Post Syndicated from jzb original https://lwn.net/Articles/1032193/

Linuxiac reports
that another malicious package has been uploaded to the Arch User
Repository (AUR). This time around the package was
google-chrome-stable, which installed a remote-access trojan
along with Google Chrome.

The good news—if you can call it that—is that the google-chrome-stable
package was available on the AUR only for a few hours before the
malware hidden inside was discovered. Still, it did get a few upvotes,
which suggests at least some users ended up installing it.

The Arch Linux project had to warn users about a similar attack
less than a month
ago when a user uploaded three browser packages that also
installed a malicious script identified as a remote-access trojan.