If you installed the Firefox, LibreWolf, or Zen web browsers from the Arch User Repository (AUR) in the last few days, delete them immediately and install fresh copies.
A security warning from the Arch Linux maintainers highlights compromised packages of three of the leading Firefox-based browsers in the AUR. The distro hasn’t been breached. Unfortunately, the attack is a consequence of how Arch’s repositories are structured and maintained.
The warning concerns three browsers from the greater Mozilla family: Firefox itself; a fork called LibreWolf, which removes some Mozilla telemetry and otherwise tightens up Firefox’s security and privacy a bit more; and the fancy tiling Zen browser, which we looked at last year.
All three had compromised packages contributed to the AUR on July 16. The compromised packages were called librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin, and the modified versions reportedly contained a Remote Access Trojan (RAT). Less than two days later, the affected packages were identified and removed. If you installed them, remove them immediately and reboot. The official advice is to “take the necessary measures in order to ensure they were not compromised” – which is absolutely correct as far as it goes. The problem is, of course, that you need considerable Linux expertise to check for unknown processes running on your machine, or for unexpected traffic passing through your firewall.
Arch is not one of the big-name distros, but it is one of the most used. As we reported last year, about twice as many gamers use it as Ubuntu. This may in part be because Valve’s Steam Deck runs it. SteamOS 3 is based on Arch, and the company has been investing serious effort into improving the base OS.
The reason you don’t hear about Arch quite so much is that the companies that make most of the noise in the Linux world, issuing fancy surveys and so on, are mainly enterprise vendors. As a community-maintained rolling-release distro, Arch is the opposite.
This appeals to enthusiasts who have dabbled for a while and acquired some Linux knowledge. Arch has only a rudimentary installation program, and you have to install most of the components of your OS yourself. This gives certain types of user warm, fuzzy feelings of ownership and control.
It does make it harder to get a complete fully functional OS up and running, though, which is why there are multiple easier distros based upon Arch, but bundled with nice, easy graphical installers. As examples, we have looked at a few of these, including EndeavourOS, Garuda Linux, and Manjaro.
Between official Arch and the remixes, plus Steam Deck users, there are a lot of Arch users out there – and most of them aren’t likely to be used to conducting Linux security audits. Unfortunately, for non-techie Arch users who installed one of these browser packages, the most thorough solution is to back up all their stuff, reformat, and reinstall.
This is a snag in the way Arch works, but the “snag” is also one of the greatest strengths of the distro. Most distros only maintain official repositories with a restricted set of FOSS software. If you want an app that isn’t in the official repos – which often means proprietary freeware such as Chrome, Zoom, Slack, Steam, and so on – then you must use some external source of software, such as one of the big-name cross-distro app stores: the Canonical-backed Snap Store, or the Red Hat-backed Flatpak system and Flathub.
The AUR is Arch’s answer to this pickle. It’s a special package repo where skilled Arch users who have packaged Linux apps for their own use can upload and share their contributions. The AUR is separate and distinct from the main package repositories of the Arch project itself, which are called core, extra, and multilib, plus various testing repositories, and usually you must take some extra steps to add the AUR. On some Arch-based distros, you must use a different command to fetch software from the AUR, rather than the usual pacman command, which installs from the standard project repos.
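As an added illustration of the removal advice above and of the split between the official repos and the AUR, here is a small POSIX shell script written for this page (it is not from Arch, The Register, or any of the browser projects). It assumes that `pacman -Qm`, which lists packages not found in any configured official repo, prints one `name version` pair per line, and it compares those names against the three package names given in the advisory. The embedded sample input and its version strings are constructed placeholders, not real package data.

```shell
#!/bin/sh
# aur_check.sh (hypothetical name): flag installed foreign packages whose
# names match the three packages named in the Arch security warning.

# Package names taken from the advisory quoted in the article.
COMPROMISED="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"

# find_compromised: reads "name version" lines on stdin (the format that
# `pacman -Qm` prints) and echoes each line whose name is on the list.
find_compromised() {
  while read -r name version; do
    for bad in $COMPROMISED; do
      if [ "$name" = "$bad" ]; then
        printf '%s %s\n' "$name" "$version"
      fi
    done
  done
}

# Constructed sample of `pacman -Qm` output; versions are placeholders.
SAMPLE='yay 0.0-1
firefox-patch-bin 0.0-1
neofetch 0.0-1'

case "${1:-}" in
  --demo) printf '%s\n' "$SAMPLE" | find_compromised ;;  # prints: firefox-patch-bin 0.0-1
  "")     : ;;                                           # sourced or no args: define only
  *)      find_compromised < "$1" ;;                     # read a saved pacman -Qm listing
esac
```

On a real Arch system, save the foreign-package list with `pacman -Qm > foreign.txt` and run `sh aur_check.sh foreign.txt`; any line it prints is a package to remove with `sudo pacman -Rns <name>` before rebooting, as the advisory says. A clean result from this script only confirms that those three packages are not currently installed; it does not prove that a machine on which they were installed earlier is uncompromised, which is the harder check the article describes.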
So, as with so much in life, there’s a balance. On the good side, with just one extra step (adding the AUR), Arch users gain access to native packages of almost any and every Linux app in the world. But on the bad side, lots of these packages come from a chaotic free-for-all source that is largely unpoliced and occasionally contains nasty surprises. This is not the first time someone’s put malware in the AUR. The Register was reporting on it way back in 2018 and there are a lot more Arch users now than then.
This is not a unique issue. The same year, The Reg reported on malware in the Snap Store, and Canonical, too, banished it within two days. Even so, we reported on similar problems last year.
Other app stores have comparable issues. The bulk of Flathub’s apps are not official packages, and when we looked at Linux Mint 22, we noted that its setting to only show verified packages on Flathub left a very sparse menu. Unofficial packages caused problems for OBS Studio users on Fedora, too. Malware has also cropped up on the Google Play Store, and more than once.
There is no easy answer to this. There are bad people in the world and always will be. The Arch project isn’t at any fault here. ®