If you are an Arch user, you know that the AUR (Arch User Repository) is a double-edged sword: it is incredibly useful but requires caution. Unfortunately, that caution was warranted yet again this week when three AUR packages were found to contain malware.
The issue came to light on July 16 when a user uploaded a malicious package, librewolf-fix-bin, to the AUR. Within hours, two more packages, firefox-patch-bin and zen-browser-patched-bin, followed, all traced back to the same bad actor.
Security researchers quickly identified the threat: a Remote Access Trojan (RAT) hidden in a script pulled from a GitHub repository. For those unfamiliar, a RAT is no joke—it can grant attackers full control over an infected system, enabling them to steal data, install additional malware, or spy on users.
Thankfully, the Arch Linux security team responded promptly once they became aware of the issue. By July 18, all three malicious packages had been removed from the AUR. However, if you installed any of these before they were removed, your system could still be at risk. So, what should you do?
- Remove them immediately—don’t wait.
- Check for signs of compromise—unusual network activity, unexpected processes, or unfamiliar files could be red flags.
- Consider a more thorough security sweep—malware like this can linger if not completely removed.
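As a starting point for the first two steps, the sketch below (an added example, not part of the original article or of any Arch tooling) reads pacman's log and reports whether each of the three packages named above was ever installed, including ones that have since been uninstalled. The sample log lines, their dates and versions are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article. Package names are the three it lists.
PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"

# Constructed sample in pacman.log format; dates and versions are made up.
sample_log() {
cat <<'EOF'
[2025-07-16T18:04:11+0000] [PACMAN] Running 'pacman -U librewolf-fix-bin-1.0-1-x86_64.pkg.tar.zst'
[2025-07-16T18:04:13+0000] [ALPM] installed librewolf-fix-bin (1.0-1)
[2025-07-17T09:30:02+0000] [ALPM] installed zen-browser-patched-bin (1.0-1)
[2025-07-19T08:15:40+0000] [ALPM] removed zen-browser-patched-bin (1.0-1)
[2025-07-19T08:16:00+0000] [ALPM] upgraded firefox (140.0-1 -> 141.0-1)
EOF
}

# Print "<package> <state> <time of last event>" for each watched package.
# state: present (last event was an install or upgrade), removed, never-seen.
# Reads the log files given as arguments, or stdin when none are given.
audit_log() {
    awk -v pkgs="$PKGS" '
    BEGIN { n = split(pkgs, want, " ")
            for (i = 1; i <= n; i++) state[want[i]] = "never-seen" }
    {
        # Transaction lines carry an [ALPM] tag followed by action and name.
        for (i = 1; i <= NF; i++) if ($i == "[ALPM]") break
        if (i + 2 > NF) next
        action = $(i + 1); pkg = $(i + 2)
        if (!(pkg in state)) next
        if (action == "removed") state[pkg] = "removed"
        else if (action ~ /^(installed|reinstalled|upgraded|downgraded)$/) state[pkg] = "present"
        else next
        ts = $1; sub(/^\[/, "", ts); sub(/\]$/, "", ts); when[pkg] = ts
    }
    END { for (i = 1; i <= n; i++) {
              p = want[i]; print p, state[p], ((p in when) ? when[p] : "-") } }
    ' "$@"
}

# Exit 0 if any watched package was ever installed according to the log.
ever_installed() {
    audit_log "$@" | awk '$2 != "never-seen" { hit = 1 } END { exit !hit }'
}

# Demo on the constructed sample; on a real system: audit_log /var/log/pacman.log
sample_log | audit_log
```

A package reported as "removed" was still installed at some point, so the compromise checks in the list above apply to it as much as to one reported as "present".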
This isn’t the first time malicious packages have slipped into the AUR, and (probably) it won’t be the last. As you know, AUR is a community-driven repository that’s separate from the official Arch package sources. In other words, anyone can upload software to it.
Yes, it is an absolute goldmine for extra software and one of the biggest reasons people love Arch, with tens of thousands of packages to choose from. But as this shows, it does come with some risks. So, whenever you install something from AUR, just be sure to tread carefully.
For more information, here’s the message on Arch’s mailing list.
Interesting sentence: “However, if you installed any of these before they were removed…”
Is it an option to install it AFTER they were removed? Probably better “However, if you installed any of these when they were available…”