Security researchers discovered that threat actors had uploaded three malicious browser packages, firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin, to the Arch User Repository (AUR).
These packages appeared to be benign forks of popular Firefox-based browsers but secretly installed a Remote Access Trojan (RAT) by pulling and executing a script from a malicious GitHub repository.
The Arch Linux team removed the offending packages within 48 hours of their initial upload, but not before an unknown number of systems could have been compromised.
Key Takeaways
1. Fake Firefox AUR packages downloaded and executed a Remote Access Trojan from GitHub.
2. The RAT installed a systemd service creating encrypted reverse shells on port 443.
3. Arch Linux removed the packages and urged users to uninstall and check for rat-agent.service.
Users who installed any of these packages are urged to verify integrity, rotate credentials, and perform forensic checks for indicators of compromise.
Malicious AUR Packages Discovered
Late on July 16 at approximately 20:00 UTC+2, the first of the three tainted packages, firefox-patch-bin, was uploaded under the maintainer handle dlagents to the AUR.
This PKGBUILD contained a modified install() function that downloaded a shell script from https://raw.githubusercontent.com/dlagents/rat-scripts/main/install.sh and executed it with root privileges. The post-install hook included:
A few hours later, two sibling packages—librewolf-fix-bin and zen-browser-patched-bin—appeared, each embedding identical RAT installation logic yet masquerading as fixes for mainstream privacy-focused forks of Firefox.
The community quickly flagged these uploads after download counts spiked unusually, triggering an automated alert on anomalous build scripts.
Initial forensic analysis showed that the downloaded install.sh script established persistence by placing a systemd unit file at /etc/systemd/system/rat-agent.service and invoking it immediately:
Upon execution, rat-agent opened a reverse shell on TCP port 443, proxying traffic through an obfuscated WebSocket tunnel to evade straightforward detection.
The binary itself used common packing techniques, stripped its debug symbols, and encrypted its configuration block with AES-128-CBC; that block held the command-and-control (C2) endpoints.
Indicators of compromise included unexpected outbound connections to rat-dns.example.com and creation of ~/.cache/rat/agent.log.
According to the advisory, the Arch Linux security team revoked the maintainer’s privileges and purged the malicious entries from the AUR by July 18 at 18:00 UTC+2.
A security advisory was issued, urging users to search for the infected packages via pacman -Q firefox-patch-bin and related names, uninstall them, and inspect /etc/systemd/system/rat-agent.service for removal.
Users who believe they installed any of the compromised packages should immediately remove them and audit their systems for the aforementioned persistence artifacts.
Security best practices such as verifying PGP signatures on AUR submissions, leveraging arch-audit for vulnerability scans, and confining AUR builds to isolated containers can mitigate future supply chain threats.
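The triage steps above (query pacman for the three package names, look for the rat-agent.service unit, look for the agent log) can be scripted so they run the same way on every host. The following is an added example written for this article, not a script from the Arch Linux advisory; the package names and file paths are the ones reported above, and the scan function takes the root directory, home directory and package list as parameters so it can be exercised against a constructed directory tree without touching a real system.

```shell
#!/bin/sh
# Triage for the malicious AUR packages described above. Reports
# (1) any of the three packages installed, (2) the rat-agent.service
# persistence unit, (3) the agent log file. Returns 1 if anything was
# found, 0 if clean. Arguments: ROOT HOME_DIR PKGLIST (newline-separated).
MALICIOUS_PKGS="firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin"

scan_rat_indicators() {
    root="${1%/}"; home_dir="${2%/}"; pkglist="$3"
    found=0
    for pkg in $MALICIOUS_PKGS; do
        # -x: match the whole line, so "firefox" does not match "firefox-patch-bin"
        if printf '%s\n' "$pkglist" | grep -qx "$pkg"; then
            echo "FOUND package installed: $pkg"
            found=1
        fi
    done
    unit="$root/etc/systemd/system/rat-agent.service"
    if [ -e "$unit" ]; then
        echo "FOUND persistence unit: $unit"
        found=1
    fi
    log="$home_dir/.cache/rat/agent.log"
    if [ -e "$log" ]; then
        echo "FOUND agent log: $log"
        found=1
    fi
    return $found
}

# "--live" scans the real host (needs pacman); otherwise a constructed,
# empty stand-in unit file shows what a hit looks like.
if [ "${1:-}" = "--live" ]; then
    scan_rat_indicators / "$HOME" "$(pacman -Qq)" \
        || echo "Indicators present: uninstall, remove the unit, rotate credentials."
else
    demo=$(mktemp -d); mkdir -p "$demo/etc/systemd/system"
    : > "$demo/etc/systemd/system/rat-agent.service"   # constructed sample
    scan_rat_indicators "$demo" "$demo" "zen-browser-patched-bin" || true
    rm -rf "$demo"
fi
```

Run with `--live` on an Arch host to scan for real; a non-zero exit means at least one indicator was present and the remediation steps above apply.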
The post Hackers Injected Malicious Firefox Browser Packages to Arch Linux User Repository appeared first on Cyber Security News.