A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Chaotic-AUR is thankfully not as badly affected. They have systems in place that flag suspicious changes for human review before anything is released, and so far that has prevented them from shipping any compromised updates.
I thankfully hadn’t updated anything from the AUR for a couple of months (it doesn’t happen by default when I update the rest of my system) and was unaffected, and after looking at the list of things I had from the AUR, I didn’t need any of them… So I now have zero AUR packages on either of my systems.