A quicker alternative:
comm -1 -2 <(pacman -Qq | sort) <(curl -s https://gist.githubusercontent.com/quantenProjects/3f768dce7331618310f016d975bf8547/raw/beef579f8a8efeed6ccf60788e5b768775550095/packages | sort)
I had 15 of the infected packages installed! Luckily I have not updated any of them during the campaign. The full script checks this (in a fairly brittle way) but this comm one-liner does not.
It seems like the AUR should change the orphan recovery process, and helpers should probably offer a minimum package age feature like pnpm.