Executive Summary
Attackers adopted orphaned AUR projects and changed PKGBUILDs to install malicious npm dependencies that execute a native Linux payload. [1]
Sonatype reports modified AUR PKGBUILDs invoking npm to install atomic-lockfile, with later js-digest and lockfile-js activity. Its update says early reporting may put affected AUR packages around 1,500, but the investigation and count remain fluid. The Arch Linux mailing-list thread and aur-malware-check repository provide ecosystem response and a static checking aid. [1]