I installed a program via the repo (on Manjaro Cinnamon), and I found a program that pretty much proved to be malware.
In order to prevent flaming or false accusations here, I don’t fancy mentioning the details here, but I should have the Manjaro team look into it.
My approach would be
to ask whether $PROGRAM was intended to behave a certain way - whether what you observed is normal.
That way I would not accuse anyone of anything but still have everyone being able to look at your issue and possibly clarify right away.
If you would do it like that, you’d have to change the title, which pretty much is a foregone conclusion as of now. 
Good idea!
I installed Steam via the repo, whose client comes from some Github page. Now, I installed a non-Steam program to Steam, and when I browsed toward the game directory, the pulldown menus showed the content of directories that only SuperUsers should have access to, not even myself with my current login.
I am the SU of the system, but I wasn’t at the time that I started Steam, and naturally, I never run any game with root credentials.
I contacted Steam about it, and they told me that the Linux Steam client comes from some Github.
Another issue, perhaps related isue, is that Steam persistantly ignores the ‘disable cloud’ setting, and that it is extremely slow when logging in and starting games. Furthermore, at random moments, some Steam updater kicks in, proving that Steam runs things in the background.
So yeah, I am growing ever more wary of Steam, really.
And which might those be?
You can actually check the PKGBUILD · master · Packages / Multilib / steam · GitLab
And see that the source is this Index of /steam/pool/steam/s/steam/
And you can check further the validity of the package …
I have seen that before, and turned out that actually was 100% false positive. Unless you also provide the ways you arrived to your conclusion …
You can have custom location for your games. Without access to see those locations you could not set them up, but that does not mean that it can write on all of those locations. I really recommend this reading:
Please consult their knowledge base, it is stated quite clear what is what
The only directories a normal user can’t see inside would be /root (the root users home directory) and other users home folder. And maybe a couple of subfolders inside /etc/. The rest is viewable by regular users just not writable.
There is no malware in the repo.
A normal user can read almost anything on the system but only permissions to write to the user’s home.
When/If you install custom packages using AUR buildscripts, then you are responsible for validating if the application’s behaviour is within your acceptable parameters.
Using what?
Examples?
Also, i would refrain from concluding of a malware presence because the software give you “access to repositories you shouldn’t have access to”. In order to last the longer possible, malware shall rather make their intrusion unnoticed for the longest time possible, thus avoiding giving itself away this obviously; unless it is a damaging type malware, in which case it acts from the get go to wreck your system.
They were the content of some mount points that I made in /mnt, and which have the credentials root:root 700. Even I myself get to see a little ‘x’ mark on those directory icons, and when I try to open them, Linux won’t do it.
The reason that I suspect malware is because it seems that Steam runs a program, next to the client, and that this alternative program has root permissions.
Atm, it is the only hypothesis that I have.
And it is not any program that can access those directories, including bash and nemo.
It’s pretty easy to re-check that.
The content of a directory with owner root and 700 permissions is only readable by root.
The steam client had to have root permissions to show the content of these.
It seems?
With such permissions that steam client should be able to show you the contents of the /root directory as well.
Is it?
Hence my suspicion. I’m hoping that anybody here could provide me with another hypothesis, hopefully including a way to solve this.
Thus, I think that the Manjaro Team should look into this in more details. But where do I report this?
The Steam client can not access the /root/ folder for example when I try, rendering all your theory bogus, on my side.
what is needed and called for is a check (on your part)
There are no secrets here in mine - as an example:
LANG=C sudo ls -al /root
total 36
drwxr-x--- 6 root root 4096 18. Okt 22:43 .
drwxr-xr-x 17 root root 4096 20. Okt 22:59 ..
-rw------- 1 root root 1008 16. Okt 09:05 .bash_history
drwx------ 5 root root 4096 22. Okt 08:46 .cache
drwxr-xr-x 4 root root 4096 21. Sep 19:40 .config
-rw------- 1 root root 20 16. Okt 01:59 .lesshst
drwx------ 3 root root 4096 21. Sep 19:40 .local
drwxr-xr-x 3 root root 4096 11. Sep 14:21 .parallel
-rw-r--r-- 1 root root 165 11. Sep 13:59 .wget-hsts
Can your steam client see these?
So far, you have nothing to report but suspicions based upon no evidence
and no one else can replicate what you say you can do.
Dude…look into what? You provided nothing. Write a useful post, what did you install, how do you run it, how to replicate it, etc.
sudo tree -L 3 -p /mnt
To replicate it:
sudo mkdir -p /testcase/content;
sudo chmod 700 /testcase;
sudo chown root:root /testcase
Now, open Steam, select Games → “Add a non-Steam game to my library” → Browse
Now you should find that you can browse into the /testcase directory, even though you yourself should not be able to access that directory.
Let me know plz how it went…
sudo mkdir -p /testcase/content
sudo chmod 700 /testcase
sudo tree -L 3 -p /testcase
[drwx------] /testcase
└── [drwxr-xr-x] content
Folder is not visible, since it cannot open /testcase :
Ah thanks. That is very helpful information. So, apparently, it is not a common issue.
How did you add the screenshot to your reply, and get the code tag to line up nicely btw?
I’ll see if I can drop my screenshots here for you to look into it…
Well… if you run steam with root permissions, then it will find it. 
Yeah just copy and paste it here (TL0 cannot since spam protection), but please don’t post screenshots of text. Use markdown code blocks for that.
Thanks for how-to-reproduce. And I can’t - steam runs as myuser.
Post:
ps aux | grep steam
Use 3 backticks (```) before and after code. And don’t post screenshots of terminal.