Why would it be? AUR is user-generated content by definition, you're expected to read and understand every package before using it, which is repeated in documentation ad nauseam. They're very, very explicit about this and that you're on your own when using AUR.
All decent AUR helpers (which Arch developers advise against using anyway) force you to read through the packaging script and confirm that you understand it and are fine with what's about to be executed.
It's no more of an issue than someone posting a malware script into e.g. the wiki. Much less obscure than malware in npm or anything like that.