{
	"id": "5c3de3b9-3aa9-4104-a65f-ce2d13711c47",
	"created_at": "2026-04-06T00:10:08.781189Z",
	"updated_at": "2026-04-10T13:12:12.590088Z",
	"deleted_at": null,
	"sha1_hash": "cad6a911e2c04890d4361a35ceb4c661a97ed1db",
	"title": "Malware Found in Arch Linux AUR Package Repository",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 610276,
	"plain_text": "Malware Found in Arch Linux AUR Package Repository\r\nBy Catalin Cimpanu\r\nPublished: 2018-07-10 · Archived: 2026-04-05 16:12:56 UTC\r\nMalware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official\r\nArch Linux repository of user-submitted packages.\r\nThe malicious code has been removed thanks to the quick intervention of the AUR team.\r\nInfo-stealer found in \"acroread\" Arch Linux package\r\nThe incident happened because AUR allows anyone to take over \"orphaned\" repositories that have been abandoned by their\r\noriginal authors.\r\nOn Saturday, a user going by the pseudonym of \"xeactor\" took over one such orphaned package named \"acroread\" that\r\nallows Arch Linux users to view PDF files.\r\nAccording to a Git commit to the package's source code, xeactor added malicious code that would download a file named\r\n\"~x\" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.\r\nWhen a user installed the xeactor package, the user's PC would download and execute the ~x file [VirusTotal, source\r\ncode], which would later download and run another file named \"~u\" [VirusTotal, source code].\r\nBesides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file\r\nevery 360 seconds.\r\nMalware didn't do much\r\nThe purpose of the second file (~u) was to collect data about each infected system and post these details inside a new\r\nPastebin file, using the attacker's custom Pastebin API key.\r\nCollected data includes details such as the date and time, machine's ID, CPU information, Pacman (package manager)\r\ndetails, and the outputs of the \"uname -a\" and \"systemctl list-units\" commands.\r\nNo other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely\r\ncollecting data in preparation for... something else.\r\nThere isn't a self-update mechanism included, meaning xeactor would have needed a second acroread package update to\r\ndeploy more intrusive code, or potentially another malware strain.\r\nTwo other yet-to-be-named packages also found infected\r\nThe AUR team also said it found similar code in two other packages that the xeactor user had recently taken over. The\r\nfollowing packages and versions were known to be affected:\r\nacroread 9.5.5-8\r\nbalz 1.20-3\r\nminergate 8.1-2\r\nAll malicious changes to all three packages have now been reversed, and xeactor's account has been suspended. The AUR\r\nrepository should not be confused with official packages in the Arch Build System (ABS). AUR packages are user generated\r\nand submitted to the repository, while ABS packages are official packages from trusted sources. The Arch Linux team has\r\nwarned users for years about verifying each AUR package before installing it.\r\nThe Arch Linux team is the second Linux distro that has found malware on its user-submitted package repository this year.\r\nIn May, the Ubuntu Store team found a cryptocurrency miner hidden in an Ubuntu package named 2048buntu.\r\nSource: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/"
	],
	"report_names": [
		"malware-found-in-arch-linux-aur-package-repository"
	],
	"threat_actors": [],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cad6a911e2c04890d4361a35ceb4c661a97ed1db.pdf",
		"text": "https://archive.orkl.eu/cad6a911e2c04890d4361a35ceb4c661a97ed1db.txt",
		"img": "https://archive.orkl.eu/cad6a911e2c04890d4361a35ceb4c661a97ed1db.jpg"
	}
}