Some AUR packages were uploaded containing malware (2025-07-18)

Notices
1

This message has been posted in Archlinux security list:

On the 16th of July, at around 8pm UTC+2, a malicious AUR package was
uploaded to the AUR. Two other malicious packages were uploaded by the
same user a few hours later. These packages were installing a script
coming from the same GitHub repository that was identified as a Remote
Access Trojan (RAT).

The affected malicious packages are:

  • librewolf-fix-bin
  • firefox-patch-bin
  • zen-browser-patched-bin

The Arch Linux team addressed the issue as soon as they became aware of
the situation. As of today, 18th of July, at around 6pm UTC+2, the
offending packages have been deleted from the AUR.

We strongly encourage users that may have installed one of these
packages to remove them from their system and to take the necessary
measures in order to ensure they were not compromised.

Note to the forum editors: I chose this category instead of the members category so the information can reach more people. Feel free to move it to a more suitable place if necessary.

14 Likes
2

It’s not Non-technical Questions material, so I’ve moved it to Notices. :wink:

3 Likes
3

Yes, I know Non-technical Questions it’s not the right place, but I can’t post to Notices :wink:

2 Likes
4

Which is why I’ve moved it there. :stuck_out_tongue:

4 Likes
5

Thanks @andreas85, it seems I don’t know what year I live in :joy:

4 Likes
6

Why, it’s September 1993, of course! :stuck_out_tongue:

5 Likes
7

Ayuh. I was the first to submit deletion requests for a couple of those packages. Folks never seem to search first as there’s now several duplicate deletion requests. :facepalm:

The internet is full. Go away!1 :stuck_out_tongue_winking_eye:

1 I want that T-Shirt :grin:

7 Likes
8 
Error: filesystem /earth is full.  Delete some users.

:crazy_face:

7 Likes
9

Almost honest; librewolf got ‘fix’ and firefox/zen got ‘patch’… and this highly intelligent individual then advertised their work on reddit: https://www.reddit.com/r/archlinux/comments/1m30py8/aur_is_so_awesome/

AUR’s awesome because we can get Plex-HTPC :stuck_out_tongue:

Apparently, these were fishing for people with screen-tearing or whatever… hikek58184 commented on 2025-07-16 20:25 (UTC) nice, this fixed my rendering issues

3 Likes
10

Apparently there were a few more:

  • minecraft-cracked
  • ttf-ms-fonts-all
  • vesktop-bin-patched
  • ttf-all-ms-fonts

Update: The AUR packages are now all deleted and the user is permanently suspended. It appears the related GitHub and Reddit accounts are now deleted as well.

8 Likes
11

:wave:

Can I post a similar topic in a Brazilian Linux community I often visit called Diolinux Plus?

:vulcan_salute:

12

I’m sure it might be of interest to anyone who uses the AUR; that potentially includes users of all Arch Linux based distributions.

3 Likes
13

Thank you very much, soundofthunder. Post has been created on the mentioned Forum.

1 Like