- cross-posted to:
- technology@lemmy.world
For people who just want to install packages that are not included in the Arch distro, and don’t have the knowledge or time to review PKGBUILD files:
Have a look at the Guix package manager. It works fine on top of Arch, and Guix has 31,000 packages now. Great for cross-language development and also suitable for early sharing of projects. npm support is a bit weak, though; packages written in Python, Rust, or functional languages are well represented.
For those who only have a few AUR packages installed, if you looked at the list and are still concerned, you can view the changelog at https://aur.archlinux.org/cgit/aur.git/log/?h=yourpackagenamehere. If it was secretly malicious but got missed, you’d see it there.
If this was 10 years ago I’d change my profile picture on Facebook to mark myself safe from the AUR malware.
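Automating the history check described above, as an added example that is not from the thread: the script lists every foreign (non-repo) package pacman knows about, which on Arch is mostly AUR packages, prints the cgit log link for each, and shows its most recent PKGBUILD commits from a throwaway shallow clone. It assumes pacman and git are installed and that aur.archlinux.org is reachable when run with `--audit`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reviews the git history
# of every installed AUR package so unexpected changes stand out.
set -eu

# Browser-friendly cgit history URL for a package (the link from the thread).
aur_log_url() {
    printf 'https://aur.archlinux.org/cgit/aur.git/log/?h=%s\n' "$1"
}

# Clone URL of the package's AUR git repository.
aur_git_url() {
    printf 'https://aur.archlinux.org/%s.git\n' "$1"
}

# Print the last N commits (date, author, subject) of a package's AUR repo.
# Uses a shallow clone in a temporary directory that is removed afterwards.
aur_recent_commits() {
    pkg=$1
    n=${2:-5}
    tmp=$(mktemp -d)
    if git clone --quiet --depth "$n" "$(aur_git_url "$pkg")" "$tmp/$pkg" 2>/dev/null; then
        git -C "$tmp/$pkg" log --format='%ad %an: %s' --date=short -n "$n"
    else
        echo "  (not on the AUR, or clone failed: $pkg)"
    fi
    rm -rf "$tmp"
}

# Walk every foreign package (pacman -Qm) and show its recent history
# together with the cgit link for a closer look in the browser.
audit_foreign_packages() {
    pacman -Qmq | while read -r pkg; do
        echo "== $pkg  ($(aur_log_url "$pkg"))"
        aur_recent_commits "$pkg" 5
    done
}

# Only run the audit when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_foreign_packages
fi
```

Run it as `sh aur-audit.sh --audit`; a commit you do not recognise, or one with a recent date on a package that has not been updated in years, is the thing to read in full before the next `makepkg`.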
So 0.28% of the 140’000 packages?
Seems like not that much.
How many malicious packages are on Google's Play Store?
unfortunately for some, it’s 100% of the 400 packages they use