Arch Linux Users Beware: Malicious AUR Packages Deployed CHAOS RAT Trojan
Three malicious scripts have been discovered in the Arch User Repository (AUR)—a community-driven repository for Arch Linux user packages—used to deploy the CHAOS RAT trojan. These scripts, uploaded by a user operating under the alias danikpapas, were disguised as packages for popular web browsers: librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin. The packages were added to AUR on July 16 and remained available for nearly two days before being taken down by the Arch Linux team following a community alert.
The scripts pointed to a GitHub repository that ostensibly contained browser patches. In reality, the repository hosted malicious code. During the installation process, the repository would be cloned and the payload executed as part of the build sequence. Although the repository has since been deleted, forensic traces remain—archives of all three packages were preserved and analyzed. It was determined that the malicious uploads began at 18:46 UTC.
Activity later surfaced on Reddit from an old, previously inactive account, which began promoting the compromised packages. Suspicion quickly mounted, prompting one vigilant user to submit a sample to VirusTotal. The service confirmed the presence of malware, identifying it as CHAOS RAT.
CHAOS RAT is an open-source remote access trojan compatible with both Windows and Linux systems. It enables remote command execution, file upload/download, and remote shell access. Once deployed, the malware connects to a command-and-control server and awaits instructions—effectively handing full control of the compromised machine to the attacker. In this case, the trojan connected to a remote server at IP address 130.162.225.47 on port 8080.
The malware is capable of covert cryptocurrency mining, data exfiltration, and cyber-espionage. Users who may have installed any of the affected packages are urged to immediately inspect their systems for an executable named systemd-initd within the /tmp directory and to delete it if found.
The Arch Linux team emphasizes that AUR lacks centralized auditing for new submissions, placing the burden of verification squarely on the community. Nevertheless, this incident underscores the critical importance of maintaining vigilance—even when installing packages that appear legitimate from trusted open-source platforms.
