign after spotting suspicious promotional activity from a likely compromised account. CHAOS RAT enables file theft, command execution, and reverse shells, and is commonly associated with crypto-mining and espionage. Users who installed any of the packages are urged to remove them immediately and check for a rogue systemd-initd process in the /tmp directory.
www.bleepingcomputer.com/news/secu…
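The check recommended above, as an added example that is not part of the original article: a shell script that flags the three reported package names in a `pacman -Qq` listing and finds processes whose executable is a `systemd-initd` file under `/tmp`. The function names and the `--scan` switch are assumptions made for this sketch, as is the handling of a binary that was deleted after launch.

```shell
#!/bin/sh
# Added example: host check for the packages and process named in the article.
# Package names as reported in the article.
BAD_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"

# Reads installed package names on stdin (one per line, e.g. `pacman -Qq`)
# and prints every name that matches a reported package.
find_bad_pkgs() {
    while IFS= read -r pkg; do
        for bad in $BAD_PKGS; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
    return 0
}

# Walks a procfs root (default /proc) and prints "PID PATH" for each process
# whose executable is named systemd-initd and lives under /tmp.
# Reading other users' /proc/PID/exe links requires root.
find_rogue_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        # The kernel appends " (deleted)" when the binary was unlinked
        # after the process started; strip it before matching.
        exe=${exe%" (deleted)"}
        case "$exe" in
            /tmp/systemd-initd|/tmp/*/systemd-initd)
                printf '%s %s\n' "${d##*/}" "$exe" ;;
        esac
    done
    return 0
}

# Live scan only when asked for, so the functions can be sourced and tested.
if [ "${1:-}" = "--scan" ]; then
    pacman -Qq 2>/dev/null | find_bad_pkgs
    find_rogue_procs /proc
fi
```

Run it as root with `--scan` on the host being checked; any output line is either an installed package from the list or a PID to investigate.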
