Per the Wayback Machine the username used was danikpapas. As far as Google and duckduckgo know these are the only packages theat username ever uploaded. Considering the purpose was crime it's likely that that username was "stolen" and the person using it on other sites wasn't the same as the one doing this...

The AUR is arch's repository of untrusted user maintained read-the-source-before-installing packages. There's really not much that can be done to prevent similar issues in the future... because the whole purpose of the AUR is to allow random people to upload packages.

Arch doesn't ship with any way to install AUR packages other than downloading the tarball and building them locally. Tools for installing the packages usually force you to read the PKGBUILD that controls the build process (including getting sources) before letting you build the packages. I.e. the reasonable steps have already been taken.

Edit: firefox-patch-bin was first submitted to the AUR 2025-07-16 21:33 (UTC), so less than two days before removal.

They are/were AUR packages it seems, anyone can spend 2 minutes and upload essentially anything there, like npm and similar. It's not necessarily a "maintainer" per se, as like the people who manage the packages in the proper Arch repositories, but entirely separate.

With that comes the same warning as downloading random stuff from the internet and executing it, you need to carefully review everything before running/installing it, as you're basically doing a fancy version of "curl | bash" when using the AUR.