Arch AUR Under Fire Once More as Malware Resurfaces

Just ten days after a previous incident, malware with a Remote Access Trojan has once again been discovered in Arch Linux AUR packages.

The AUR (Arch User Repository)—a community-driven collection of software contributed by Arch users—has long been seen as one of Arch Linux’s biggest strengths, often called its hidden gem. But over the past two weeks, it’s been stirring up some serious concern among its massive user base.

Just ten days ago, a few software packages in the AUR were found to contain a Remote Access Trojan (RAT), hidden in packages tied to some of the most popular web browsers. Of course, the AUR team acted quickly and pulled them right away. But now, here we are again—it’s happened all over.

It’s pretty shocking that this time around, the situation is almost exactly the same—a package called google-chrome-stable doesn’t just install Google’s browser, but also runs a RAT on your system. That kind of malware can potentially give attackers control over the infected machine, letting them steal data, install more malicious software, or spy on users.

The package in question was uploaded earlier today by a user who had just registered a few hours ago under the nickname forsenontop.

The user account that uploaded the malicious software to AUR.

So, what’s actually going on? In the AUR’s PKGBUILD for the google-chrome-stable package, there’s an install directive that points to a file called google-chrome-bin.install. That file, in turn, calls a launcher script named google-chrome-stable.sh.

But if you take a closer look, you’ll quickly notice something suspicious—before Chrome even starts, the script runs a Python command that pulls in an external resource. That resource then downloads and launches malicious software every single time you start Chrome.

Just for clarification, the -c option tells Python to execute a command passed as a string directly from the command line.

AUR package (google-chrome-stable), injected with malware.
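The chain described above (PKGBUILD install directive, .install hook, launcher script) is exactly the kind of thing a reviewer can check before running makepkg. The script below is an added example, not code from the article or from the AUR project: it reads a package directory, follows the install= reference, scans the hook and every shipped shell script, and flags lines that invoke an interpreter on an inline string (python -c), fetch from the network, decode-and-eval, or write to hidden paths. The regexes are assumed heuristics, and the sample package that build_sample_package() writes is constructed for the demo (the URL and file contents are placeholders, not the real package).

```python
"""Audit an AUR package directory for install-time or launch-time code that
reaches out to the network.

Added example; not the article's code nor anything from the AUR project.
It follows the chain the article describes: PKGBUILD 'install=' -> .install
hook -> launcher script, and flags lines that fetch remote content or run
an interpreter on an inline string (e.g. 'python -c ...').  The regexes are
assumed heuristics, and the sample package written by build_sample_package()
is constructed for the demo (URL and contents are placeholders).
"""
import glob
import os
import re
import tempfile

# (label, regex) pairs a reviewer would want flagged.  Heuristic, not an
# official AUR check; extend to taste.
SUSPICIOUS = [
    ("inline interpreter", re.compile(r"\b(python[23]?|perl|ruby|node)\s+-[ce]\b")),
    ("network fetch", re.compile(r"\b(curl|wget|nc|ncat)\b|urllib|urlopen|requests\.get")),
    ("decode or eval", re.compile(r"base64\s+(-d|--decode)\b|\beval\b")),
    ("hidden path", re.compile(r"/tmp/|/dev/shm/|\$HOME/\.[A-Za-z]")),
]

# install=<file> line in a PKGBUILD (quotes optional).
INSTALL_RE = re.compile(r"^\s*install\s*=\s*['\"]?([^'\"\s]+)", re.M)


def scan_text(name, text):
    """Return (file, line number, label, line) for every flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # skip blanks and comments
            continue
        for label, rx in SUSPICIOUS:
            if rx.search(line):
                findings.append((name, lineno, label, stripped))
    return findings


def audit_package(pkgdir):
    """Scan PKGBUILD, the install= hook it names, and every *.sh shipped alongside."""
    findings = []
    with open(os.path.join(pkgdir, "PKGBUILD")) as fh:
        pkgbuild = fh.read()
    findings += scan_text("PKGBUILD", pkgbuild)

    to_scan = []
    m = INSTALL_RE.search(pkgbuild)
    if m:
        to_scan.append(m.group(1))
    # Launcher/wrapper scripts are local source files; scan all of them.
    to_scan += [os.path.basename(p) for p in glob.glob(os.path.join(pkgdir, "*.sh"))]

    for name in sorted(set(to_scan)):
        path = os.path.join(pkgdir, name)
        if not os.path.exists(path):
            findings.append((name, 0, "referenced file missing", ""))
            continue
        with open(path) as fh:
            findings += scan_text(name, fh.read())
    return findings


def build_sample_package():
    """Write a constructed package directory mirroring the layout in the article."""
    d = tempfile.mkdtemp(prefix="aur-audit-")
    files = {
        "PKGBUILD": (
            "# constructed sample, not the real google-chrome PKGBUILD\n"
            "pkgname=google-chrome-stable\n"
            "pkgver=1.0\n"
            "pkgrel=1\n"
            "install=google-chrome-bin.install\n"
            'source=("https://example.invalid/chrome.deb" "google-chrome-stable.sh")\n'
        ),
        "google-chrome-bin.install": (
            "post_install() {\n"
            "  update-desktop-database -q\n"
            "}\n"
        ),
        "google-chrome-stable.sh": (
            "#!/bin/sh\n"
            "# constructed stand-in for the fetch-before-launch line the article describes\n"
            "python -c 'import urllib.request; print(\"stand-in\")'\n"
            'exec /opt/google/chrome/google-chrome "$@"\n'
        ),
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for f, n, label, line in audit_package(build_sample_package()):
        print(f"{f}:{n}: [{label}] {line}")
```

Run it against a real checkout (git clone of the AUR package, then audit_package on that directory) to get a list of lines worth reading by hand; a hit is not proof of malice (a legitimate wrapper may call curl), but a launcher that reaches the network before starting the browser is exactly the pattern this incident used.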

The good news—if you can call it that—is that the google-chrome-stable package was available on the AUR only for a few hours before the malware hidden inside was discovered. Still, it did get a few upvotes, which suggests at least some users ended up installing it.

Thankfully, once the report came in, AUR admins acted immediately and pulled the package. So, if you installed it, make sure to remove it right away and do a full security check on your system. But honestly, in a situation like this, doing a full OS reinstall is really the only guaranteed way to fix things and give you peace of mind.

In the end, this latest incident brings up the same old question: just how safe is it to use software from AUR? One thing needs to be clear, though—Arch developers aren’t responsible for what’s in the AUR. The software there is completely contributed to and maintained by the Arch community, and the Arch team does not officially support it.

That said, it’s probably a smart move to tighten the rules around how software gets uploaded there. This latest incident shows just how easy it is for a completely fake account—created just a few hours earlier—to upload something with a name like google-chrome-stable. And let’s be honest, a name like that looks totally legit to most people. Without taking a closer look at what’s actually inside, a lot of users just go ahead and install it.

Looking at the pattern, it’s clear that browsers are the go-to target for spreading malicious software—just like in the previous incident. And honestly, that’s not surprising. Browsers are among the most popular and widely installed apps out there.

So, next time you’re about to install something from AUR, take a second to check if the package has a solid track record. A package with some history behind it gives you at least a little peace of mind. But whatever you do, never install something that was just uploaded and has no background—no matter how trustworthy the name might sound.
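The track-record check suggested above can be scripted against the public AUR RPC endpoint, which reports when a package was first submitted, how many votes it has, who maintains it and whether it is flagged out of date. The script below is an added example, not the article's code and not an official AUR tool: it reads those fields from a v5 "info" response and turns them into a short list of concerns. The thresholds (30 days, 5 votes) are assumptions, and the two records in SAMPLES are constructed to stand in for a freshly uploaded package and a long-established one; fetch_info() does the live lookup when you want real data.

```python
"""Check an AUR package's track record before installing it.

Added example; not the article's code and not an official AUR tool.  It uses
the public AUR RPC v5 'info' endpoint (https://aur.archlinux.org/rpc/) and
reads the FirstSubmitted, LastModified, NumVotes, Maintainer and OutOfDate
fields it returns.  The thresholds are assumptions, and the two records in
SAMPLES are constructed (not real AUR data) for an offline demo.
"""
import json
import time
import urllib.parse
import urllib.request

DAY = 86400

# Fixed "current time" so the constructed samples give stable numbers.
NOW = 1_753_000_000
SAMPLES = {
    "brand-new-pkg": {            # uploaded five hours ago by a fresh account
        "Name": "brand-new-pkg",
        "Maintainer": "newuser-example",
        "FirstSubmitted": NOW - 5 * 3600,
        "LastModified": NOW - 5 * 3600,
        "NumVotes": 3,
        "Popularity": 0.4,
        "OutOfDate": None,
    },
    "established-pkg": {          # three years of history, many votes
        "Name": "established-pkg",
        "Maintainer": "longtime-example",
        "FirstSubmitted": NOW - 3 * 365 * DAY,
        "LastModified": NOW - 20 * DAY,
        "NumVotes": 900,
        "Popularity": 12.3,
        "OutOfDate": None,
    },
}


def fetch_info(pkgname):
    """Live lookup via the AUR RPC (not used by the offline demo)."""
    q = urllib.parse.urlencode({"v": 5, "type": "info", "arg[]": pkgname})
    with urllib.request.urlopen(f"https://aur.archlinux.org/rpc/?{q}") as resp:
        data = json.load(resp)
    return data["results"][0] if data.get("resultcount") else None


def assess(pkg, now=None, min_age_days=30, min_votes=5):
    """Return human-readable concerns; an empty list means 'looks established'."""
    now = time.time() if now is None else now
    concerns = []
    age_days = (now - pkg["FirstSubmitted"]) / DAY
    if age_days < min_age_days:
        concerns.append(f"first submitted only {age_days:.1f} days ago")
    votes = pkg.get("NumVotes", 0)
    if votes < min_votes:
        concerns.append(f"only {votes} votes")
    if not pkg.get("Maintainer"):
        concerns.append("orphaned (no maintainer)")
    if pkg.get("OutOfDate"):
        concerns.append("flagged out of date")
    # A package that has never been touched since its upload has no review history.
    if pkg.get("LastModified") == pkg["FirstSubmitted"]:
        concerns.append("never modified since upload")
    return concerns


def verdict(pkg, now=None):
    """One-line summary suitable for a pre-install hook or a helper's output."""
    if assess(pkg, now):
        return "read the PKGBUILD and scripts before installing"
    return "established"


if __name__ == "__main__":
    for name, pkg in SAMPLES.items():
        print(name, "->", verdict(pkg, NOW), assess(pkg, NOW))
```

A clean result is not a guarantee (a long-standing package can be hijacked), but a package that fails every one of these checks is the "just uploaded, no background" case the article warns about, regardless of how official its name sounds.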

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

15 Comments

  1. Zephyr

    On the one hand, it’s good that this “hacker” is so inept as to only target software that has base packages (you use AUR for stuff not in the repo, and Chrome is definitely in the repo); on the other, it’s a little bit worrying. Perhaps there should be at least an automatic scanner running on the AUR servers to scan every new package for known malware (unpacking the package and running a basic signature check against any executables) before making said package officially downloadable to the public? That process could be done automatically.

    1. Alex

      Chrome is NOT in the repo (probably for legal reasons). Chromium is.

  2. Clark

    AUR has security advantages over PPAs or many other third-party repositories.
    You can read and check the install scripts; they’re straightforward to read and you immediately see what they do and where they get their data, whereas the other third-party repositories are mainly already-compiled black boxes you install without being able to check anything.

    But (new Arch) users need to learn that they have to check what they install instead of just clicking “ok”.

    AUR gives us this possibility and using our brain will always be the first and best antivirus.

    Education to safety is the best option to stay safe on Linux.

    1. Zephyr

      While I agree with you about that, there could still be a security scanner on the AUR end of things that would build the package in a dummy environment and then run a signature scan against known malware (both Linux and Windows, as recently there’s a trend of malware vendors making their code Wine-compatible). That process could be done automatically on each new package upload.

      1. Clark

        The first malware some days ago was recognized by VirusTotal…
        Maybe they could use the VirusTotal API to automatically check new install scripts.
        But it will only be for malware in install scripts.
        There is still the need to check where the install script downloads the sources/patches (or binary package) from to install it.
        If it gets a deb package from HP servers to install a printer driver, it’s okay, but getting this same package from an unknown GitHub or another server… warning.
        Hard to automate these checks (AI may in some time perhaps 😉 )

        1. Tom

          Nothing is going to change, and VirusTotal is not enough since malware can be hidden in a compressed format, plus malware can be downloaded after the fact. I have never used software sources that are not from trustworthy common companies or projects, and nowadays you can get almost anything you want from official sources. The majority of Linux users that have joined for privacy reasons or that are anti big tech have no idea how to code, let alone check for malware. Heck, the SSH backdoor a year or so ago that threatened almost every distro was only discovered by accident, and the few people that are checking anything at all are not checking the majority of the stuff on there. Both Snap and Flathub offer official sources as options, and so do most major software projects. I see no reason for this dumpster fire of a software source, nor would I allow any device on my network that used it.

    2. Anonymous

      Surely, relying on every single user to check the security of every piece of software they install from repositories is extreme duplication (well, multiplication) of work, and not a reasonable security strategy?

      1. Clark

        Packages have a score. When you see an old package with high score… you can think it’s safe, but when it’s a brand new package, yes you should read the install script.

        AND YES YES YES!!! It’s one of the most perfect strategies!
        AUR install scripts, being simple text files, allow you to do that.

        Arch is about its community, and even more so AUR (Arch USER Repository).
        Each user of the community is able to be part of its security simply by checking what he installs.
        THAT is what is called community spirit! Act together for everyone’s greatest benefit!

        People seem to forget that about Linux nowadays…

  3. Josef

    I also think that this is a foolish, organized effort by unscrupulous actors to push through stupid Flats or Snaps packages or undermine people’s trust in Linux.

    1. Anonymous

      People have always been pushing malware. Doesn’t require a deep conspiracy. Occam’s razor, dude…

  4. Jaime Antonio González

    AUR has been the same from the very beginning… and there weren’t issues like this until now… either it went unnoticed for several years, or there’s an organized effort by bad actor(s) to either push “modern” packaging (like Snaps or Flats) or to undermine people’s confidence in Linux.

    1. Zephyr

      Malware being pushed so hard is a sign that the Year of the Linux Desktop might be upon us. Jokes aside, perhaps malware vendors just target the popular distros because they see that Linux is on the uptake. So they target the most commonly used distros (Arch & Debian and any related such as Manjaro, Ubuntu, Artix, Mint, etc.) to get to people’s stuff.

    2. Anonymous

      No reason to go all tinfoil hat. People have been trying to push malware for essentially as long as there has been an internet.

  5. Matt

    Arch is rubbish, and it already lacks modern security features like SELinux. Besides that, it would take a team of people likely years to fully take advantage of it, since most people will never fully understand it, and AppArmor is basically doing nothing without more effort and additional steps, which can also take some time without a team of people improving it for everyone. Arch has been last to adopt other security features over the years also. These rubbish packages that Arch allows should just be dropped, removed and blocked from the distro, since only trustworthy sources should be used, and warning people about the dangers is not enough since people have no idea what is safe and will use the rubbish unsafe packages anyway.

  6. FabioLolix

    also for ttf-mac-fonts-all [PRQ#74992], ttf-ms-fonts-all [PRQ#74993], chrome [PRQ#74997], google-chrome-bin [PRQ#74996]

    > It’s pretty shocking that this time around […]

    honestly not
