Now acknowledged: https://archlinux.org/news/active-aur-malicious-packages-inc...