I wonder if this is really about compromised packages or rather in wider view trying to paint Arch, AUR as insecure.