Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
You do have the choice to simply not use the AUR. Has nothing to do with using Arch or not.
And no one has ever claimed the AUR to be safe.
yeah, it’s essentially, you want software that’s no the official repo go there.
True, I also have a choice to use a distro that delivers the software I need in the main repo.