On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).
The affected malicious packages are:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.
We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.
According to the gamingonlinux discord, the following packages are also suspected to be compromised:
https://aur.archlinux.org/pkgbase/minecraft-cracked/
https://aur.archlinux.org/pkgbase/ttf-ms-fonts-all/
https://aur.archlinux.org/pkgbase/vesktop-bin-patched/
https://aur.archlinux.org/pkgbase/ttf-all-ms-fonts/
If you have any of these packages installed, immediately delete it and check your system processes for a process called systemd-initd (this is the RAT).
Here is an analysis of the malicious payload: https://www.virustotal.com/gui/file/d9f0df8da6d66aaae024bdca26a228481049595279595e96d5ec615392430d67
<package>.install scripts which don’t have to be explicitly mentioned in the PKGBUILD if it shares the same name as the package.
Can you show a reproducible example of this? I couldn’t get a <package>.install included in a test package I made without explicitly adding it as install=<package>.install.
Most people claim they read the PKGBUILD (which I don’t believe tbh)
If you don’t trust people to read PKGBUILDs I’m curious which form of software installation (outside of official repositories) you find safe.
The way Nix handles things seems so cool. And if you want to prevent a program from doing things it’s not supposed to, then a protocol that makes sure it has its own copy of everything it’s allowed to use would be necessary (if development isn’t gonna be super obtuse).
Because I don’t have to track the updates and manage its uninstall.
Might as well ditch your computer and grab a notebook.
You’re literally executing random shell scripts by strangers as root.
You’re literally not doing that. Escalated permissions are needed for installing dependencies and installing the resulting package, not for building. Just try running makepkg as root and see what happens.
Yes you literally do when you install the package. You’re thinking of building the package. makepkg -i will prompt for root. pacman -U requires root. Both will execute the install() function of the PKGBUILD as root.
Not every PKGBUILD contains a .install file. So again, it is not inherently the case that you’re “literally executing random shell scripts by strangers as root.” slackness has it right that most people probably don’t read the install files, but it seems to me that their prevalence in the AUR is overstated here.
What am I making up? That most AUR packages don’t have a .install file? You couldn’t be bothered to say what I got wrong or provide any evidence to back it up so I can only assume. But if you have issue with me speculating about how common .install files are in the AUR, fine. Here are some numbers.
Out of the 2500 packages I analyzed, only 19.08% of them had an install list in their PKGBUILD. One could very easily use the AUR and never, and I quote, “literally [execute] random shell scripts by strangers as root.”
I also dug deeper regarding your claim that install files “don’t have to be explicitly mentioned in the PKGBUILD if it shares the same name as the package.” I can’t find any evidence of that. It doesn’t have to be listed in the sources, which is probably what you meant.
Clearly these couldn’t be the things I’m wrong about, so I await your careful clarification.
edit: Alright it’s clear that you’re not capable of grown-up discussion. You’re blocked.
The higher the percentage of Linux usage, the more likely it is that these cases will occur. Most people use Arch because of the AUR repository, without reading the PKGBUILDs, and install random programs from that repository that give root access to the system. The AUR is a security hole in Arch and should only be used for trusted sources and programs that are widely used by the community, and yet it is still a security hole for a system. When analysing this issue years ago I understood that it is better for me to have a system with a strong security configuration done by experts in the field. For me a distribution has to have these basic security tools to be considered a secure distribution: secure boot, SELinux and a firewall. And along with these tools, do not install anything from external repositories. Only by fulfilling these requirements can we consider that we have a security-enforced Linux distribution.
SDesk: Arch with SELinux, but not completely OSS. Didn’t test it.
RAT?
Remote Access Trojan
They send this little guy to hack your PC?
This is a great time to double check what AUR packages you have installed and remove stuff you don’t need: pacman -Qm to check.
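As an added example (not from the thread or the Arch team), here is a small POSIX shell audit that ties together the checks discussed above: it takes the output of pacman -Qm, flags any of the package names listed in the thread, looks for the systemd-initd process name, and reports which foreign packages had an install script that pacman ran as root (pacman keeps it under /var/lib/pacman/local/<name>-<version>/install). The function names and the sample input are assumptions constructed for offline use; only the package names and the process name come from the thread.

```shell
#!/bin/sh
# AUR compromise audit helpers (added example, not the page's own code).
# Assumes pacman and ps on a real Arch system; the functions read their
# input from stdin so they can also be run on constructed sample text.

# Process name the thread attributes to the RAT.
RAT_PROC="systemd-initd"

# Package names reported as malicious or suspected in the thread.
SUSPECT_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin
minecraft-cracked ttf-ms-fonts-all vesktop-bin-patched ttf-all-ms-fonts"

# stdin: `pacman -Qm` output ("name version" per line).
# Prints each installed name that is on the suspect list.
find_suspect_packages() {
    while read -r name _version; do
        for s in $SUSPECT_PKGS; do
            [ "$name" = "$s" ] && echo "$name"
        done
    done
    return 0
}

# stdin: `ps -eo comm=` output (one process name per line).
# Prints 1 if the RAT process name is running, 0 otherwise.
rat_process_running() {
    if grep -qx "$RAT_PROC"; then echo 1; else echo 0; fi
}

# stdin: `pacman -Qm` output. $1: pacman local db dir (assumed default
# /var/lib/pacman/local). Prints names whose db entry carries an install
# script, i.e. the packages whose .install hooks pacman executed as root.
list_packages_with_install_script() {
    db="${1:-/var/lib/pacman/local}"
    while read -r name version; do
        [ -f "$db/$name-$version/install" ] && echo "$name"
    done
    return 0
}

# Live run only where pacman exists; harmless elsewhere.
if command -v pacman >/dev/null 2>&1; then
    echo "Suspect AUR packages installed:"
    pacman -Qm | find_suspect_packages
    echo "RAT process running: $(ps -eo comm= | rat_process_running)"
    echo "Foreign packages with an install script:"
    pacman -Qm | list_packages_with_install_script
fi
```

Review the packages in the last list by hand; an install script is normal for many legitimate packages, so that list is a reading list, not a verdict.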