Arch Linux AUR Breach: Chaos RAT Delivered Through Malicious Packages
The open-source ecosystem faced a major security scare this month as Arch Linux pulled three malicious packages from its Arch User Repository (AUR) after they were found to be installing the CHAOS remote access trojan (RAT) on Linux systems.

The Incident

On July 16, 2025, a threat actor using the handle “danikpapas” uploaded three seemingly benign packages to the AUR:

librewolf-fix-bin
firefox-patch-bin
zen-browser-patched-bin

Within hours, these packages began infecting Linux machines during installation. The malicious PKGBUILDs pointed to a GitHub repository controlled by the attacker (zenbrowser-patch.git). Instead of containing legitimate browser patches, the repo executed a script that deployed CHAOS RAT, giving attackers full control over compromised devices.

The packages remained live until July 18, when the Arch Linux team removed them after community members flagged suspicious behavior.

🕵️ How the Attack Worked

Upload to AUR: Attacker publishes...
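A host triage check built from the three package names and the repository name reported above, as an added example that is not part of the original article or of Arch Linux tooling. It assumes `pacman -Qm` output for foreign (AUR) packages and that AUR helper build caches live under `$HOME/.cache`; the `AUR_CACHE` variable and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: look for the indicators named in the article on one host.
BAD_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"
BAD_REPO="zenbrowser-patch.git"

# Read "name version" lines (the format of `pacman -Qm`) on stdin and
# print every line whose package name is one of the three reported names.
find_bad_installed() {
    while read -r name version; do
        for bad in $BAD_PKGS; do
            if [ "$name" = "$bad" ]; then
                printf '%s %s\n' "$name" "$version"
            fi
        done
    done
    return 0
}

# Print the path of every PKGBUILD under directory $1 that references the
# reported repository name. A cached PKGBUILD can survive package removal,
# so this catches hosts where the package was built and later uninstalled.
find_bad_pkgbuilds() {
    grep -rlF --include=PKGBUILD -- "$BAD_REPO" "$1" 2>/dev/null || true
}

# Constructed sample input (not real host data): expect exactly one hit.
demo() {
    printf '%s\n' 'yay-bin 12.0-1' 'firefox-patch-bin 1.0-1' | find_bad_installed
}

# Live use on an Arch host. AUR_CACHE is a hypothetical override; the
# default assumes the helper keeps its build directories under ~/.cache.
if command -v pacman >/dev/null 2>&1; then
    pacman -Qm | find_bad_installed
    find_bad_pkgbuilds "${AUR_CACHE:-$HOME/.cache}"
fi
```

Any output means the host installed or at least built one of the reported packages and should be handled as potentially compromised, since removing the package does not remove a RAT it already deployed.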