Someone Slipped a RAT into Arch Linux!
A sneaky menace made its way into Arch User Repository. Another reminder to not blindly trust packages from AUR, PPA and even from Snapcraft.
A RAT, or remote access trojan, is a type of malware that lets attackers control a device from far away. Usually, RATs target Windows or macOS computers. But even Linux, which is known for being secure, is not completely safe from these kinds of threats.
A concerning case has popped up where malicious AUR packages on Arch Linux were found dropping CHAOS RAT onto user systems without their knowledge.
What's Happening: A user who goes by the name "danikpapas" uploaded three fake packages to the Arch User Repository (AUR): librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin.
They looked like browser-related tools, but when installed, they ran a script that downloaded CHAOS RAT, a remote access trojan. Once inside, it gives attackers full control of the system, allowing them to run commands, spy on the user, and drop more malware.
The packages were up for around two days. They were first posted on July 16, 2025, and were flagged and removed by Arch maintainers shortly after, on July 18, 2025.
What Now: If you use Arch Linux or an Arch-based distribution, check if any of these packages are installed on your system. Run this command to see if they’re there (pacman prints an error for each package that is not installed, and the name and version of any that is):
pacman -Q librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin
These screenshots are for illustrative purposes. I didn’t have those sus packages in my CachyOS installation.
If any show up, remove them immediately with:
sudo pacman -Rns <package-name>
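A package that was installed and later removed no longer appears in the pacman query above, but the transaction stays in pacman's log. The following added example (not part of the original article) scans a pacman log for install or removal records of the three packages; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Package names as listed in the article.
SUSPECT_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"

# scan_pacman_log LOGFILE
# Prints "[timestamp] action package" for each ALPM transaction on a suspect
# package. Exit status: 0 = at least one hit, 1 = none, 2 = log unreadable.
scan_pacman_log() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v pkgs="$SUSPECT_PKGS" '
        BEGIN { n = split(pkgs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            ts = $0;   sub(/\].*/, "]", ts)           # leading [timestamp]
            rest = $0; sub(/^\[[^]]*\] /, "", rest)   # text after the timestamp
            split(rest, f, " ")                       # f[1]=[ALPM] f[2]=action f[3]=name
            if (f[1] == "[ALPM]" && (f[3] in want) &&
                f[2] ~ /^(installed|reinstalled|upgraded|downgraded|removed)$/) {
                print ts, f[2], f[3]
                hits++
            }
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Constructed sample log (timestamps and versions are made up for the demo).
sample_log() {
    cat <<'EOF'
[2025-07-17T09:12:03+0200] [PACMAN] Running 'pacman -S firefox'
[2025-07-17T09:12:05+0200] [ALPM] installed firefox (140.0.4-1)
[2025-07-17T09:30:41+0200] [ALPM] installed librewolf-fix-bin (1.0-1)
[2025-07-19T18:02:10+0200] [ALPM] removed librewolf-fix-bin (1.0-1)
EOF
}

# Scan the log given as $1, or the constructed sample when run without arguments.
if [ -n "${1:-}" ]; then
    scan_pacman_log "$1" || echo "no matching transactions (or log unreadable)"
else
    tmp_log=$(mktemp) && sample_log > "$tmp_log"
    scan_pacman_log "$tmp_log"
    rm -f "$tmp_log"
fi
```

On a real system, pass /var/log/pacman.log as the first argument.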
As always, make sure your system is up to date and only install packages from trusted sources, particularly when using community-driven repositories like the AUR. Staying cautious helps keep your Linux setup safe.