Fake Firefox AUR packages downloaded and executed a Remote Access Trojan from GitHub.

Security researchers discovered that threat actors had uploaded three malicious browser packages, firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin, to the Arch User Repository (AUR). The packages appeared to be benign forks of popular Firefox-based browsers but secretly installed a Remote Access Trojan (RAT) by pulling and executing a script from a malicious GitHub repository.

Late on July 16 at approximately 20:00 UTC+2, the first of the three tainted packages, firefox-patch-bin, was uploaded to the AUR under the maintainer handle dlagents. According to the advisory, the Arch Linux security team revoked the maintainer's privileges and purged the malicious entries from the AUR by July 18 at 18:00 UTC+2.

A security advisory was issued urging users to check for the infected packages with pacman -Q firefox-patch-bin (and the same query for the other two names), uninstall them, and inspect /etc/systemd/system/rat-agent.service, the RAT's persistence unit, for removal. Users who believe they installed any of the compromised packages should remove them immediately, audit their systems for the persistence artifacts above, verify system integrity, rotate credentials, and perform forensic checks for indicators of compromise.

Security best practices such as verifying PGP signatures on AUR submissions, using arch-audit for vulnerability scans, and confining AUR builds to isolated containers can mitigate future supply chain threats.
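The advisory's two checks, querying pacman for the three package names and looking for the rat-agent.service unit, can be scripted for a fleet. The following is an added example, not code from the advisory or the Arch security team; the package names and unit path come from the article, while the function names and the optional root prefix (for scanning a mounted image) are my own additions.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): check a host for the three malicious AUR
# packages and the rat-agent.service persistence unit named in the article.

MALICIOUS_PKGS="firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin"
SERVICE_UNIT="/etc/systemd/system/rat-agent.service"

# scan_installed: reads installed package names on stdin (one per line, as
# `pacman -Qq` prints them) and reports any that match the known-bad set.
# Returns 0 when none match, 1 when at least one malicious package is present.
scan_installed() {
  local pkg bad hit=0
  while IFS= read -r pkg; do
    for bad in $MALICIOUS_PKGS; do
      if [ "$pkg" = "$bad" ]; then
        echo "INSTALLED: $pkg (remove with: sudo pacman -Rns $pkg)"
        hit=1
      fi
    done
  done
  return $hit
}

# check_service: looks for the RAT's systemd unit under an optional root prefix
# ("" for the live system, a directory for a mounted image or a test fixture).
# Returns 0 when absent, 1 when the unit file exists.
check_service() {
  local root="${1:-}"
  if [ -f "$root$SERVICE_UNIT" ]; then
    echo "PERSISTENCE: $root$SERVICE_UNIT exists"
    return 1
  fi
  return 0
}

# scan_host: runs both checks on the live system, plus a check for the unit being
# active, and returns non-zero on any hit so it can run as a compliance job.
scan_host() {
  local rc=0
  pacman -Qq | scan_installed || rc=1
  check_service "" || rc=1
  if command -v systemctl >/dev/null 2>&1; then
    systemctl is-active --quiet rat-agent.service && { echo "RUNNING: rat-agent.service"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "clean: no indicators from the advisory found"
  return $rc
}

# Usage on an Arch host: ./aur-rat-check.sh --run   (exit status 1 means a hit)
if [ "${1:-}" = "--run" ]; then scan_host; exit $?; fi
```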
Published on cybersecuritynews.com, Wed, 23 Jul 2025 10:35:10 +0000.