Hacker News

Havoc, today at 1:00 PM (3 replies)

As I understood it this was mostly orphaned packages?


Replies

Shank, today at 1:12 PM

That's correct, orphaned packages could be adopted seemingly automatically, so someone did and then published malware in bulk.

gbin, today at 1:22 PM

Yes and honestly super kudos to paru's creator for the nagging warning about installed orphan packages that made me remove them immediately.

So with a dozen various systems running arch/cachyos for various purposes, 0 impact.

We seriously dodged a bullet though, should we have some kind of AI spotting shady activity before it hits the userbase?
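The orphan check that gbin credits paru with, written out as an added example for this thread (not paru's or the Arch project's code): it lists foreign packages the way `pacman -Qm` prints them, reads the AUR RPC v5 `info` reply, and flags packages that are currently orphaned (no maintainer, so anyone can adopt them) or whose maintainer differs from the one recorded at install time, which is what a silently adopted package looks like. The pacman output, RPC JSON and baseline below are constructed sample data.

```python
import json

# Constructed stand-in for `pacman -Qm` output (foreign, non-repo packages).
PACMAN_QM = """\
paru 2.0.4-1
example-tool 1.2.0-1
legacy-helper 0.9-3
"""

# Constructed stand-in for the AUR RPC v5 reply to
# /rpc/v5/info?arg[]=paru&arg[]=example-tool&arg[]=legacy-helper
# (an orphaned package is reported with "Maintainer": null).
AUR_INFO = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 3,
    "results": [
        {"Name": "paru", "Version": "2.0.4-1", "Maintainer": "someone"},
        {"Name": "example-tool", "Version": "1.2.0-1", "Maintainer": None},
        {"Name": "legacy-helper", "Version": "0.9-3", "Maintainer": "new-owner"},
    ],
})

# Maintainer recorded when each package was first installed (constructed).
BASELINE = {"paru": "someone", "example-tool": "old-dev", "legacy-helper": "old-dev"}


def parse_foreign(pacman_qm: str) -> dict:
    """Map package name -> installed version from `pacman -Qm` lines."""
    pkgs = {}
    for line in pacman_qm.splitlines():
        if line.strip():
            name, version = line.split()
            pkgs[name] = version
    return pkgs


def audit(pacman_qm: str, aur_json: str, baseline: dict) -> dict:
    """Return {name: reason} for installed AUR packages needing attention:
    'orphaned' (adoptable by anyone), 'maintainer-changed' (differs from the
    baseline, i.e. possibly adopted), or 'not-in-aur' (missing from reply)."""
    installed = parse_foreign(pacman_qm)
    info = {r["Name"]: r for r in json.loads(aur_json)["results"]}
    findings = {}
    for name in installed:
        entry = info.get(name)
        if entry is None:
            findings[name] = "not-in-aur"
        elif entry["Maintainer"] is None:
            findings[name] = "orphaned"
        elif name in baseline and baseline[name] != entry["Maintainer"]:
            findings[name] = "maintainer-changed"
    return findings
```

Running it on the sample data flags `example-tool` as orphaned and `legacy-helper` as having changed hands, while `paru` passes; on a real system the two inputs come from `pacman -Qm` and the AUR RPC endpoint, and the baseline is whatever maintainer list you saved at install time.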

ajross, today at 1:38 PM

Not even "packages" in the distro sense. You can't use software installed with Arch to install this stuff via any path that isn't isomorphic to rebuilding the package yourself.

This was the AUR repository, which is the community-maintained soup of non-distro packages. They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future. But they aren't really "Arch Linux". You need to deliberately enable and install tools to pull stuff from it.

Think of this as Steam or Chrome. You can install those on Arch, and people do, but if Chrome extensions or Steam games suffer an incident like this you don't blame the distro.
