That is weird. Vivaldi is Arch Packages list and so is Firefox. While Google Chrome and Brave are both in AUR. No wonder Google chrome was chosen as the target. The worlds most widely used browser became a vector of attack.
The Linxiac article is revelatory. The infected chrome package disables all the configuration done by google chrome and stored in ~/.config/chrome-flags.conf then it goes ahead and contacts the server segs.lol. After doing a reverse lookup, ping and DNS query it is found that this server has a IP address of 104.21.90.193 and is hosted in USA. This domain was registered on June 19th 2025.
