If you installed certain packages from the AUR (Arch User Repository) in the past few days, you might have been infected with a RAT (Remote Access Trojan)—specifically, the Chaos RAT.

The compromised packages are: -librewolf-fix-bin -firefox-patch-bin -zen-browser-patched-bin

Three other suspicious packages were also removed: -minecraft-cracked (this one targets kids looking for free games) -ttf-ms-fonts-all (pretending the normal ttf-ms-fonts package is incomplete) -vesktop-bin-patched (Vesktop is a popular Discord client)

All these packages installed the same malware: Chaos RAT, which gives attackers remote control over the infected system, potentially allowing them to steal data or perform other malicious actions.

If you installed any of these packages, do the following immediately:

-Remove the package with pacman -R package-name. -Check for a running process called systemd-initd (this is the RAT in disguise; it may hide in locations like /tmp). -If you find it, kill the process and seriously consider reinstalling your entire system, as RATs are difficult to completely remove and may have left backdoors or caused further damage.

Note: The malware was downloaded and executed during the installation of these packages, so just uninstalling may not be enough—comprehensive checking and possibly a full system reinstall are recommended.

For future safety, review AUR package PKGBUILDs before installing and be cautious with non-official packages, as AUR has no formal review process.

Also : https://youtu.be/kGubIjUVM-E