Malware Found In AUR Source or Build Script For Firefox

Post by Zema Bus »

While the Arch Linux AUR repository can be popular for fetching some packages not found in Arch Linux proper, it's important to keep in mind that AUR stands for the Arch User Repository. These user packages aren't always the best and rarely can be done with malicious intent as shown this week with an advisory over several malicious browser packages being briefly peddled through AUR.

An Arch Linux user on Wednesday uploaded malicious AUR packages of firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin. These AUR packages ended up installing a binary file from a GitHub repository that ended up being a remote access trojan.

Arch Linux administrators were made aware of these malicious packages and as of Friday they were removed. It's important to reiterate that these malicious packages were just in the Arch User Repository (AUR) and were not part of the official Firefox browser on Arch Linux or similar. In any event, this is a good public service announcement to remind users to exercise caution when relying on Arch Linux's AUR, Ubuntu PPAs, third-party Flatpaks / Snaps, and other user-contributed packages not always vetted by Linux distribution vendors.

More information on these compromised AUR packages via the Arch Linux aur-general mailing list.
From phoronix.com

Re: Malware Found In AUR Source or Build Script For Firefox

Post by Grogan »

That's why it's important for users to understand what they are building. I look over every PKGBUILD (I'd do it anyway to see what I want to change). If I'm taking a PKGBUILD from AUR, I certainly intend to modify it; I'm just using it as a starting point to build something my way. I often have to gut a lot of silly things from them.

I'd never use a binary repack in the first place either (again, I'd see that and say fuck off and delete it); those are silly. Why can't I just go and get the binaries and run them as intended (if I were inclined to use binaries)?
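
The PKGBUILD review discussed in this thread, as an added example that is not part of either post or of the Arch tooling: a shell helper that statically lists the things worth a second look before building. The package name, hosts and file contents in the sample are constructed, and the checks are heuristics that assume conventional PKGBUILD layout; they do not replace reading the file.

```shell
#!/bin/sh
# Static pre-build review of a PKGBUILD. The file is only read with grep and
# never sourced, because sourcing a PKGBUILD executes whatever is in it.
audit_pkgbuild() {
    code=$(grep -Ev '^[[:space:]]*#' "$1" || true)   # drop comment lines
    has() { printf '%s\n' "$code" | grep -Eq "$1"; }

    # Binary repack: nothing is compiled locally, the download is the payload.
    if has "^pkgname=.*-bin[\"']?\$"; then
        echo "FLAG bin-repack: pkgname ends in -bin"
    fi
    # SKIP disables the hash check for a source (usual for VCS sources, but
    # the fetched content is then not pinned to anything you reviewed).
    if has "['\"]SKIP['\"]"; then
        echo "FLAG unpinned: a checksum entry is SKIP"
    fi
    # An install scriptlet is run by pacman as root; it needs review as well.
    if has "^install="; then
        echo "FLAG scriptlet: install= names a .install file to read too"
    fi
    # makepkg downloads source=() itself; a fetch inside prepare()/build()/
    # package() pulls content that no checksum array covers (heuristic match
    # on a download command at the start of a command).
    if has "(^|[;&|])[[:space:]]*(curl|wget|git[[:space:]]+clone)[[:space:]]"; then
        echo "FLAG fetch: download command inside the build script"
    fi
    # List every URL so it can be compared with the real upstream project.
    printf '%s\n' "$code" | grep -Eo "https?://[^\"' )]+" | sort -u | sed 's/^/URL /'
    return 0
}

# Constructed sample (hypothetical package and hosts, not from the incident).
sample=$(mktemp)
cat > "$sample" <<'EOF'
pkgname=example-browser-patched-bin
pkgver=1.0
pkgrel=1
install=example.install
source=("https://example.invalid/releases/browser-1.0.tar.gz"
        "patches::git+https://example.invalid/someuser/patches.git")
sha256sums=('SKIP' 'SKIP')
prepare() {
  curl -sL https://example.invalid/someuser/extra.bin -o extra.bin
}
EOF
audit_pkgbuild "$sample"
```

Any FLAG line is a prompt to read that part of the PKGBUILD (and the named .install file) by hand, and every URL line should point at a host the upstream project actually publishes from.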