Arch Linux

ttoirrah

Member

Registered: 2015-01-29

Posts: 61

aur-scan scan reports CHAOS RAT in nvidia-470xx-utils

I've been using nvidia-470xx-utils for my GeForce 700 series card for ages.
Alerted by the recent reports of malware in AURs, I scanned. Here:

$ aur-scan scan ~/.cache/traur/git/nvidia-470xx-utils
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:21
  Code:         'systemd-homed-override.conf'
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:22
  Code:         'systemd-suspend-override.conf'
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:294
  Code:     install -Dm644 "${srcdir}"/systemd-homed-override.conf "${pkgdir}"/usr/lib/systemd/system/systemd-homed.service.d/10-nvidia-no-freeze-session.conf
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:295
  Code:     install -Dm644 "${srcdir}"/systemd-suspend-override.conf "${pkgdir}"/usr/lib/systemd/system/systemd-suspend.service.d/10-nvidia-no-freeze-session.conf
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:296
  Code:     install -Dm644 "${srcdir}"/systemd-suspend-override.conf "${pkgdir}"/usr/lib/systemd/system/systemd-suspend-then-hibernate.service.d/10-nvidia-no-freeze-session.conf
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:297
  Code:     install -Dm644 "${srcdir}"/systemd-suspend-override.conf "${pkgdir}"/usr/lib/systemd/system/systemd-hibernate.service.d/10-nvidia-no-freeze-session.conf
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506
[CRITICAL] PERSIST-006 Systemd masquerading
  Binary named like systemd component is suspicious. CHAOS RAT used 'systemd-initd'.
  Location: /home/jo/.cache/traur/git/nvidia-470xx-utils/PKGBUILD:298
  Code:     install -Dm644 "${srcdir}"/systemd-suspend-override.conf "${pkgdir}"/usr/lib/systemd/system/systemd-hybrid-sleep.service.d/10-nvidia-no-freeze-session.conf
  Recommendation: Verify this is a legitimate systemd component
  Reference: CWE-506

- should I be alarmed?

Nikolai5

Member

From: North West, England, UK

Registered: 2024-01-27

Posts: 277

Re: aur-scan scan reports CHAOS RAT in nvidia-470xx-utils

You can look at the files its referencing, they appear to be environment variable overrides, I assume for features that the Nvidia driver doesn't play well with.

"Verify this is a legitimate systemd component", well its not, its just a configuration file to toggle a setting off.

Environment="SYSTEMD_HOME_LOCK_FREEZE_SESSION=false"
Environment="SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=false"

---

Ryzen 7 9850X3D | AMD 7800XT | KDE Plasma

seth

Member

From: Won't reply 2 private help req

Registered: 2012-09-03

Posts: 76,213

Re: aur-scan scan reports CHAOS RAT in nvidia-470xx-utils

Don't remove that, https://bbs.archlinux.org/viewtopic.php?id=296954

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Tiikerihai

Member

Registered: 2025-06-25

Posts: 25

Re: aur-scan scan reports CHAOS RAT in nvidia-470xx-utils

You should read the pkgbuild yourself instead of using clueless AI. Everything in it is sourced from nvidia, so unless nvidia is installing CHAOS RAT (might be), this is a perfectly normal nvidia driver package.

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 25,246

Re: aur-scan scan reports CHAOS RAT in nvidia-470xx-utils

Moving to AUR issues