While the Arch Linux AUR repository can be popular for fetching some packages not found in Arch Linux proper, it’s important to keep in mind that AUR stands for the Arch User Repository. These user packages aren’t always the best and rarely can be done with malicious intent as shown this week with an advisory over several malicious browser packages being briefly pedaled through AUR.
An Arch Linux user on Wednesday uploaded malicious AUR packages of firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin. These AUR packages ended up installing a binary file from a GitHub repository that ended up being a remote access trojan.
Arch Linux administrators were made aware of these malicious packages and as of Friday they were removed. It’s important to reiterate that these malicious packages were just in the Arch User Repository (AUR) and were not part of the official Firefox browser on Arch Linux or similar. In any event a good public service announcement to remind users to exercise caution when relying on Arch Linux’s AUR, Ubuntu PPAs, third-party Flatpaks / Snaps, and other user-contributed packages not always vetted by Linux distribution vendors.
More information on these compromised AUR packages via the Arch Linux aur-general mailing list.
