I use malware, BTW.

I bet it's NPM

(Checks list)

Yep, it's NPM

Oofta, like this is so vexing...Shows that Linux is getting a bit too much attention these days. I don't use the AUR specifically, just Chaotic-AUR and Extra, still ran that Fish script on Garuda Linux in case something snuck into my PC. The PC is clean as a whistle, thankfully. Malicious actors can get fucked for all the grief they cause and ruining of the good times of Linux enjoyers!

So 0.28% of the 140'000 packages?

Seems like not that much.

How many malicious packages are on Googles Play Store?

If this was 10 years ago I'd change my profile picture on Facebook to mark myself safe from the AUR malware.

For those who only have a few AUR packages installed, if you looked at the list and are still concerned, you can view the changelog at https://aur.archlinux.org/cgit/aur.git/log/?h=yourpackagenamehere. If it was secretly malicious but got missed, you'd see it there.

For people that just want to install packages that are not included in the Arch distro, and don't have the knowledge or time to review PKGBUILD files:

Have a look into the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak though, but packages written in Python, Rust, or functional languages are well represented.

Every time I've had an arch distro (not often as I prefer to avoid them) and go to install from the AUR, I get to the point of checking the PKGBUILD and think "oh yeah, forgot about this" and just abort.