Of course not.  It was a completely separate fake package called google-chrome-stable.  Unless you actually installed that package, it would not have pulled it in.
You can search your pacman.log for google-chrome-stable.
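One way to run the pacman.log search suggested above, as an added example that is not part of the original post. It matches exact package names in ALPM transaction lines, so google-chrome is not confused with google-chrome-stable; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: what does pacman.log record for these exact package names?

# CONSTRUCTED sample log (timestamps and versions are made up for the demo).
sample_log() {
cat <<'EOF'
[2025-07-10T09:12:44+0200] [PACMAN] Running 'pacman -S firefox'
[2025-07-10T09:12:51+0200] [ALPM] installed firefox (140.0-1)
[2025-07-16T18:23:01+0200] [ALPM] installed google-chrome-stable (1.0-1)
[2025-07-17T08:02:10+0200] [ALPM] upgraded firefox (140.0-1 -> 140.0.1-1)
[2025-07-18T21:40:33+0200] [ALPM] removed google-chrome-stable (1.0-1)
EOF
}

# pkg_state PKGNAME...   (reads the log on stdin)
# Prints "<name> <state> <timestamp of last transaction>" per package, where
# state is never-seen, installed or removed according to the log history.
pkg_state() {
    awk -v names="$*" '
        BEGIN {
            n = split(names, want, " ")
            for (i = 1; i <= n; i++) state[want[i]] = "never-seen"
        }
        # Only ALPM transaction lines count; [PACMAN] command lines and
        # scriptlet output are ignored.
        match($0, /\[ALPM\] (installed|reinstalled|upgraded|downgraded|removed) /) {
            ts = substr($0, 2, index($0, "]") - 2)   # text inside the first [...]
            rest = substr($0, RSTART + 7)            # skip "[ALPM] "
            split(rest, f, " ")                      # f[1]=action, f[2]=package
            if (f[2] in state) {
                state[f[2]] = (f[1] == "removed") ? "removed" : "installed"
                when[f[2]] = ts
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], state[want[i]], ((want[i] in when) ? when[want[i]] : "-")
        }
    '
}

# Demo on the constructed log; on a real system use:
#   pkg_state google-chrome-stable < /var/log/pacman.log
sample_log | pkg_state google-chrome-stable google-chrome firefox
```

A `removed` result still means the package was installed at some point, which is the case to follow up on.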
Thanks, I did not think it would; just thought I would ask.
Well, installing the google-chrome from the AUR still comes with the privacy related issues as the .deb package is directly pulled from Google's server. That won't be as severe as a remote access trojan. But based on Google's thirst for data mining and targeted ad practices some may consider it as a malicious software package as well.
In short, ungoogled-chromium-bin would be a better choice, imho, as Google's webservice integrations are removed.
And as a new package related to a widespread software within the AUR won't be the first hit of the package search results, I don't think that this RAT and the other incidents which also used browser related naming patterns really were deployed successfully. In comparison: google-chrome retrieved 2209 votes and a popularity score of 10.04, has been updated only a few days ago. I guess nobody would choose a fresh package, without any votes or 0.00 popularity rating.
It’s essentially targeting machines with fresh installs where the user wants to install a browser quickly and relied on auto completion when using pacman / yay in the terminal. Then google-chrome-stable might sound like a good choice.
^^^ apples and apples, yes. chrome proper and chrome w/remote trojan. que differencia?
I agree as I use it daily. It’s a bear to set up from stuff like the chrome store fake-out, to installing your own dictionary but it’s worth it to me.
targeting low-hanging fruit, which I sometimes am in my haste
I definitely think we’re going to see more incidents like this happening as Linux, especially Arch based distros, become more popular from pewdiepie’s video and steamOS. A lot of Linux converts are likely going to install browsers like chrome or edge without understanding how the AUR works, how to read pkgbuilds, or how to interpret the voting system, which makes these packages prime targets.
Thank you for this. Emphasizes the need to make sure you know what a pkgbuild is doing BEFORE you run it. Personally, I avoid the AUR but for my printer, I need to use the brlaser-git package.
This also illustrates FOSS is not immune to viruses, supply chain compromises, or other attention from bad actors.
Well, it’s a well known and pretty obvious fact that the AUR’s voting system is only being used by a small percentage of the AUR’s users. Which I assume is also comparable to the rate of AUR users that don’t skip studying the PKGBUILD of each individual package (Which I also tend to not do).
Those packages are more likely to be installed, as the names are closer to the usual package names in the AUR. And they don’t pretend to be some random patches, but the browser itself.
Keep your eyes open, there’s something going on. 
If I was a statistician–which I’m not–I would think the chances of getting an aur-rat remain identical to what they were before the fff/wolf/zen guy showed up. Which is astronomically low. Statistically I would think your browser extensions would sell you down the river way before anything in the AUR would.
I don’t think the sky is falling but this kind of thing will produce copycats without doubt. It’s a novel, even creative, way to social engineer something to one’s advantage: linux users cannot have enough browsers :).
While I am, strangely, all about the numbers today I would wager a Fin that in the next 7 days some saintly diligent auditor will find a RAT or similar that’s been there for weeks..
Remedy? Don’t even know where to begin.
Viva la peoples that keep a watchdog eye on package content. They are the heroes to me.
Which is why I avoid browser extensions at all costs. Most people don’t know all browser extensions can read 100% of the traffic passing through your browser. If you trust the extension dev, fine, but in the case of a malicious extension masquerading as a legit extension, you are hosed.
Err…why do you think this? If that were the case, what would be the point of browser extension permissions?
only the famous UBO and a very aggressive extension called noscript on this browser.
I don’t know either dev though
NoScript is redundant with uBO.
You just need to select “I am an advanced user” and add the following rules:
* * 3p-frame block
* * 3p-script block
Then you can selectively allow script sources from different third parties, etc.
This is the minimum for the “Medium Mode” of uBO, and is outlined with images and such here:
Gorhill is the dev of uBO and is considered highly trustworthy.
Do you know the story of uBlock:Origin? Why it’s called that?
Well .. many years ago Raymond Hill (Gorhill) created the wonderful uBlock. It was moderately successful and gorhill sold it. To what appeared to be a reputable company. Then they made uBlock into one of those crappy not-very-good-at-all-blockers that track you etc. Gorhill then spread the word and recreated uBlock .. this time uBlock:Origin and pledged it would always be free and effective. Even refuses any donations because they don’t want to be ‘influenced’. Raymond is an internet community asset.
I’m skeptical of this redundancy you speak of because UBO is way passive and noscript itself cripples entire pages and makes them unusable the way I like them…their ootb behaviors are radically different for me to see the redundancy. But I’ll trust you since you invented the awesome MaClean.
But the 3p thing seems a world of possibilities. I will play with this. Thanks for the article. Reading it now.
Or disallow the crap out of them
Edit: I knew Gorhill’s role is special. I was always pissed at him for abandoning his other project that resembled noscript and was superior to UBO. Forgot name but I used it for years. He is a good fella though.
uBO is not passive.
And with the rules shown above (or more, like 1st-party) it can be just as disruptive as NoScript.
I just disabled 1st-party for endeavour and then the page is broken, just loading infinitely;
Well yeah that’s the point.
Block all third party by default.
You generally don’t want to .. but I also disallow 1st-party on some places.
Like youtube for me 1st-party is blocked along with 3rd-party but does require a few allows;
You mean uMatrix..
And that’s because, as mentioned above, it’s redundant with uBO configured correctly.
perhaps it’s psychological?
the great thing about umatrix and noscript is they put the hammer down immediately and you have to learn what you can disable incrementally to make a page sorta functional, like ebay or your bank, for instance. So you learn by how to back off.
To make UBO uber-effective you learn by adding. Hey, I’m always down to try. One extension would be my minimalist dream.
So you know the screenshots I keep showing?
You just click the red part of the left hand side of the section for 1st-party (3rd-party already assumed implemented) and it will be globally blocked as well.
The same can be for ‘inline-scripts’ and ‘3rd party’ (in general - not just scripts).
You then have “NoScript” for all pages and you must selectively allow (using the same grey/red boxes on the right hand side) each script source for any page.
PS.
This would be the same for the original 3rd-party noop rules.
You don’t need to use the text rules, you can use the GUI boxes.
But the equivalent for them all together would be
* * 1p-script block
* * 3p block
* * 3p-frame block
* * 3p-script block
* * inline-script block
I got it, it’s all good.
that is gold right there, and probably where I’ll start.
nobody reads this
aur also has pgp but there is a certain way to use aurvotes etc… Makes it easier if 0 votes to check if it’s new but don’t use it as an extra repo
What practical value does SElinux provide on a computer with a single user account? Arch Linux and arch-based distributions are typically used on personal computers with a single user account, and not in corporate organisations where more elaborate security policies and access controls are required.