alt Hacker NewsThis feels like a non-sequitur.
Yes, the AUR is user-provided content. Yes, system administrators are responsible for being aware of what they’re installing. You can find many comments from me on this page discussing that.
An attacker being detected using an official service hosted by Archlinux for user-managed packages to push malware is still noteworthy.
I guess we have very different takes on this; I wouldn't expect Slack or WhatsApp to publish security advisories if one of their users used them to spread malware among a tiny cohort of other users, which is about the right level of responsibility Arch places on itself (and it's very clear about this) w.r.t AUR.