On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
The affected malicious packages are:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.
We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.
Follow up
There are more packages with this malware found.
minecraft-crackedttf-ms-fonts-allvesktop-bin-patchedttf-all-ms-fonts
What to do
If you installed any of these packages, check your running processes for one named systemd-initd (this is the RAT).
The suspicious packages have a patch from this now-inaccessible Codeberg repo: https://codeberg.org/arch_lover3/browser-patch
The Arch maintainers have been informed of all this already and are investigating.
I kinda watch the Arch devs packaged more stuff rather then relying on thr aur,Chaotic-aur (third party repo) solves mostly.
The arch maintainers package more software than most other distributions. Some items they leave in the AUR by choice, if the Dev prefers it there. The key is to use the AUR sparingly and only if you trust the packager.
Ok thanks, I never knew they package more stuff on the stock repos.
Sorry, but I fail to see this.
I suppose if you’re accounting literally all independent distros, then you’re probably right. However, if we’d be more realistic and compare it to other well-established independent distros[1], then we notice that the vastness of the packages found in Arch’s repository is rather lackluster at the very least. Heck, by virtually all metrics, Arch together with its derivatives undoubtedly belong in the upper echelons of usage stats; only being second to the Debian-family of distros. IMO, however, the size of its repository absolutely doesn’t reflect this; as it’s only bigger than Slackware, Solus and Void. The inclusion of these smaller projects is arguably charitable on my side*. But to drive the point home very clearly: Arch’s repository is smaller than Alpine’s, Debian’s, Fedora’s, openSUSE’s and Gentoo’s with a ratio of (about) two to one (except for openSUSE).
I’m basically counting Alpine, Debian, Fedora, Gentoo, openSUSE, Slackware, Solus and Void. I didn’t count Guix System and NixOS for how their ‘repositories’ are built different and therefore not easily comparable to the others. ↩︎
I don’t know if raw package counts is the best. Unlike say Fedora, Arch bundles everything related to a project in the same file. If you want Qt6-base on Arch, that is one package. If you want it on Fedora, it is going to have a lib, header, docs, and maybe a few other packages.
Just from personal experience, I do not have issues with finding packages in the main repos, with only a handful of my packages coming from the AUR. This is not the case with others, like Fedora where extra repos need to be added, like EPEL and RPM Fusion.
Thank you for the quick response!
You’re probably right. Do you think we got anything better to go by?
Can’t comment on this. Though, the list of packages with qt6 in their name is considerably longer in Fedora. However, I wonder if this simply reflects that Fedora, by virtue of having a larger repository, also has more stuff related to qt6. Or, as you posited it, chooses to package the same content over multiple packages instead of bundling them like it’s supposedly happening on Arch.
Hmm…, I feel you might be conflating stuff. Please allow me to elaborate on what I mean.
Fedora is not able to include some packages in its own repository due to legal reasons. As such, these are relayed to RPM Fusion instead. Which means that a well-functioning Fedora installation (almost necessarily) desires to install some packages from RPM Fusion. So, RPM Fusion exists as a ‘hack’ of sorts to protect Fedora from legal charges and NOT because they’re too lazy (or something) to ship those packages themselves. To be clear, RPM Fusion is accepted as a trusted third-party repository.
Arch, on the other hand, is rather lenient on what they can include in their repositories. Basically enabling them to package within their repositories all codecs and whatnot without them being visibly worried about the legal consequences of this ordeal.
To be honest, I don’t know exactly where this discrepancy comes from. But I wouldn’t be surprised if it’s related to how Arch is basically a genuine community distro while Fedora has official ties to Red Hat.
Btw, small correction, AFAIK you’re not supposed to install packages from the EPEL on Fedora. Perhaps you meant COPR (basically Fedora’s AUR) or Terra instead?
I 100% agree. Everyone raves about the AUR but it really feels like more of a necessity than a value add because so little is actually packaged for arch. And the AUR is definitely more annoying and feels more jank than just having it in your default repo.