Arch Linux pulls AUR packages that installed Chaos RAT malware

Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) were used to install the CHAOS remote access trojan (RAT) on Linux devices. The AUR is a repository where Arch Linux users can publish package build scripts (PKGBUILDs) to automate the process of downloading, building, and installing software that is not included with the operating system. "We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised," warned the Arch Linux team. However, like many other package repositories, the AUR has no format review process for new or updated packages, making it the user's responsibility to review the code and installation scripts before building and installing the package. The packages were removed two days later by the Arch Linux team after being flagged as malicious by the community. Arch users on Reddit quickly found the comments suspicious, with one of them uploading one of the components to VirusTotal, which detects it as the Linux malware called CHAOS RAT. Although all the packages have now been removed, BleepingComputer found archived copies of all three, indicating that the threat actor began submitting the packages at 18:46 UTC on July 16. However, a Reddit account began responding to various Arch Linux threads on the platform today, promoting these packages on the AUR. CHAOS RAT is an open-source remote access trojan (RAT) for Windows and Linux that can be used to upload and download files, execute commands, and open a reverse shell. Due to the severity of the malware, anyone who has mistakenly installed these packages should immediately check for the presence of a suspicious "systemd-initd" executable running on their computer, which may be located in the /tmp folder. The comments were posted by an account that appears to have been dormant for years and likely compromised to spread the malicious packages.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 18 Jul 2025 21:15:18 +0000

Cyber News related to Arch Linux pulls AUR packages that installed Chaos RAT malware

Arch Linux pulls AUR packages that installed Chaos RAT malware - Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) were used to install the CHAOS remote access trojan (RAT) on Linux devices. The AUR is a repository where Arch Linux users can publish package build scripts ...
2 months ago Bleepingcomputer.com

Hackers Injected Malicious Firefox Browser Packages to Arch Linux User Repository - Security researchers discovered that threat actors had uploaded three corrupted browser packages, firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin, to the Arch User Repository (AUR). A security advisory was issued, urging users to ...
2 months ago Cybersecuritynews.com

CVE-2021-47341 - In the Linux kernel, the following vulnerability has been resolved: KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec ...
1 year ago Tenable.com

The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
1 year ago Cyberdefensemagazine.com

Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
1 year ago Cysecurity.news

CVE-2024-40953 - In the Linux kernel, the following vulnerability has been resolved: ...
11 months ago

Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
1 year ago Securelist.com

CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago

CVE-2024-46763 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago

Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms - Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected ...
1 year ago Darkreading.com

Chaos Mesh Fixes CVEs in Cluster Chaos Code - Chaos Mesh, a popular chaos engineering platform for Kubernetes, recently addressed multiple critical vulnerabilities in its cluster chaos code. These CVEs could allow attackers to disrupt cluster operations or escalate privileges, posing significant ...
2 weeks ago Infosecurity-magazine.com CVE-2023-XXXX CVE-2023-YYYY

CVE-2024-40954 - In the Linux kernel, the following vulnerability has been resolved: ...
9 months ago

Microsoft: New RAT malware used for crypto theft, reconnaissance - Last but not least, Microsoft says StilachiRAT allows command execution and potential SOCKS-like proxying using commands from a command-and-control (C2) server to the infected devices, which can let the threat actors reboot the compromised system, ...
6 months ago Bleepingcomputer.com

A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets - A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan. The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in ...
1 year ago Darkreading.com

CVE-2024-53195 - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Get rid of userspace_irqchip_in_use Improper use of userspace_irqchip_in_use led to syzbot hitting the following WARN_ON() in kvm_timer_update_irq(): WARNING: CPU: 0 PID: ...
9 months ago Tenable.com

CVE-2025-38117 - In the Linux kernel, the following vulnerability has been resolved: ...
3 months ago

CVE-2025-37780 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
6 months ago Cybersecuritynews.com

CVE-2021-47092 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago

SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities - The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and ...
1 year ago Thehackernews.com CVE-2023-38831 APT3 SideCopy Transparent Tribe

Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov

Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov

FBI seizes Warzone RAT infrastructure, arrests malware vendor - The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. Daniel Meli, 27, a resident of Malta, was arrested last week for his role in the proliferation of ...
1 year ago Bleepingcomputer.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

Any.RUN Sandbox Now Expanded to Analyze Linux Malware - The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting. ANY.RUN allows malware analysts, SOC members, and DFIR team members ...
1 year ago Gbhackers.com

Arch Linux pulls AUR packages that installed Chaos RAT malware

Cyber News related to Arch Linux pulls AUR packages that installed Chaos RAT malware

Latest Cyber News

Cyber Trends (last 7 days)

Trending Cyber News (last 7 days)